Self token revocation

[matosf]

At the moment to revoke a token (e.g. customer token) we need a service token create a revocation.

This means that in the case of a mobile that has a customer token and wants to revoke it, it cannot do it directly from the mobile, because to create a service token you need a client secret and service user password and those should not be on the mobile, so it has instead to call its own backend and do the revocation call from there, where the secrets can be securely stored.

I propose that this use case could be improved with support for a new revocation type (e.g. SELF), that just revokes the token it receives in the Authorization header.

Example:

curl -v -X POST -H "Authorization: Bearer TOKEN_TO_REVOKE" -H "Content-Type: application/json" -d '{
    "type": "SELF"
}' "https://planb-revocation/revocations"

[gargravarr]

This also means allowing tokens from customer realm - right now only realms 'service' and 'employee' are allowed.

[lasomethingsomething]

Hey @gargravarr, this issue dates back to May 2016. Can we close it?

[gargravarr]

This one is eligible for Help Wanted

…

On Tue, 7 Feb 2017, 12:24 Lauri Apple, ***@***.***> wrote: Hey @gargravarr <https://github.com/gargravarr>, this issue dates back to May 2016. Can we close it? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#111 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABtKw5ls3bGw7Lja8vaOI6FGkiJ-xYt9ks5raFRrgaJpZM4Iloxw> .