Filip/matrix-spec
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-spec synced 2026-02-20 04:53:42 +01:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Add OAuth 2.0 token revocation

Browse source 
As per MSC4254

Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
This commit is contained in:
Kévin Commaille 2025-05-25 14:49:53 +02:00
parent 687e8c3c22
commit 433f1d733c
No known key found for this signature in database
GPG key ID: F26F4BE20A08255B
1 changed files with 49 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
content/client-server-api/_index.md
View file

@ -1481,6 +1481,55 @@ MAY reject weak passwords with an error code `M_WEAK_PASSWORD`.
### OAuth 2.0 API
#### Token revocation
When a user wants to log out from a client, the client SHOULD use OAuth 2.0
token revocation as defined in [RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009).
The client makes a `POST` request to the `revocation_endpoint` that can be found
in the authorization server metadata.
The body of the request includes the following parameters, encoded as
`application/x-www-form-urlencoded`:
- `token`: This parameter MUST contain either the access token or the refresh
token to be revoked.
- `token_type_hint`: This parameter is OPTIONAL, and if present, MUST have a
value of either `access_token` or `refresh_token`. The server MAY use this
value to optimize the token lookup process.
- `client_id`: The client identifier obtained during client registration. This
parameter is OPTIONAL.
If the `client_id` is not provided, or does not match the client associated
with the token, the server SHOULD still revoke the token. This behavior is
meant to help good actors like secret scanning tools to proactively revoke
leaked tokens. The server MAY also warn the user that one of their sessions
may be compromised in this scenario.
For example, revoking using the access token:
```
POST /oauth2/revoke HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded
token=mat_ooreiPhei2wequu9fohkai3AeBaec9oo&
token_type_hint=access_token&
client_id=s6BhdRkqt3
```
The server MUST revoke both the access token and refresh token associated with
the token provided in the request.
The server SHOULD return one of the following responses:
- If the token is already revoked or invalid, the server returns a `200 OK`
response
- If the client is not authorized to revoke the token, the server returns a
`401 Unauthorized` response
- For other errors, the server returns a `400 Bad Request` response with error
details
### Account moderation
#### Account locking