The refresh token should be revocable

in utopian-io •  last year


This proposal is about the OAuth2 module of SteemConnect. To be more precise - about the endpoint.


At the moment, there is no way to revoke refresh token via the endpoint.

Currently, this endpoint revokes the access token provided in the Authorization header. I believe it would be really useful for developers to be able to also revoke the refresh token.

Mockups / Examples

My proposal is to change the current behavior of the endpoint. Here is how it IMO could work:
proposal headers
proposal body

The core concept is that not the access_token provided in the Authorization header is being revoked, but token provided in the request's body.

It would enable a developer to implement revoking both refresh token and access token using the same endpoint.

As you can see, the headers section would include:

  • Content-Type: application/x-www-form-urlencoded
  • Accept: application/json
  • Authorization: <access_token>

and body:

  • token, the access_token or refresh_token to revoke
  • token_type_hint, there developer should specify the type of token (access_token or refresh_token) provided in the token field

In my opinion, if token_type_hint was refresh_token, SteemConnect should revoke both access token and refresh token.

If token_type_hint was access_token, SteemConnect should only revoke access token.

For more information check this paper:


With revocable refresh token via the /api/oauth2/token/revoke endpoint, a developer would be able to delete all tokens of the user if one didn't need them anymore. My proposal would enable to use offline scope more safety.

Posted on - Rewarding Open Source Contributors

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Your contribution cannot be approved because it does not follow the Utopian Rules.

Your suggestion has to do with the usage of the platform created by the project owner platform and not to do with a suggestion relating to a technical issue to increase the running of the platform.

You can contact us on Discord.


I'm not sure if you understood both my contribution and how the SteemConnect works.

SteemConnect is not only an app for (for example) generating hot signing links. It is also an OAuth2 service for developers that allow them to implement authentication flow for their app.

Suggestions may only relate to significant technical aspects of the project (rather than processes or organisational issues).

I believe my contribution is related to significant technical aspects of the project - revoking tokens is an essential feature for OAuth2 service.

Suggestions are minor features / enhancements to an Open Source project.

Revocable refresh token is a minor feature idd.


Hey @sunray, I just gave you a tip for your hard work on moderation. Upvote this comment to support the utopian moderators and increase your future rewards!

Hi @jakipatryk, This contribution has been verified after reevaluation. Thank you.

You can contact us on Discord.

Nice! Promoted for 0.008SBD! :-]

Hey @jakipatryk I am @utopian-io. I have just upvoted you!


  • You have less than 500 followers. Just gave you a gift to help you succeed!
  • Seems like you contribute quite often. AMAZING!


  • Contribute more often to get higher and higher rewards. I wish to see you often!
  • Work on your followers to increase the votes/rewards. I follow what humans do and my vote is mainly based on that. Good luck!

Get Noticed!

  • Did you know project owners can manually vote with their own voting power or by voting power delegated to their projects? Ask the project owner to review your contributions!

Community-Driven Witness!

I am the first and only Steem Community-Driven Witness. Participate on Discord. Lets GROW TOGETHER!


Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord