The refresh token should be revocable by jakipatryk

View this thread on: hive.blog | peakd.com | ecency.com

utopian-io · @jakipatryk · Apr 1 '18 (edited)

$8.52

The refresh token should be revocable

#### Components
This proposal is about the **OAuth2** module of **SteemConnect**. To be more precise - about the `https://steemconnect.com/api/oauth2/token/revoke` endpoint.

#### Proposal
At the moment, there is no way to revoke refresh token via the `https://steemconnect.com/api/oauth2/token/revoke` endpoint. 

Currently, this endpoint revokes the *access token* provided in the *Authorization* header.  I believe it would be really useful for developers to be able to also revoke the *refresh token*.

#### Mockups / Examples
My proposal is to change the current behavior of the `https://steemconnect.com/api/oauth2/token/revoke` endpoint. Here is how it IMO could work:
![proposal headers](https://cdn.utopian.io/posts/96424f941001c5086f945098fe2d11f3c3deimage.png)
![proposal body](https://cdn.utopian.io/posts/302082216a22db2ab6fef8e20b21a912a96eimage.png)

The core concept is that **not** the **access_token** provided in the *Authorization* header is being revoked, but **token** provided in the request's body.

It would enable a developer to implement revoking both **refresh token** and **access token** using the same endpoint.

As you can see, the **headers** section would include:
- *Content-Type: application/x-www-form-urlencoded*
- *Accept: application/json*
- *Authorization: <access_token>*

and **body**:
- *token*, the access_token or refresh_token to revoke
- *token_type_hint*, there developer should specify the type of token (*access_token* or *refresh_token*) provided in the token field

In my opinion, if ***token_type_hint*** was *refresh_token*, SteemConnect **should revoke both** access token and refresh token.

If ***token_type_hint*** was *access_token*, SteemConnect **should only revoke** access token.

For more information check this paper:
- https://tools.ietf.org/pdf/rfc7009.pdf

#### Benefits
With revocable refresh token via the `/api/oauth2/token/revoke` endpoint, a developer would be able to delete all tokens of the user if one didn't need them anymore. My proposal would enable to use `offline` scope more safety.

<br /><hr/><em>Posted on <a href="https://utopian.io/utopian-io/@jakipatryk/refresh-token-is-not-revocable">Utopian.io -  Rewarding Open Source Contributors</a></em><hr/>

👍 utopian-io, ruth-girl, jakipatryk, kirkins, jamzed, jacekw, statsexpert, mys, alcik, bocik, mathias240, cryptos, raidho, pibyk, piotr42, piotr-galas, lionindayard, m-san, tinowhale, conceptskip, marekkaminski, malay11, genoner, birgitt, zgredek, smafey, mkt, nazarblue, mamicco, qanon1111, fromhell2sky, enjoyy, toninux, daszod, kryptorero, tentalavera, iptrucs, derianalanrojas, carment, ceszar, roxso, nudgent, otto11, akislam, siriusgaia, bahagia9, aksapphires, rechellomataro, count-antonio, khairulfahmi92, zcool, andreas-winkler, t-flames, thinkermyles, handfree42, finanzamt, piotrassnk

properties (23)vote details (57)

voter	rshares	pct
akislam	110,733,114	24.5%
cryptos	4,988,304,867	5%
jamzed	19,038,494,051	100%
siriusgaia	110,670,995	4.9%
kirkins	23,798,089,093	50%
toninux	256,654,633	24.5%
malay11	850,031,150	24.5%
mys	8,845,707,212	10%
jakipatryk	43,609,160,820	100%
mkt	563,935,685	1.52%
pibyk	4,105,749,785	100%
ruth-girl	159,541,780,188	100%
jacekw	12,917,032,125	100%
alcik	7,545,817,853	100%
ceszar	144,219,869	24.5%
smafey	573,694,718	24.5%
birgitt	656,950,253	24.5%
derianalanrojas	157,491,885	24.5%
m-san	1,485,681,030	100%
mathias240	6,630,046,780	100%
nudgent	138,035,911	24.5%
zgredek	611,952,180	100%
utopian-io	3,161,861,374,736	1.68%
bocik	6,656,320,258	100%
raidho	4,842,944,442	100%
tentalavera	168,495,005	5%
enjoyy	271,192,944	24.5%
iptrucs	167,330,429	15%
thinkermyles	67,686,722	14.7%
handfree42	61,362,257	24.5%
piotrassnk	0	100%
tinowhale	1,209,916,765	49%
piotr-galas	3,408,003,695	100%
fromhell2sky	294,603,961	24.5%
piotr42	4,018,882,664	100%
mamicco	484,864,830	100%
nazarblue	559,514,392	100%
otto11	112,221,117	24.5%
zcool	101,380,399	10%
khairulfahmi92	104,085,398	24.5%
lionindayard	1,633,666,983	10%
carment	144,868,725	24.5%
daszod	256,146,729	49%
genoner	807,945,644	46.55%
andreas-winkler	101,057,918	25%
statsexpert	10,823,531,739	81%
count-antonio	104,507,647	24.5%
roxso	144,181,923	24.5%
finanzamt	58,721,458	9.8%
rechellomataro	107,597,778	24.5%
t-flames	74,093,527	24.5%
kryptorero	239,842,734	24.5%
bahagia9	109,119,964	24.5%
conceptskip	942,879,369	100%
marekkaminski	910,030,842	100%
aksapphires	107,702,759	24.5%
qanon1111	346,554,101	100%

@knowledges · Apr 1 '18

$0.10

Hi @jakipatryk, This contribution has been verified after reevaluation. Thank you.

You can contact us on [Discord](https://discord.gg/uTyJkNm).
**[[utopian-moderator]](https://utopian.io/moderators)**

👍 jakipatryk, knowledges

`author`	knowledges
`permlink`	re-jakipatryk-refresh-token-is-not-revocable-20180401t191905861z
`category`	utopian-io
`json_metadata`	{"tags":["utopian-io"],"community":"utopian","app":"utopian/1.0.0"}
`created`	2018-04-01 19:19:12
`last_update`	2018-04-01 19:19:12
`depth`	1
`children`	0
`last_payout`	2018-04-08 19:19:12
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.100 HBD
`curator_payout_value`	0.001 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	201
`author_reputation`	98,021,227,622,369
`root_title`	"The refresh token should be revocable"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	47,816,237
`net_rshares`	35,262,301,900
`author_curate_reward`	""

properties (23)vote details (2)

voter	weight	wgt%	rshares	pct	time
jakipatryk	0 B		23,739,042,916	50%
knowledges	0 B		11,523,258,984	100%

@marekkaminski · Mar 30 '18

$0.06

Nice! Promoted for 0.008SBD! :-]

👍 jakipatryk

`author`	marekkaminski
`permlink`	re-jakipatryk-refresh-token-is-not-revocable-20180330t163046006z
`category`	utopian-io
`json_metadata`	{"tags":["utopian-io"],"app":"steemit/0.1"}
`created`	2018-03-30 16:30:15
`last_update`	2018-03-30 16:30:15
`depth`	1
`children`	0
`last_payout`	2018-04-06 16:30:15
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.053 HBD
`curator_payout_value`	0.007 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	32
`author_reputation`	518,150,328,063
`root_title`	"The refresh token should be revocable"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	47,482,365
`net_rshares`	20,656,970,915
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
jakipatryk	0 B		20,656,970,915	50%

@sunray · Apr 1 '18

$1.49

Your contribution cannot be approved because it does not follow the [Utopian Rules](https://utopian.io/rules).

Your suggestion has to do with the usage of the platform created by the project owner platform and not to do with a suggestion relating to a technical issue to increase the running of the platform.  

You can contact us on [Discord](https://discord.gg/uTyJkNm).
**[[utopian-moderator]](https://utopian.io/moderators)**

👍 utopian.tip

`author`	sunray
`permlink`	re-jakipatryk-refresh-token-is-not-revocable-20180401t112714946z
`category`	utopian-io
`json_metadata`	{"tags":["utopian-io"],"community":"utopian","app":"utopian/1.0.0"}
`created`	2018-04-01 11:27:36
`last_update`	2018-04-01 11:27:36
`depth`	1
`children`	2
`last_payout`	2018-04-08 11:27:36
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	1.119 HBD
`curator_payout_value`	0.371 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	430
`author_reputation`	89,977,246,052,396
`root_title`	"The refresh token should be revocable"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	47,763,020
`net_rshares`	509,536,920,452
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
utopian.tip	0 B		509,536,920,452	45.83%

@jakipatryk · Apr 1 '18 (edited)

I'm not sure if you understood both my contribution and how the SteemConnect works.

SteemConnect is not only an app for (for example) generating hot signing links. It is also an OAuth2 service for developers that allow them to implement authentication flow for their app.

> Suggestions may only relate to significant technical aspects of the project (rather than processes or organisational issues).

I believe my contribution is related to significant technical aspects of the project - revoking tokens is an essential feature for OAuth2 service.

> Suggestions are minor features / enhancements to an Open Source project.

Revocable refresh token is a minor feature idd.

properties (22)

`author`	jakipatryk
`permlink`	re-sunray-re-jakipatryk-refresh-token-is-not-revocable-20180401t162740407z
`category`	utopian-io
`json_metadata`	{"tags":["utopian-io"],"community":"busy","app":"busy/2.4.0"}
`created`	2018-04-01 16:28:00
`last_update`	2018-04-01 16:40:06
`depth`	2
`children`	0
`last_payout`	2018-04-08 16:28:00
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	674
`author_reputation`	14,313,610,947,295
`root_title`	"The refresh token should be revocable"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	47,803,740
`net_rshares`	0

@utopian.tip · Apr 2 '18

Hey @sunray, I just gave you a tip for your hard work on moderation. Upvote this comment to support the utopian moderators and increase your future rewards!

properties (22)

`author`	utopian.tip
`permlink`	re-re-jakipatryk-refresh-token-is-not-revocable-20180401t112714946z-20180402t085544
`category`	utopian-io
`json_metadata`	""
`created`	2018-04-02 08:55:45
`last_update`	2018-04-02 08:55:45
`depth`	2
`children`	0
`last_payout`	2018-04-09 08:55:45
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	156
`author_reputation`	238,310,597,885
`root_title`	"The refresh token should be revocable"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	47,897,783
`net_rshares`	0

@utopian-io · Apr 2 '18

### Hey @jakipatryk I am @utopian-io. I have just upvoted you!
#### Achievements
- You have less than 500 followers. Just gave you a gift to help you succeed!
- Seems like you contribute quite often. AMAZING!
#### Suggestions
- Contribute more often to get higher and higher rewards. I wish to see you often!
- Work on your followers to increase the votes/rewards. I follow what humans do and my vote is mainly based on that. Good luck!
#### Get Noticed!
- Did you know project owners can manually vote with their own voting power or by voting power delegated to their projects? Ask the project owner to review your contributions!
#### Community-Driven Witness!
I am the first and only Steem Community-Driven Witness. <a href="https://discord.gg/zTrEMqB">Participate on Discord</a>. Lets GROW TOGETHER!
- <a href="https://v2.steemconnect.com/sign/account-witness-vote?witness=utopian-io&approve=1">Vote for my Witness With SteemConnect</a>
- <a href="https://v2.steemconnect.com/sign/account-witness-proxy?proxy=utopian-io&approve=1">Proxy vote to Utopian Witness with SteemConnect</a>
- Or vote/proxy on <a href="https://steemit.com/~witnesses">Steemit Witnesses</a>

[![mooncryption-utopian-witness-gif](https://steemitimages.com/DQmYPUuQRptAqNBCQRwQjKWAqWU3zJkL3RXVUtEKVury8up/mooncryption-s-utopian-io-witness-gif.gif)](https://steemit.com/~witnesses)

**Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x**

properties (22)