Implement API for token revocation
Completed
At present, tokens can be issued using ORCID's OAuth API but they can't be revoked except by a user manually going to their Account settings on the main orcid.org website (https://orcid.org/account).
OAuth providers such as Google provide the ability for a token holder to revoke the token via an API. For example, see https://developers.google.com/identity/protocols/OAuth2WebServer#tokenrevoke
One currently suggested flow, of an application simply deleting the token from its database, is unsafe, as the token is still valid (for up to 20 years) and is at risk of being found/brute-forced and abused. The other suggested flow, of instructing the user how to log in to ORCID to revoke permissions, works, but requires manual intervention from the user, meaning there's a risk of the user accidentally removing other tokens. Finally, if revocation was needed en masse (such as an organisational database being compromised) there is currently no way forward with this short of emailing ORCID.
A simple, Google-style API (e.g. a URL like https://orcid.org/oauth/revoke?token={token}) would suffice for this purpose and be extremely useful.
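The safer "disconnect" flow argued for above, as an added example that is not part of the original request and not ORCID's or Google's code: the application asks the authorization server to revoke the token first and deletes its local copy only once the provider confirms, so a token is never silently left live. The request uses the RFC 7009 shape (POST, form-encoded `token` with an optional `token_type_hint`, HTTP Basic client authentication) and revokes the refresh and access token one call each; the endpoint URL, client credentials and the in-process `FakeProvider` are constructed for an offline demo, and a real provider's parameter names come from its own documentation.

```python
"""Revoke-then-delete flow for OAuth tokens, with a mass-revocation helper.

Everything here is an added example: the endpoint URL, client credentials,
token values and the in-process provider are constructed for an offline demo.
"""
import base64
from urllib.parse import parse_qs, urlencode

REVOKE_URL = "https://provider.example/oauth/revoke"  # assumed placeholder URL
CLIENT_ID = "APP-EXAMPLE"                               # constructed
CLIENT_SECRET = "example-secret"                        # constructed


class FakeProvider:
    """Stand-in for an authorization server's RFC 7009 revocation endpoint."""

    def __init__(self, tokens):
        # token value -> client_id that was issued the token
        self.tokens = dict(tokens)

    def handle(self, headers, body):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, {"error": "invalid_client"}
        creds = base64.b64decode(auth[6:]).decode().split(":", 1)
        if creds != [CLIENT_ID, CLIENT_SECRET]:
            return 401, {"error": "invalid_client"}
        token = parse_qs(body).get("token", [""])[0]
        # RFC 7009 section 2.2: an unknown token, or one belonging to another
        # client, still gets 200 so the endpoint reveals nothing about it.
        if self.tokens.get(token) == CLIENT_ID:
            del self.tokens[token]
        return 200, {}


def revoke_request(token, hint=None):
    """Build the headers and form body of an RFC 7009 revocation call."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    fields = {"token": token}
    if hint:
        fields["token_type_hint"] = hint  # "access_token" or "refresh_token"
    return headers, urlencode(fields)


def disconnect(store, user_id, transport):
    """Revoke at the provider first; forget the tokens locally only on success.

    transport(url, headers, body) -> (status, json) is injected so the flow
    can be exercised against the fake provider without network access.
    """
    record = store.get(user_id)
    if record is None:
        return "absent"
    for kind in ("refresh_token", "access_token"):
        status, _ = transport(REVOKE_URL, *revoke_request(record[kind], kind))
        if status != 200:
            # The token is still live at the provider: keep the record so the
            # revocation can be retried instead of deleting and losing track.
            record["revoke_pending"] = True
            return "pending"
    del store[user_id]
    return "revoked"


def revoke_all(store, transport):
    """Breach response: revoke every stored token and report each outcome."""
    return {uid: disconnect(store, uid, transport) for uid in list(store)}


def build_demo():
    """Constructed store and provider holding tokens for two users."""
    store = {
        "alice": {"access_token": "at-alice", "refresh_token": "rt-alice"},
        "bob": {"access_token": "at-bob", "refresh_token": "rt-bob"},
    }
    provider = FakeProvider({t: CLIENT_ID for rec in store.values() for t in rec.values()})
    transport = lambda url, headers, body: provider.handle(headers, body)
    return store, provider, transport


if __name__ == "__main__":
    store, provider, transport = build_demo()
    print(disconnect(store, "alice", transport), sorted(provider.tokens))
    print(revoke_all(store, transport), sorted(provider.tokens))
```

The `pending` branch is the point of the example: when the provider is unreachable the local record is kept and flagged rather than deleted, because deleting it would recreate exactly the problem the request describes, a token the application has forgotten about but the provider still honours.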
-
Thanks again for your suggestion to improve the ORCID Registry. We have now implemented a token revocation process, allowing clients to revoke a pair of access and refresh tokens with a single call.
Find documentation: https://members.orcid.org/api/oauth/revoke-tokens
Warm regards,
ORCID Community Team