MSC2918: soft logout in refresh token API
sandhose committed Jul 15, 2021
1 parent a050dc3 commit 2c11e6f
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions proposals/2918-refreshtokens.md
Expand Up @@ -76,6 +76,7 @@ The `refresh_token` parameter can be invalid for two reasons:

In both cases, the server must reply with a `401` HTTP status code and an `M_UNKNOWN_TOKEN` error code.
This new use case of the `M_UNKNOWN_TOKEN` error code must be reflected in the spec.
As with other endpoints, the server can include an extra `soft_logout` parameter in the response to signify the client it should do a soft logout.

This new API should be rate-limited and does not require authentication since only the `refresh_token` parameter is needed.
Identity assertion via the `user_id` query parameter as defined by the Application Service API specification is disabled on this endpoint.
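
Review bot: the added `soft_logout` sentence, directly after the `M_UNKNOWN_TOKEN` paragraph, leaves open which of the two invalid-token cases it applies to and what a client should assume when the parameter is absent. Since it says "in both cases" just above, consider stating whether `soft_logout` may accompany either case or only one, and give the parameter's type and its default when omitted, so clients do not diverge on whether to keep or discard session state after a failed refresh. The wording "can include" is also weaker than the "must" used in the two preceding lines; if this is optional, say so explicitly. Minor: "to signify the client it should do a soft logout" reads better as "to signal to the client that it should perform a soft logout".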