2018-11-22 UTC
# sknebel I'm not really liking the revocation story yet. client token gets revoked at users token endpoint. users token endpoint tells auth endpoint that's happened, auth endpoint goes and posts individual revocation requests to all the sites? relatively short-lived tokens then make a lot of sense, should the auth endpoint be able to ask for those?