07-14-2016 12:19
How can I revoke an access token obtained through implicit grant flow?
The documentation states:
"The Authorization header must be set to Basic followed by a space, then the Base64 encoded string of your application's client id and secret concatenated with a colon."
But with implicit grant flow you don't have the secret, by design.
Thanks,
- Rich
07-14-2016 13:04
You use the client id and client secret in the Authorization header to revoke an access token.
You should only do this server side, as you should not put your client secret on devices you don't control.
07-15-2016 06:51 - edited 07-15-2016 06:53
So if I'm making an iOS app, I should be using implicit grant flow, correct? In that case, is there no way for the user to deauthorize directly from the app? I guess what I really want to do is to have the user be able to deauthorize the app if they choose.
07-15-2016 10:25
Correct—your app should only revoke its own authorization via a server-to-server request.
People can also revoke access to apps they've authorized in their Fitbit settings.
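The server-to-server revocation pattern the two replies above describe, as an added illustration (not code from the thread or from Fitbit): the app sends only its own access token to your backend, and the backend, which is the only place the client secret lives, builds the `Basic` header from `client_id:client_secret` and forwards the revocation. The revocation URL is a placeholder to be taken from the docs, the credentials are constructed sample values, and the `token` form parameter is an assumption (RFC 7009 convention).

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

# Placeholder: substitute the revocation URL given in the Fitbit OAuth 2.0 docs.
REVOKE_URL = "https://REVOKE-ENDPOINT-FROM-DOCS/oauth2/revoke"

# Constructed sample credentials; real ones live only in server-side config.
CLIENT_ID = "abc"
CLIENT_SECRET = "secret"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """'Basic ' + base64(client_id + ':' + client_secret), as the docs describe."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revoke_request(token: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the server-to-server revocation request without sending it.
    Assumption: the token travels in a form body under 'token' (RFC 7009 style)."""
    body = urllib.parse.urlencode({"token": token}).encode("utf-8")
    req = urllib.request.Request(REVOKE_URL, data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def handle_app_revoke(app_token: str, send=urllib.request.urlopen) -> dict:
    """Backend endpoint the mobile app calls with nothing but its own access token.

    The secret is read here, server side; the device never receives it.
    `send` is injectable so the relay can be exercised offline."""
    if not app_token or any(c.isspace() for c in app_token):
        return {"ok": False, "error": "malformed token"}
    req = build_revoke_request(app_token, CLIENT_ID, CLIENT_SECRET)
    try:
        resp = send(req)
        return {"ok": 200 <= resp.status < 300, "status": resp.status}
    except urllib.error.HTTPError as e:
        return {"ok": False, "status": e.code}
```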