Access token revocation implementation in OAuth 2

Backend · Unresolved · 3 replies · 1735 views
日久生厌 2020-12-31 12:12

I've used OWIN OAuth 2 to implement my Authorization Server Provider. Now, I want to implement token revocation (when my client application wants to logout).
Can anybod

3 answers
  •  囚心锁ツ
    2020-12-31 13:11

    According to the OAuth 2.0 RFC, a refresh token is not used to revoke a token; on refresh, "access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner". A refresh token is used to increase the life-span of an access token or to renew the old access token with a new one that will expire later. That's usually used to prevent asking the user for his/her credentials once again. In order to revoke a token, the OAuth 2.0 provider should expose such a WS/endpoint or some other mechanism.
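The endpoint this answer refers to is standardised in RFC 7009 (OAuth 2.0 Token Revocation). The following is an added example, not the asker's OWIN code and not from any library: a self-contained Python model of how an authorization server can implement that endpoint and how a resource server then checks a token before accepting it. The client id `spa-client`, its secret, the in-memory token store and the TTLs are all constructed for the example. It shows the three behaviours a revocation endpoint needs that a plain "delete the refresh token" logout does not give you: the client must authenticate, unknown or already-invalid tokens still get a 200 so the endpoint cannot be used to probe whether a token exists, and revoking a refresh token also invalidates the access tokens minted from it.

```python
"""Model of an RFC 7009 style token revocation endpoint (example code, in-memory only)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class TokenRecord:
    value: str
    kind: str                              # "access_token" or "refresh_token"
    client_id: str                         # client the token was issued to
    expires_at: float                      # unix time
    parent_refresh: Optional[str] = None   # refresh token this access token was minted with


class AuthServer:
    def __init__(self) -> None:
        # Constructed client registry; a real server would keep hashed secrets in a store.
        self._clients: Dict[str, str] = {"spa-client": "client-secret-example"}
        self._tokens: Dict[str, TokenRecord] = {}
        self._revoked: Set[str] = set()

    def issue(self, client_id: str, access_ttl: int = 300, refresh_ttl: int = 86400) -> Tuple[str, str]:
        """Issue an access/refresh token pair for an already-authorized grant."""
        now = time.time()
        refresh = secrets.token_urlsafe(32)
        access = secrets.token_urlsafe(32)
        self._tokens[refresh] = TokenRecord(refresh, "refresh_token", client_id, now + refresh_ttl)
        self._tokens[access] = TokenRecord(access, "access_token", client_id, now + access_ttl, refresh)
        return access, refresh

    def revoke(self, client_id: str, client_secret: str, token: str,
               token_type_hint: Optional[str] = None) -> Tuple[int, dict]:
        """Handle a POST to the revocation endpoint. Returns (HTTP status, JSON body)."""
        # 1. The client must authenticate (RFC 7009 §2.1 / RFC 6749 §2.3).
        expected = self._clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return 401, {"error": "invalid_client"}

        # 2. Only the two hints defined by the RFC are accepted (§2.2.1).
        if token_type_hint not in (None, "access_token", "refresh_token"):
            return 400, {"error": "unsupported_token_type"}

        # 3. Unknown tokens, and (a choice made in this example) tokens owned by a
        #    different client, are answered with 200 and no action, so the endpoint
        #    reveals nothing about which token strings exist (§2.2).
        rec = self._tokens.get(token)
        if rec is None or rec.client_id != client_id:
            return 200, {}

        # 4. Record the revocation; revoking a refresh token also kills every access
        #    token derived from it, as the RFC recommends (§2.1).
        self._revoked.add(token)
        if rec.kind == "refresh_token":
            for other in self._tokens.values():
                if other.parent_refresh == token:
                    self._revoked.add(other.value)
        return 200, {}

    def is_active_access_token(self, token: str) -> bool:
        """The check a resource server performs (or asks for via introspection) per request."""
        rec = self._tokens.get(token)
        if rec is None or rec.kind != "access_token":
            return False
        if token in self._revoked:
            return False
        return time.time() < rec.expires_at


if __name__ == "__main__":
    srv = AuthServer()
    access, refresh = srv.issue("spa-client")
    print("active before logout:", srv.is_active_access_token(access))
    print("revoke:", srv.revoke("spa-client", "client-secret-example", refresh, "refresh_token"))
    print("active after logout:", srv.is_active_access_token(access))
```

The important design point for a logout flow is the last step: a resource server that validates self-contained tokens purely by signature will keep accepting an access token until it expires, so either the resource server consults the revocation set (or an introspection endpoint) on every request, or access-token lifetimes are kept short enough that revoking the refresh token is sufficient for your threat model.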
