Here's where I'm coming from. This sounds like a privilege escalation attack waiting to happen. If you can get a list of tokens, you know what other applications the person is using. This is privileged information by itself, but it could also be used as a first step towards getting other OAuth tokens.
The uninstall use case makes sense. It might make more sense to make the user go through the web browser to revoke a token. But I don't really see a security problem with letting an application revoke its own token.
I'm also okay with giving access to metadata about the OAuth token used to make the request, and other tokens for the same consumer.
Checking for an existing active token is useful but also opens up privacy questions. Since you don't have a token yet, you'd make the request without signing it. This would allow you to impersonate various clients to find out if the user has a token for that client, simulating the effect of a full list of tokens.
How satisfied would you be if we published a collection of OAuth tokens that contained tokens for the current application only, and allowed you to delete the token currently in use?
Here's where I'm coming from. This sounds like a privilege escalation attack waiting to happen. If you can get a list of tokens, you know what other applications the person is using. This is privileged information by itself, but it could also be used as a first step towards getting other OAuth tokens.
The uninstall use case makes sense. It might make more sense to make the user go through the web browser to revoke a token. But I don't really see a security problem with letting an application revoke its own token.
I'm also okay with giving access to metadata about the OAuth token used to make the request, and other tokens for the same consumer.
Checking for an existing active token is useful but also opens up privacy questions. Since you don't have a token yet, you'd make the request without signing it. This would allow you to impersonate various clients to find out if the user has a token for that client, simulating the effect of a full list of tokens.
How satisfied would you be if we published a collection of OAuth tokens that contained tokens for the current application only, and allowed you to delete the token currently in use?