mod_http_oauth2: Limit revocation to clients own tokens in strict mode RFC 7009 section 2.1 states: > The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token was > issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed of > the error by the authorization server as described below. The first part was already covered (in strict mode). This adds the later part using the hash of client_id recorded in 0860497152af It still seems weird to me that revoking a leaked token should not be allowed whoever might have discovered it, as that seems the responsible thing to do.

<div id="title">
	<div id="date">###DATE###</div>
	<div id="roomjid">###JID###</div>
	<div id="links">(join via <a class="component" href="xmpp:###JID###?join">client</a>)</div>
</div>
<div id="calendar">
	<div id="navigation">
		###PREVIOUS_LINK### <a class="nav" href="../">^</a>###NEXT_LINK###
	</div>
	###CALENDAR###
</div>
<div id="topic">###TITLE_STUFF###</div>
<br />
<input id="toggleUTC" type="checkbox" onclick="changeTimeDisplay()" /><label for="toggleUTC">show time in local time, rather than in UTC</label>
<div id="main">###DAY_STUFF###</div>