Continuing the discussion from Changes for OAuth Access Token Requests:
What’s the story with OAuth token revocation? I cannot find any documented way to revoke previously issued OAuth tokens. It’s a serious security issue if tokens cannot be revoked. It pretty much defeats the purpose of using OAuth.
Also, RFC 6749 recommends that tokens be revoked if an authorization code is used more than once. Please correct me if I’m wrong, but I don’t think SmartThings follows this recommendation.
4.1.2. Authorization Response
If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
10.5. Authorization Codes
If the authorization server observes multiple attempts to exchange an authorization code for an access token, the authorization server SHOULD attempt to revoke all access tokens already granted based on the compromised authorization code.
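The two RFC 6749 clauses quoted above describe what an authorization server's token endpoint should do when a code is replayed: deny the second exchange and revoke every token that was minted from that code. The following Python sketch is an added example, not SmartThings code or any real library; the class and method names (AuthorizationServer, exchange_code, revoke_token) are made up for illustration, and revoke_token stands in for a revocation endpoint of the kind RFC 7009 specifies.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthCodeRecord:
    client_id: str
    redeemed: bool = False
    issued_tokens: list = field(default_factory=list)


class AuthorizationServer:
    """Minimal in-memory model of the code -> token exchange (hypothetical)."""

    def __init__(self):
        self._codes = {}          # authorization code -> AuthCodeRecord
        self._active_tokens = set()

    def issue_code(self, client_id):
        code = secrets.token_urlsafe(24)
        self._codes[code] = AuthCodeRecord(client_id)
        return code

    def exchange_code(self, code, client_id):
        rec = self._codes.get(code)
        if rec is None or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        if rec.redeemed:
            # RFC 6749 s4.1.2 / s10.5: the code was already used, so treat it
            # as compromised: deny this request and revoke everything issued
            # on the basis of that code.
            for token in rec.issued_tokens:
                self._active_tokens.discard(token)
            return {"error": "invalid_grant"}
        rec.redeemed = True
        token = secrets.token_urlsafe(32)
        rec.issued_tokens.append(token)
        self._active_tokens.add(token)
        return {"access_token": token, "token_type": "Bearer"}

    def revoke_token(self, token):
        # Explicit revocation, as RFC 7009 describes; idempotent, so revoking
        # an unknown or already-revoked token is not an error.
        self._active_tokens.discard(token)

    def is_token_valid(self, token):
        # A resource server would consult this (or introspection) per request.
        return token in self._active_tokens
```

Without the redeemed check, a leaked or replayed code would silently mint a second bearer token while the first stays valid, which is the gap the post is asking about.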