Merge pull request #1507 from owncloud/oauth2-limitations

document limitations
owncloud · Jul 19, 2019 · 67a2b68 · 67a2b68
2 parents 111e327 + 3816a11
commit 67a2b68
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/modules/admin_manual/pages/configuration/server/security/oauth2.adoc b/modules/admin_manual/pages/configuration/server/security/oauth2.adoc
@@ -1,5 +1,7 @@
 = OAuth2
 :toc: right
+:shibboleth-app-url: https://marketplace.owncloud.com/apps/user_shibboleth
+:oauth2-user-auth-url: https://oauth.net/articles/authentication/
 
 == What is it?
 
@@ -176,7 +178,14 @@ To enable token-only based app or client logins in `config/config.php` set `toke
 
 == Limitations
 
-- Since the app handles no user passwords, only master key encryption works (similar to 
-https://marketplace.owncloud.com/apps/user_shibboleth[the Shibboleth app]).
+- Since the app does not handle user passwords, only master key encryption works (similar to {shibboleth-app-url}[the Shibboleth app]).
 - Clients cannot migrate accounts from Basic Authorization to OAuth2, if they are currently using the `user_ldap` backend.
+- It is not possible to explicitly end user sessions when using OAuth2. Have a read through {oauth2-user-auth-url}[User Authentication with OAuth 2.0] to find out more.
+
+== Further Reading
+
+* https://oauth.net/articles/authentication/[User Authentication with OAuth 2.0]
+* http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html[The problem with OAuth for Authentication.]
+* https://security.stackexchange.com/questions/81756/session-authentication-vs-token-authentication[Session Authentication vs Token Authentication]
+* https://tools.ietf.org/html/rfc7009[OAuth 2.0 Token Revocation]