OAuth1
Re-authenticating with the same client results in multiple entries on profile page.
Using my test PHP client script, I am able to successfully authenticate and connect remotely to my WordPress API.
But when I log out and then re-authenticate a few times, then visit my wp-admin Profile page, I see multiple entries for the same client with the (now fixed) revoke button.
I understand that they'll each have different token credentials, but this list is going to get pretty untidy, pretty quickly if users (wisely) log out of their client apps when not needed.
What's the best way to deal with this, if any?
Is there an endpoint for revoking the current Application's credentials as part of a log out process?
Or should the OAuth server detect that the client has been authorized before and update the tokens, rather than create a new entry?
Update: Sorry, thinking this through: I suppose that would invalidate any other client apps running on other devices, which may use the same consumer identity.
Something's not quite right about the way it's doing things now though. Unless I'm missing something. Thx.
Hmm so I believe this is intentional, I've chatted to @rmccue about it before - basically we don't share the existing tokens, it's up to your client to save the tokens for later use in whichever way it sees fit (and secure!). I'll let @rmccue add the specific reasoning for that.
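One way a client could save its token credentials and reuse them instead of authorizing again, as the reply above suggests. This is an added example, not code from the thread or the plugin: `TokenStore`, `tokenCredentials`, the JSON file layout and the `$authorize` callback are hypothetical, and it assumes a POSIX filesystem.

```php
<?php
// Added example, not plugin code. Assumes POSIX file permissions.
// The store path, JSON layout and $authorize callback are hypothetical.
final class TokenStore
{
    private string $path;

    public function __construct(string $path) { $this->path = $path; }

    /** Read every stored entry, refusing a file other local users can access. */
    private function readAll(): array
    {
        if (!is_file($this->path)) {
            return [];
        }
        if ((fileperms($this->path) & 0077) !== 0) {
            throw new RuntimeException("token store permissions too open: {$this->path}");
        }
        $all = json_decode((string) file_get_contents($this->path), true);
        return is_array($all) ? $all : [];
    }

    /** Token credentials saved for this consumer key, or null if none. */
    public function load(string $consumerKey): ?array
    {
        $entry = $this->readAll()[$consumerKey] ?? null;
        return isset($entry['token'], $entry['secret']) ? $entry : null;
    }

    public function save(string $consumerKey, string $token, string $secret): void
    {
        $all = $this->readAll();
        $all[$consumerKey] = ['token' => $token, 'secret' => $secret];
        // Create the temp file as 0600, then rename over the old store,
        // so the file is never half-written and never world-readable.
        $tmp = $this->path . '.' . bin2hex(random_bytes(8));
        $old = umask(0077);
        $ok = file_put_contents($tmp, json_encode($all));
        umask($old);
        if ($ok === false || !rename($tmp, $this->path)) {
            throw new RuntimeException('could not write token store');
        }
    }
}

/** Reuse saved credentials; run the authorization flow only when none exist. */
function tokenCredentials(TokenStore $store, string $consumerKey, callable $authorize): array
{
    $creds = $store->load($consumerKey);
    if ($creds === null) {
        $creds = $authorize(); // hypothetical: runs the OAuth1 flow, returns ['token' => ..., 'secret' => ...]
        $store->save($consumerKey, $creds['token'], $creds['secret']);
    }
    return $creds;
}
```

With this in place, a second run of the client finds the saved entry and never calls `$authorize`, so no further authorization is requested from the server.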