AnsweredAssumed Answered

Incorrect token_type_hint does not revoke a valid token

Question asked by CarterR on Mar 28, 2017
Latest reply on Apr 3, 2017 by Sascha Preibisch

When I pass a valid token and an incorrect, but valid token_type_hint into the 3431 OAuth V2 Token Revocation, it does not revoke the token.


Endpoint: /3431/auth/oauth/v2/token/revoke

Method: POST 

Parameters: token, token_type_hint

   - Valid token_type_hint parameters: refresh_token, access_token


If my token parameter is an access token, but my token_type_hint is "refresh_token", a 200 is returned, but neither the access token nor the refresh token is revoked. The same applies for the token being a refresh token and the token type being "access_token"


According to the RFC 7009 in Section 2.1 (RFC 7009 - OAuth 2.0 Token Revocation ), if the token can not be found with the token_type_hint, it will extend the search across all token types. From my understanding, even if an incorrect token_type_hint is passed in, the token should still be revoked.


Is this a defect in the policy?