When I pass a valid token and an incorrect but valid token_type_hint into the 3431 OAuth V2 Token Revocation, it does not revoke the token.
Parameters: token, token_type_hint
- Valid token_type_hint parameters: refresh_token, access_token
If my token parameter is an access token, but my token_type_hint is "refresh_token", a 200 is returned, but neither the access token nor the refresh token is revoked. The same applies when the token is a refresh token and the token type is "access_token".
According to RFC 7009, Section 2.1 (RFC 7009 - OAuth 2.0 Token Revocation), if the token cannot be found with the token_type_hint, the server extends the search across all token types. From my understanding, even if an incorrect token_type_hint is passed in, the token should still be revoked.
Is this a defect in the policy?
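For reference, here is what a revocation endpoint that follows RFC 7009 Section 2.1 looks like, written as an added example rather than code from the product or policy asked about. The token_type_hint only decides which store is searched first; if the token is not found there, every other supported type is searched, so the scenario in the question (access token sent with hint "refresh_token") still results in the access token being revoked. The in-memory stores, the client_id/grant_id record layout, and the error code used when a token belongs to a different client are this example's own assumptions.

```python
"""RFC 7009 revocation endpoint where token_type_hint is only a hint.

Constructed example: tokens live in in-memory dicts keyed by token value.
Each record holds the client the token was issued to and a grant id that
ties access and refresh tokens from the same authorization together
(hypothetical schema, not any product's storage model).
"""

SUPPORTED_TYPES = ("access_token", "refresh_token")


class RevocationEndpoint:
    def __init__(self):
        self.stores = {t: {} for t in SUPPORTED_TYPES}

    def issue(self, token_type, token, client_id, grant_id):
        self.stores[token_type][token] = {"client_id": client_id, "grant_id": grant_id}

    def is_active(self, token):
        return any(token in store for store in self.stores.values())

    def revoke(self, client_id, token, token_type_hint=None):
        """Handle one POST to the revocation endpoint. Returns (http_status, body)."""
        # RFC 7009 s2.2.1: an unknown hint value is an unsupported_token_type error.
        if token_type_hint is not None and token_type_hint not in SUPPORTED_TYPES:
            return 400, {"error": "unsupported_token_type"}

        # Search the hinted type first, then every other supported type.
        # RFC 7009 s2.1: the server MUST extend its search across all token
        # types when the token is not found under the hinted type.
        search_order = [t for t in SUPPORTED_TYPES if t == token_type_hint]
        search_order += [t for t in SUPPORTED_TYPES if t != token_type_hint]

        for token_type in search_order:
            record = self.stores[token_type].get(token)
            if record is None:
                continue
            if record["client_id"] != client_id:
                # RFC 7009 s2.1: a token issued to another client must not be
                # revoked and the request is refused. The exact error code is
                # this example's choice, not mandated by the RFC.
                return 400, {"error": "invalid_request"}
            del self.stores[token_type][token]
            if token_type == "refresh_token":
                # RFC 7009 s2.1 (SHOULD): revoking a refresh token also revokes
                # access tokens issued under the same grant.
                access = self.stores["access_token"]
                siblings = [t for t, r in access.items() if r["grant_id"] == record["grant_id"]]
                for t in siblings:
                    del access[t]
            # RFC 7009 s2.2: success is HTTP 200 with an empty body.
            return 200, None

        # RFC 7009 s2.2: an unknown or already-revoked token is not an error.
        return 200, None


def scenario_from_question():
    """Access token revoked with hint 'refresh_token'; returns (status, AT active, RT active)."""
    ep = RevocationEndpoint()
    ep.issue("access_token", "AT-1", "client-a", "grant-1")   # constructed tokens
    ep.issue("refresh_token", "RT-1", "client-a", "grant-1")
    status, _ = ep.revoke("client-a", "AT-1", token_type_hint="refresh_token")
    return status, ep.is_active("AT-1"), ep.is_active("RT-1")


if __name__ == "__main__":
    print(scenario_from_question())  # expected (200, False, True)
```

The behaviour reported in the question would correspond to the loop stopping after the hinted store only, which is the defect to look for: a hint that short-circuits the search turns a harmless client mistake into a token that silently stays valid while the endpoint reports success.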