Layer7 API Management

Expand all | Collapse all

Incorrect token_type_hint does not revoke a valid token

Jump to Best Answer
  • 1.  Incorrect token_type_hint does not revoke a valid token

    Posted 03-28-2017 11:38 AM

    When I pass a valid token and an incorrect, but valid token_type_hint into the 3431 OAuth V2 Token Revocation, it does not revoke the token.

     

    Endpoint: /3431/auth/oauth/v2/token/revoke

    Method: POST 

    Parameters: token, token_type_hint

       - Valid token_type_hint parameters: refresh_token, access_token

     

    If my token parameter is an access token, but my token_type_hint is "refresh_token", a 200 is returned, but neither the access token nor the refresh token is revoked. The same applies for the token being a refresh token and the token type being "access_token"

     

    According to the RFC 7009 in Section 2.1 (RFC 7009 - OAuth 2.0 Token Revocation ), if the token can not be found with the token_type_hint, it will extend the search across all token types. From my understanding, even if an incorrect token_type_hint is passed in, the token should still be revoked.

     

    Is this a defect in the policy?

     

    Thanks,

    Carter



  • 2.  Re: Incorrect token_type_hint does not revoke a valid token

    Posted 03-29-2017 06:01 AM

    Hi Carter,

     

    you should be right, the token_type_hint should be ignored if the token delivers a correct value.

     

    The behavior you would see would point to a invalid token value and invalid token_type_hint value.

    Is it working properly when you leave the token_type_hint empty?

     

    Cheers,

    HD



  • 3.  Re: Incorrect token_type_hint does not revoke a valid token

    Posted 03-29-2017 09:24 AM

    Leaving the token_type_hint blank returns a 400.

    If the token_type_hint is a string that is not "refresh_token" or "access_token", it returns a 503.

     

    This error only occurs when the token_type_hint is opposite of the token type being passed in through the "token" parameter



  • 4.  Re: Incorrect token_type_hint does not revoke a valid token

    Posted 04-03-2017 05:23 AM

    You should address this on a Support Case, if this impacts your Business logic and you require clarification. 



  • 5.  Re: Incorrect token_type_hint does not revoke a valid token
    Best Answer

    Posted 04-03-2017 02:26 PM

    Hello Carter!

    In our implementation the token_type_hint is required to make the API more restrictive. A client should always know what its trying to revoke. Deleting the token but not knowing which type it is can cause clients to revoke the wrong one by accident.

    If you feel the implementation should be updated please create a support ticket for that.

    Regards,

    Sascha