When I pass a valid token and an incorrect, but valid token_type_hint into the 3431 OAuth V2 Token Revocation, it does not revoke the token.
Parameters: token, token_type_hint
- Valid token_type_hint parameters: refresh_token, access_token
If my token parameter is an access token, but my token_type_hint is "refresh_token", a 200 is returned, but neither the access token nor the refresh token is revoked. The same applies for the token being a refresh token and the token type being "access_token".
According to RFC 7009, Section 2.1 (RFC 7009 - OAuth 2.0 Token Revocation), if the token cannot be found with the token_type_hint, it will extend the search across all token types. From my understanding, even if an incorrect token_type_hint is passed in, the token should still be revoked.
Is this a defect in the policy?
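As an added illustration (not code from this thread or from the product being discussed) of the RFC 7009 Section 2.1 lookup rule the question relies on, here is a minimal revocation handler in Python: the hint only orders the search, the server falls back to every token type it supports, and, going a step beyond the question, a revoked refresh token also takes its grant's access tokens with it as the RFC recommends. The `TokenStore` layout, its field names and the sample tokens are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Hint values this sample server supports (RFC 7009 Section 2.1 / 2.2.1)
SUPPORTED_HINTS = ("access_token", "refresh_token")


@dataclass
class TokenStore:
    # token value -> grant id, one table per token type (constructed sample store)
    access: dict = field(default_factory=dict)
    refresh: dict = field(default_factory=dict)

    def _tables(self, hint):
        # RFC 7009 2.1: the hint orders the lookup, it never restricts it
        ordered = {"access_token": self.access, "refresh_token": self.refresh}
        if hint in ordered:
            return [ordered[hint]] + [t for h, t in ordered.items() if h != hint]
        return list(ordered.values())

    def revoke(self, token, hint=None):
        """Return (http_status, body) for one revocation request."""
        # An unknown hint value is the only client error RFC 7009 defines (2.2.1)
        if hint is not None and hint not in SUPPORTED_HINTS:
            return 400, {"error": "unsupported_token_type"}
        for table in self._tables(hint):
            grant = table.pop(token, None)
            if grant is None:
                continue  # not this type: extend the search to the next table
            # Revoking a refresh token SHOULD also invalidate the access tokens
            # issued under the same grant (RFC 7009 2.1)
            if table is self.refresh:
                for at in [a for a, g in self.access.items() if g == grant]:
                    del self.access[at]
            return 200, {}
        # Unknown or already-revoked tokens still get 200: the client cannot
        # act on an error here, so the RFC says not to send one
        return 200, {}
```

With a wrong-but-valid hint the token is still found and revoked, which is the behaviour the question expected from the RFC.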
You should be right, the token_type_hint should be ignored if the token delivers a correct value.
The behavior you would see would point to an invalid token value and invalid token_type_hint value.
Is it working properly when you leave the token_type_hint empty?
Leaving the token_type_hint blank returns a 400.
If the token_type_hint is a string that is not "refresh_token" or "access_token", it returns a 503.
This error only occurs when the token_type_hint is the opposite of the token type being passed in through the "token" parameter.
You should address this on a Support Case, if this impacts your Business logic and you require clarification.
In our implementation the token_type_hint is required to make the API more restrictive. A client should always know what it's trying to revoke. Deleting the token but not knowing which type it is can cause clients to revoke the wrong one by accident.
If you feel the implementation should be updated please create a support ticket for that.