Token revocation not following the OAuth 2.0 spec

[C-Collamar]

Hi! I'm trying to connect my password-grant client to my Passport-enabled server. For that, I use a client library that happens to strictly follow the 2.0 spec. Everything's doing well up until I try to revoke the access token. It seems it requires my authorization server to follow the standard on revoking tokens.

Does Passport have a way for dealing with this that I'm not aware of? I don't want to resort to monkey-patching the client or server for this as much as possible.

[driesvints]

We'll need a lot more info here. How are you revoking them? What's happening? What are you expecting to happen? Please share some code.

[C-Collamar]

To revoke a token according to the spec, the client must POST to the revocation endpoint an application/x-www-form-urlencoded-formatted body containing a token and an optional token_type_hint.

The client constructs the request by including the following parameters using the "application/x-www-form-urlencoded" format in the HTTP request entity-body:

token REQUIRED. The token that the client wants to get revoked.

token_type_hint OPTIONAL. A hint about the type of the token submitted for revocation. Clients MAY pass this parameter in order to help the authorization server to optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. This specification defines two such values:

 * access_token: An access token as defined in [RFC6749],
  Section 1.4

 * refresh_token: A refresh token as defined in [RFC6749],
  Section 1.5

As far as I know, here's how the Passport API allows revoking of access tokens:

DELETE /oauth/tokens/{{access_token}}  HTTP/2
Host: server.example.com
Authorization: Bearer <token>

If it were spec-compliant which I was hoping for, it should look like this more or less:

POST /oauth/tokens HTTP/2
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer <token>

token=<token>

[Sephster]

This spec isn't in oauth server yet but is on the cards. Device code grant first, then this

[driesvints]

Gonna markt this as a feature request then and wait for oauth2 server to implement it first. Thanks @Sephster!

[driesvints]

I'm guessing thephpleague/oauth2-server#995 implements this.

Closing this until OAuth2 has implemented support first.