Attempting to revoke an invalid token responds with an error #1362
Comments
@nbulaj Thoughts on this? I can put together a PR
Hi @JoshNorthrup. I thought we had a proper implementation. Don't we have specs for it in tests? 🤔 If not, it would be great to see a PR! Thanks!
Ah, read this please: #1252, or just 2.1. Revocation Request, or the original RFC 7009:
So actually Doorkeeper works as expected:
Hm, or actually the current authorization must be changed and it must be more complex. Let me continue with this tomorrow with a fresh head...
Fix token revocation endpoint behavior & response for invalid token and unauthorized requests to conform with RFC 7009. Fixes #1362.
Re-reviewed the RFC and created a PR to fix the issue @JoshNorthrup, you could check #1370
Fixed, thanks @JoshNorthrup
Steps to reproduce
When making a properly formed revocation request (POST /oauth/revoke) with an invalid token, a 403 is returned. This seems to disagree with https://tools.ietf.org/html/rfc7009#section-2.2 which states:
Expected behavior
Given a properly formed request with an invalid token, TokensController#revoke should respond with 200
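Added example (plain Ruby, not Doorkeeper's code): a minimal RFC 7009 revocation handler showing the behaviour this issue asks for, where an invalid or unknown token still gets 200 while a failed client authentication gets an error response. The token and client tables are constructed sample data, and the 403 for a token issued to a different client is this example's own choice, not something the issue specifies.

```ruby
# Constructed sample token store: token value => issuing client and revoked flag.
TOKENS = {
  'tok_alpha_1' => { client_id: 'client_a', revoked: false },
  'tok_beta_2'  => { client_id: 'client_b', revoked: false }
}

# Constructed client credentials (plaintext only for the illustration).
CLIENTS = { 'client_a' => 'secret_a', 'client_b' => 'secret_b' }

# Constant-time string comparison so secret checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal RFC 7009 revocation endpoint logic. Returns [http_status, json_body].
def revoke_token(client_id:, client_secret:, token:, store: TOKENS, clients: CLIENTS)
  # 1. Authenticate the client first (RFC 7009 section 2.1); an unauthenticated
  #    request is refused with the RFC 6749 section 5.2 error "invalid_client".
  unless clients.key?(client_id) && secure_compare(clients[client_id], client_secret)
    return [401, { error: 'invalid_client' }]
  end

  record = store[token]
  # 2. Unknown token: RFC 7009 section 2.2 says respond 200 anyway, so the
  #    endpoint does not become an oracle for which token strings exist.
  return [200, {}] if record.nil?

  # 3. Token issued to another client: the RFC says the request is refused;
  #    returning 403 "unauthorized_client" here is an assumption of this example.
  return [403, { error: 'unauthorized_client' }] unless record[:client_id] == client_id

  # 4. Revoke (idempotent: revoking an already-revoked token is also 200).
  record[:revoked] = true
  [200, {}]
end

if $PROGRAM_NAME == __FILE__
  # Non-mutating demo: an unknown token still yields 200, not 403.
  p revoke_token(client_id: 'client_a', client_secret: 'secret_a', token: 'no_such_token')
end
```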