Unknown token_type_hint should be ignored #174

Closed
rozagerardo opened this issue Dec 7, 2020 · 1 comment
Describe the bug
IMO we're using the unsupported_token_type response wrongly. Currently, we're retrieving this error response if we pass a token_type_hint request parameter value different from access_token or refresh_token. As I understand the specs, the Authorization Server should just ignore the token_type_hint param if it doesn't match the token type:

If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically.

An invalid token type hint value is ignored by the authorization server and does not influence the revocation response.

Furthermore, the unsupported_token_type error response should be used only if the authorization server explicitly doesn't allow revoking a particular token type:

unsupported_token_type: The authorization server does not support the revocation of the presented token type. That is, the client tried to revoke an access token on a server not supporting this feature.

Also note that this is not really related to the token_type_hint parameter, for example, we could pass a refresh_token as token_type_hint request parameter, but find that the token actually corresponds to an access_token. At that point, if the server is configured not to revoke access_tokens, then it would retrieve the corresponding error response.

To Reproduce
Send a request as follows:

curl --location --request POST 'http://localhost:9000/oauth2/revoke' \
--header 'Authorization: Basic bWVzc2FnaW5nLWNsaWVudDpzZWNyZXQ=' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=<token>' \
--data-urlencode 'token_type_hint=whatever'

Server responds with 400 Bad Request:

{
    "error": "unsupported_token_type"
}

Expected behavior
Token should be revoked anyway, and the service should respond with 200 OK.
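The following is an added example and not Spring Authorization Server code: a minimal in-memory model of the RFC 7009 revocation logic the report describes. A known token_type_hint only orders the search, an unknown hint such as "whatever" is ignored, the search falls back to all supported token types, and unsupported_token_type depends on the token's actual type and the server's revocation policy, not on the hint. The TokenStore class, the make_store helper, the token values and the revocation policy are all constructed for illustration.

```python
# Added example (not Spring Authorization Server code): a model of the
# RFC 7009 section 2.2 revocation logic described in the issue. Token values
# and the server's revocation policy are constructed for illustration.
from typing import Dict, Iterable, Optional, Set, Tuple

SUPPORTED_TOKEN_TYPES = ("access_token", "refresh_token")


class TokenStore:
    """In-memory store: token type -> set of currently valid token values."""

    def __init__(self, tokens: Dict[str, Set[str]], revocable: Iterable[str]):
        self.tokens = {t: set(tokens.get(t, ())) for t in SUPPORTED_TOKEN_TYPES}
        # Token types this server is configured to allow clients to revoke.
        self.revocable = set(revocable)

    def find_type(self, token: str, search_order: Iterable[str]) -> Optional[str]:
        for token_type in search_order:
            if token in self.tokens[token_type]:
                return token_type
        return None


def revoke(store: TokenStore, token: str,
           token_type_hint: Optional[str] = None) -> Tuple[int, Optional[dict]]:
    """Return (HTTP status, JSON body) for one revocation request."""
    # A recognised hint only decides which type is checked first; an
    # unrecognised hint (e.g. "whatever") is ignored rather than rejected.
    order = [token_type_hint] if token_type_hint in SUPPORTED_TOKEN_TYPES else []
    # If the hinted type misses, the search MUST extend to all supported types.
    order += [t for t in SUPPORTED_TOKEN_TYPES if t not in order]

    actual_type = store.find_type(token, order)
    if actual_type is None:
        # Invalid or already-revoked tokens do not cause an error response.
        return 200, None
    if actual_type not in store.revocable:
        # The error reflects the token's real type, not the hint the client sent.
        return 400, {"error": "unsupported_token_type"}
    store.tokens[actual_type].discard(token)
    return 200, None


def make_store(revocable: Iterable[str] = SUPPORTED_TOKEN_TYPES) -> TokenStore:
    """Constructed sample data: one access token and one refresh token."""
    return TokenStore({"access_token": {"at-1"}, "refresh_token": {"rt-1"}},
                      revocable)
```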

@rozagerardo rozagerardo added the type: bug A general bug label Dec 7, 2020
@jgrandja jgrandja changed the title Difference with Token Revokation specs - misusing "unsupported_token_type" error response Unknown token_type_hint should be ignored Dec 8, 2020
@jgrandja jgrandja self-assigned this Dec 8, 2020
@jgrandja jgrandja added this to the 0.1.0 milestone Dec 8, 2020
jgrandja commented Dec 8, 2020

Thanks for the report @rozagerardo! This is now fixed via 7f8aff7.
