Token Revocation Endpoint is not getting called in case of Public Client

[tapasbose]

Hello,
In my configuration, I have set clientAuthenticationMethod(ClientAuthenticationMethod.NONE), also I have

.tokenRevocationEndpoint(
    (OAuth2TokenRevocationEndpointConfigurer tokenRevocationEndpoint) -> tokenRevocationEndpoint
        .revocationResponseHandler((HttpServletRequest request, HttpServletResponse response, Authentication authentication) -> {
            // my logic

            response.setStatus(HttpStatus.OK.value());
        })
)

It seems neither revocationResponseHandler is called nor OAuth2TokenRevocationEndpointFilter.doFilterInternal.

They are called if I use clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST).

I was wondering if it is a bug or token revocation cannot be done in case the client is Public.

Regards

[jgrandja]

As per Section 2.1 Revocation Request:

The client also includes its authentication credentials as described
in Section 2.3. of [RFC6749].

The (confidential) client MUST authenticate at the Token Revocation Endpoint. Public clients are not allowed.

[stefanocke]

@jgrandja

https://datatracker.ietf.org/doc/html/rfc7009#section-5 ("security considerations") says:

According to this specification, a client's request must contain a
valid client_id, in the case of a public client, or valid client
credentials, in the case of a confidential client.

So, token revocation is allowed for public clients.

[jgrandja]

@stefanocke I don't agree. It does not explicitly state that public clients are allowed.

Regardless, allowing public clients on the token revocation endpoint goes against the "secure by default" principle, which is not what this project wants to adhere to.

If you require unauthenticated access for clients to any of the endpoints, it's the applications responsibility to configure.

[stefanocke]

@jgrandja

Regardless, allowing public clients on the token revocation endpoint goes against the "secure by default" principle, which is not what this project wants to adhere to.
If you require unauthenticated access for clients to any of the endpoints, it's the applications responsibility to configure.

Okay, that's only fair and consistent with the approch in #1430

I don't agree. It does not explicitly state that public clients are allowed.

Please let my try to rephrase my somehow shortened statement.
I would say, the authorization server MAY support token revocation for public clients, but it does not have to.
Can you agree on this or would you even say the specification forbids it?

Since in this case, my intent to do so by a custom configuration would just be wrong...