Layer7 API Gateway: Revoke endpoint in OTK returns a HTTP 200 on invalid token
Article ID: 191337
Updated On:
Products
CA API Gateway
API SECURITY
CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway
Issue/Introduction
When we call the revoke endpoint with a invalid/non-existent or expired token we get a 200 response as if it had successfully deleted the token. The expectation, in this case, is that a 400 status would be returned.
Environment
Component: API GATEWAY
Release: 9.2 and above
Component: OTK (OAuth Tool Kit)
Release: 3.6 and above
Resolution
The OAuth 2.0 specification for token revocation doesn't mandate to send a 400 if an invalid or an expired token is submitted for revocation.
Additional Information
https://tools.ietf.org/html/rfc7009#section-2.2
The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.
Note: invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way. Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved.
The content of the response body is ignored by the client as all necessary information is conveyed in the response code.
The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.
Note: invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way. Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved.
The content of the response body is ignored by the client as all necessary information is conveyed in the response code.
Feedback
Yes
No
Powered by
