Layer7 API Gateway: Revoke endpoint in OTK returns a HTTP 200 on invalid token
Article ID: 191337

Products

CA API Gateway
API SECURITY
CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway

Issue/Introduction

When the revoke endpoint is called with an invalid, non-existent, or expired token, it returns a 200 response as if the token had been successfully deleted. The expectation in this case is that a 400 status would be returned.

Environment

Component: API GATEWAY
Release: 9.2 and above

Component: OTK (OAuth Tool Kit)
Release: 3.6 and above

Resolution

The OAuth 2.0 token revocation specification (RFC 7009) does not require a 400 response when an invalid or expired token is submitted for revocation. A 200 response in this case is the behaviour the specification describes, so the OTK revoke endpoint is working as designed.
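The following is an added illustration, not OTK or Gateway code, of the RFC 7009 behaviour described above: a minimal revocation handler over a constructed in-memory token store that answers 200 for a live, an expired, an already-revoked, and a never-issued token alike, and reserves 400 for the one error the specification defines for the request itself (an unsupported token_type_hint).

```python
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed sample store for this example: token -> (client_id, expiry epoch).
TOKENS = {
    "at-valid-123": ("client-a", time.time() + 3600),
    "at-expired-456": ("client-a", time.time() - 60),
}

SUPPORTED_HINTS = (None, "access_token", "refresh_token")


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def revoke(form_body: str, store: dict = TOKENS) -> Response:
    """Handle a POST to the revocation endpoint (RFC 7009 sections 2.1 and 2.2).

    Whether the token is live, expired, already gone or was never issued, the
    outcome is the same: the token is no longer usable, so the server answers
    200. Returning a different status for unknown tokens would give the caller
    nothing it could act on, and would let it distinguish live from dead tokens.
    """
    params = parse_qs(form_body)
    token = params.get("token", [""])[0]
    hint = params.get("token_type_hint", [None])[0]

    # The only request-level error RFC 7009 2.2.1 adds: a hint the server
    # does not support. (A hint that is merely wrong for this token is not
    # an error; the server is expected to widen its search instead.)
    if hint not in SUPPORTED_HINTS:
        return Response(400, {"error": "unsupported_token_type"})

    entry = store.get(token)
    if entry is None:
        return Response(200)  # unknown or already revoked: nothing to do
    _client_id, expiry = entry
    # Expired tokens are removed as housekeeping, but the status is still 200.
    del store[token]
    return Response(200, {"was_expired": expiry < time.time()})


def is_usable(token: str, store: dict = TOKENS) -> bool:
    """Resource-server view: a token is usable only if present and not expired."""
    entry = store.get(token)
    return entry is not None and entry[1] > time.time()
```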

Additional Information

https://tools.ietf.org/html/rfc7009#section-2.2

The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.

Note: invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way. Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved.

The content of the response body is ignored by the client as all necessary information is conveyed in the response code.