Layer7 API Gateway: Revoke endpoint in OTK returns a HTTP 200 on invalid token



Article ID: 191337


Updated On:

Products

CA API Gateway

Issue/Introduction

When the OTK revoke endpoint is called with an invalid, non-existent or expired token, it returns HTTP 200 as if the token had been successfully revoked. The expectation was that a 400 status would be returned instead.

Environment

All supported versions of the API Gateway

All supported versions of the OTK

Resolution

This is expected behaviour. The OAuth 2.0 token revocation specification (RFC 7009, section 2.2) does not require a 400 when an invalid or expired token is submitted for revocation; it requires the authorization server to respond with HTTP 200 in that case, exactly as for a successful revocation. Because valid and unknown tokens produce the same status and the body is ignored, a caller cannot use the revoke endpoint to probe whether a given token string is still valid. Error responses (section 2.2.1 of the RFC) are reserved for cases such as a malformed request or a token type the server cannot revoke (unsupported_token_type); an unrecognised token_type_hint is simply ignored and does not change the response.

Additional Information

https://tools.ietf.org/html/rfc7009#section-2.2

The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.

Note: invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way. Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved.

The content of the response body is ignored by the client as all necessary information is conveyed in the response code.
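To make the RFC 7009 behaviour concrete, the following is an added example (not Layer7/OTK code) of a minimal revocation endpoint and the matching client-side handling of its responses. The token store, the client credentials, the token strings and the "other" token type are constructed for the example; a real gateway would authenticate the client and look up tokens in its own store.

```python
"""Added example (not Layer7/OTK code): a minimal RFC 7009 revocation
endpoint and the client-side handling of its responses.  The token store,
client credentials and token strings below are constructed for the example."""
import json
import secrets
from typing import Dict, Tuple


def make_store() -> Dict[str, Tuple[str, str]]:
    """Constructed in-memory token store: token -> (owning client_id, token type)."""
    return {
        "at-111": ("client-a", "access_token"),
        "rt-222": ("client-a", "refresh_token"),
        "xx-333": ("client-a", "other"),   # a token type this server cannot revoke
    }


CLIENTS = {"client-a": "secret-a"}                 # constructed confidential client
REVOCABLE_TYPES = {"access_token", "refresh_token"}


def revoke(form: dict, client_id: str, client_secret: str,
           store: Dict[str, Tuple[str, str]]) -> Tuple[int, str]:
    """Server side of POST /revoke.  Returns (HTTP status, response body)."""
    # RFC 7009 2.1: a confidential client authenticates as in RFC 6749 2.3;
    # RFC 6749 5.2 reports a failure as invalid_client (401 used here).
    expected = CLIENTS.get(client_id, "")
    if not secrets.compare_digest(expected, client_secret):
        return 401, json.dumps({"error": "invalid_client"})
    token = form.get("token")
    if not token:
        return 400, json.dumps({"error": "invalid_request"})
    # RFC 7009 2.1: an unrecognised token_type_hint is ignored and the server
    # searches all token types; this store is keyed by the token string anyway.
    entry = store.get(token)
    if entry is None:
        # Unknown, expired or already-revoked token: RFC 7009 2.2 says 200.
        # Same status and body as the success path, so the endpoint cannot be
        # used as an oracle for whether a token string is (still) valid.
        return 200, ""
    _owner, token_type = entry
    if token_type not in REVOCABLE_TYPES:
        # RFC 7009 2.2.1: the one error code specific to token revocation.
        return 400, json.dumps({"error": "unsupported_token_type"})
    del store[token]
    return 200, ""


def handle_revocation_response(status: int, body: str) -> str:
    """Client side: what the caller should do with the server's answer."""
    if status == 200:
        return "done"          # RFC 7009 2.2: the body is ignored
    if status == 503:
        return "retry"         # RFC 7009 2.2.1: assume the token still exists
    try:
        error = json.loads(body).get("error")
    except ValueError:
        error = None
    return "error:%s" % error


if __name__ == "__main__":
    store = make_store()
    # Revoking the same token twice and revoking an unknown token all yield 200.
    for tok in ("at-111", "at-111", "does-not-exist", "xx-333"):
        status, body = revoke({"token": tok}, "client-a", "secret-a", store)
        print(tok, status, handle_revocation_response(status, body))
```

Running the block shows the behaviour described in this article: the first revocation of `at-111` and the second (now non-existent) one both return 200, as does a token the server has never seen, while the only 400 comes from a token type the server cannot revoke.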