We have the following question on the OTK Revoke Token Endpoint's implementation.
The endpoint requires the client to send the token_type_hint, while RFC 7009 treats it as optional.
Is there any reason for this?
Release : 9.X, 10.X
Component : API GATEWAY
Sometimes the token string itself carries details about its type. The requirement on the token string is that it be random enough that it cannot be guessed, with enough bits of entropy to withstand the operations that depend on it. Basically, the token string is opaque to the client, but not necessarily to the authorization server. If part of the token string encodes the token type, the token_type_hint parameter may not be necessary, hence the RFC makes it optional.
From the OTK's point of view, however, beyond distinguishing a JWT from a MAC token, the type cannot be decided by looking at the token string. By default, both access tokens and refresh tokens have the same string composition (GUIDs), hence it is always advisable to include the token_type_hint parameter in the revocation request.
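To make the trade-off concrete, here is an added example (not OTK code, and not an implementation of its endpoint) of what a revocation endpoint that treats token_type_hint as optional must do when access and refresh tokens are indistinguishable GUIDs: with no hint, or with a wrong hint, it has to fall back to searching every token store, because the string alone cannot route the lookup. The in-memory stores, the `issue_tokens` and `revoke` helpers, and the returned status/search-order tuple are all constructed for illustration.

```python
import uuid

# Constructed in-memory stores standing in for the authorization server's
# persistence layer. Both token types are keyed by opaque GUID strings, so
# nothing in the key itself reveals which store a token belongs to.
ACCESS_TOKENS = {}
REFRESH_TOKENS = {}
STORES = {"access_token": ACCESS_TOKENS, "refresh_token": REFRESH_TOKENS}


def issue_tokens(client_id):
    """Issue an access/refresh token pair as random GUIDs (constructed helper)."""
    access = str(uuid.uuid4())
    refresh = str(uuid.uuid4())
    ACCESS_TOKENS[access] = {"client_id": client_id}
    REFRESH_TOKENS[refresh] = {"client_id": client_id}
    return access, refresh


def revoke(token, token_type_hint=None):
    """Revoke a token with RFC 7009 semantics when the hint is optional.

    Returns (http_status, stores_searched). A recognised hint only decides
    which store is searched first; if the token is not there, or no hint was
    supplied, the remaining stores are searched as well (RFC 7009 section 2.1).
    An unrecognised hint is rejected with unsupported_token_type
    (section 2.2.1). A token that is not found still yields 200, so the
    endpoint does not act as an oracle for token validity.
    """
    if token_type_hint is not None and token_type_hint not in STORES:
        return 400, []  # error=unsupported_token_type

    order = list(STORES)
    if token_type_hint:
        order.remove(token_type_hint)
        order.insert(0, token_type_hint)

    searched = []
    for name in order:
        searched.append(name)
        if token in STORES[name]:
            del STORES[name][token]
            return 200, searched
    # Unknown or already-revoked token: every store had to be consulted.
    return 200, searched


if __name__ == "__main__":
    access, refresh = issue_tokens("client-a")
    # Wrong hint: the refresh token is still found, but only after both
    # stores were searched, which is the cost a mandatory hint avoids.
    print(revoke(refresh, "access_token"))   # (200, ['access_token', 'refresh_token'])
    print(revoke(access))                    # (200, ['access_token'])
```

With a mandatory hint, the endpoint can go straight to one store; with an optional hint and GUID tokens, every miss degrades into a search of all stores, which is why supplying the hint is the advisable default.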