08-18-2016 04:36
Token revocation does not conform to RFC 7009 in multiple respects, despite the documentation stating that it does.
Both implementation errors are critical and should not have passed review. It took quite a long time to find the root cause because you stated that you conform to the RFC.
------
First error: Only access tokens can be invalidated.
The first sentence of RFC 7009 (after the introduction section) is the following:
Implementations MUST support the revocation of refresh tokens and SHOULD support the revocation of access tokens (see Implementation Note).
And MUST is the first definition in RFC 2119, where it is defined as an absolute requirement.
Stating that you conform to RFC 7009 while ignoring its first and absolute requirement is wrong on so many levels.
----
Second error: A 401 is returned when a refresh token is supplied.
The first sentence of Section 2.2 of RFC 7009 states the following:
The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.
Section 2.2.1 describes the only error that may be returned:
The error presentation conforms to the definition in Section 5.2 of [RFC6749]. The following additional error code is defined for the token revocation endpoint: unsupported_token_type: The authorization server does not support the revocation of the presented token type. That is, the client tried to revoke an access token on a server not supporting this feature.
Since your endpoint returned a 401, I spent a lot of time checking my basic authentication, secrets etc.
Additionally, your endpoint returns an error if expired access tokens are supplied, whereas the RFC explicitly states that that case should be a 200.
---
Please fix your implementation (it's broken by the RFC's definition) or stop stating that you conform to the RFC and instead document the endpoint properly (it isn't, though that would be fine if I could just read the RFC instead).
In addition to flagrantly violating the RFC, asking for only access tokens instead of refresh tokens creates a lot of overhead on both ends, useless HTTP traffic and additional client-side programming because expired access tokens need to be refreshed before a grant can be revoked.
Feel free to contact me if you require more information. I hope that you fix this and remove the note of RFC 7009 conformance until then.
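The response rules the post quotes (refresh tokens revocable, 200 for unknown or expired tokens, `unsupported_token_type` as the only error, cascade from refresh token to the grant's access tokens) as the decision logic of a conforming endpoint. This is an added example, not the vendor's code; the `Token` store, its fields and the `access_revocable` switch are assumptions, and client authentication (the only legitimate source of a 401) is assumed to have happened before `revoke` is called.

```python
import time
from dataclasses import dataclass


@dataclass
class Token:
    kind: str           # "access_token" or "refresh_token"
    grant_id: str       # authorization grant the token was issued under
    expires_at: float   # unix time; float("inf") means no expiry
    revoked: bool = False


def revoke(store, token, token_type_hint=None, access_revocable=True):
    """RFC 7009 revocation for an already-authenticated client.

    store maps the token string to a Token.  Returns (http_status, body).
    token_type_hint is accepted but ignored, which section 2.1 permits,
    because the store is keyed on the token string itself.
    """
    entry = store.get(token)
    # Unknown, expired or already-revoked token: 200 with an empty body,
    # never an error, so the endpoint cannot be used to probe validity
    # (section 2.2).  This is the case the post says returns an error.
    if entry is None or entry.revoked or entry.expires_at <= time.time():
        return 200, {}
    # The only error RFC 7009 defines (section 2.2.1): the server cannot
    # revoke this token kind.  Refresh tokens are a MUST, so only access
    # tokens can ever hit this branch.
    if entry.kind == "access_token" and not access_revocable:
        return 400, {"error": "unsupported_token_type"}
    entry.revoked = True
    # Revoking a refresh token SHOULD also invalidate every access token
    # issued under the same grant (section 2.1).
    if entry.kind == "refresh_token" and access_revocable:
        for other in store.values():
            if other.grant_id == entry.grant_id:
                other.revoked = True
    return 200, {}


def sample_store():
    """Constructed sample data: one grant with a refresh token and two
    access tokens, plus an expired access token from another grant."""
    return {
        "rt1": Token("refresh_token", "g1", float("inf")),
        "at1": Token("access_token", "g1", float("inf")),
        "at2": Token("access_token", "g1", float("inf")),
        "at_old": Token("access_token", "g2", 0.0),
    }
```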
08-18-2016 10:36 - edited 08-19-2016 15:04
Thank you for your bug report. We are planning to have fixes available within two weeks.
08-18-2016 04:44
I guess this is for @SunsetRunner?