Sergey has the correct interpretation -- it's to prevent a class of oracle attacks. Think of it this way: if you go to revoke a token, and the token wasn't there in the first place, the end result is the same: the token's not there when you're done. So it's a 200 because the result is what you wanted, even if the state going in was wrong.
-- Justin

On May 24, 2013, at 6:07 AM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:

> Hi
> On 23/05/13 21:57, Lewis Adam-CAL022 wrote:
>> Hi,
>>
>> Section 2.2 (Revocation Response) of draft-ietf-oauth-revocation-09 states:
>>
>> The authorization server responds with HTTP status code 200 if the
>> token has been revoked sucessfully or if the client submitted an
>> invalid token. The content of the response body does not matter as
>> all information is conveyed in the response code.
>>
>> Am I just missing it, or does the draft not define the response code(s)?
>>
>> Also, it seems a bit strange to return a 200 in response to an invalid
>> token. 200 implies that the request has succeeded, which should not be
>> the case in an error condition (invalid token).
>>
> As far as I recall it was done to prevent rogue clients from figuring out
> where they failed; I asked whether it was something that should now apply to other
> similar cases, but did not get any feedback.
>
> Cheers, Sergey
>
>> Also (small typo) ... there should be two c's in successfully.
>>
>> adam
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
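To make the point of the thread concrete, here is an added example (not code from the thread, the draft, or any IETF implementation) of a revocation endpoint handler written two ways: a "chatty" variant whose status code tells the caller whether the submitted token existed, and a variant that follows Section 2.2 of the draft and returns 200 in either case. The token store, the handler signatures and the sample token strings are constructed for illustration and are not part of the specification.

```python
"""Added example: why a revocation endpoint answers 200 whether or not the
submitted token existed. The TokenStore, handler names and sample tokens are
constructed for this illustration, not taken from the draft."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class TokenStore:
    # Set of currently valid token strings (constructed sample data).
    active: set = field(default_factory=set)

    def revoke(self, token: str) -> bool:
        """Remove the token if present; report whether it was actually there."""
        if token in self.active:
            self.active.discard(token)
            return True
        return False


def revoke_chatty(store: TokenStore, token: str) -> tuple[int, str]:
    """Oracle-prone variant: the status code leaks whether the token existed.
    A caller holding a guessed or stale token string learns from 200 vs 404
    whether that string is (or was) a live token at this server."""
    if store.revoke(token):
        return 200, ""
    return 404, '{"error":"invalid_token"}'


def revoke_draft_conformant(store: TokenStore, token: str) -> tuple[int, str]:
    """Variant matching Section 2.2 of the draft: revoke if present and
    return 200 either way. The post-condition is the same in both branches
    (the token is not active afterwards), so the response is the same too."""
    store.revoke(token)  # return value deliberately ignored
    return 200, ""


def demo() -> dict:
    """Run both handlers against a live token, an unknown token, and a repeat
    of the first call (token already revoked); return what each caller sees."""
    results = {}
    for name, handler in (("chatty", revoke_chatty),
                          ("conformant", revoke_draft_conformant)):
        store = TokenStore(active={"tok-live-1", "tok-live-2"})  # constructed
        results[name] = {
            "live": handler(store, "tok-live-1"),
            "unknown": handler(store, "tok-never-issued"),
            "repeat": handler(store, "tok-live-1"),  # already revoked above
            "remaining": sorted(store.active),
        }
    return results


if __name__ == "__main__":
    for name, observed in demo().items():
        print(name, observed)
```

Both variants leave the store in the same state; the only difference is what the caller can infer from the response. The conformant handler treats revocation as idempotent, which is exactly the reasoning in the message above: the desired end state is reached, so the request succeeded.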