Hi,
In RFC7009 - section 2.1
(https://tools.ietf.org/html/rfc7009#section-2.1), it is stated that:
    The authorization server first validates the client credentials (in
    case of a confidential client) and then verifies whether the token
    was issued to the client making the revocation request. If this
    validation fails, the request is refused and the client is informed
    of the error by the authorization server as described below.
And then in section 2.2 (https://tools.ietf.org/html/rfc7009#section-2.2):
    The authorization server responds with HTTP status code 200 if the
    token has been revoked successfully or if the client submitted an
    invalid token.
Returning an error in the first case (and not the standard 200 HTTP
status) would leak to another client that the token exists and is
actually valid. Even though scanning tokens is hard if implemented with
sufficient entropy (timing attacks could probably help here),
shouldn't it be preferable from a security perspective to return an HTTP
200 code instead of an error?
Is there some historical discussion that I may have missed?
Regards,
--
Tangui
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
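The two behaviours discussed in the message above, as an added example that is not part of the post or of RFC 7009 itself: a minimal revocation handler with a constructed in-memory client registry and token store, where the `leak_ownership` flag switches between the literal reading of section 2.1 (an error when the token belongs to another client) and the uniform 200 response the post argues for. The error code returned in the leaking branch is chosen for illustration only.

```python
import hashlib
import hmac
import secrets

# Constructed state standing in for the authorization server's client
# registry and token store (hypothetical data, not taken from the post).
CLIENTS = {"client-a": "secret-a", "client-b": "secret-b"}
TOKENS = {}  # sha256(token) -> client_id the token was issued to


def issue_token(client_id: str) -> str:
    """Issue a high-entropy bearer token and record which client owns it."""
    token = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = client_id
    return token


def _client_ok(client_id: str, client_secret: str) -> bool:
    """Validate confidential-client credentials (RFC 7009 section 2.1, first step)."""
    expected = CLIENTS.get(client_id)
    if expected is None:
        return False
    # Constant-time comparison so a wrong secret cannot be probed by timing.
    return hmac.compare_digest(expected.encode(), client_secret.encode())


def revoke(client_id: str, client_secret: str, token: str, leak_ownership: bool = False):
    """Revocation endpoint logic. Returns (http_status, response_body).

    leak_ownership=False: unknown tokens and tokens owned by another client
    both get 200, so a caller learns nothing about whether the token exists.
    leak_ownership=True: the literal reading questioned in the post; a token
    issued to a different client is refused with an error.
    """
    if not _client_ok(client_id, client_secret):
        return 401, {"error": "invalid_client"}
    digest = hashlib.sha256(token.encode()).hexdigest()
    owner = TOKENS.get(digest)
    if owner is None:
        return 200, {}  # invalid token: 200 per section 2.2
    if owner != client_id:
        if leak_ownership:
            # Illustrative error code; reveals the token exists and is valid.
            return 400, {"error": "unauthorized_client"}
        return 200, {}  # indistinguishable from the unknown-token case
    del TOKENS[digest]  # token is ours: actually revoke it
    return 200, {}
```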