Improves conformance to RFC 7009 (!4) · Merge requests · project / simple_oauth_revoke · GitLab

GitLab now enforces expiry dates on tokens that originally had no set expiration date. Those tokens were given an expiration date of one year later. Please review your personal access tokens, project access tokens and group access tokens to ensure you are aware of upcoming expirations. Administrators of GitLab can find more information on how to identify and mitigate interruption, please take a look at our documentation.

Daniel Pfeiffer requested to merge rfc7009-conformance into 2.0.x Jan 15, 2024

The /oauth/revoke endpoint was falling short of RFC 7009 compliance in a few areas:

It only supports revocation of refresh tokens; requests to revoke an access token receive a successful response, but the access token is not revoked.
The client credentials are not being validated.

These changes address both of those issues.