Skip to content

Improves conformance to RFC 7009

Daniel Pfeiffer requested to merge rfc7009-conformance into 2.0.x

The /oauth/revoke endpoint was falling short of RFC 7009 compliance in a few areas:

  1. It only supports revocation of refresh tokens; requests to revoke an access token receive a successful response, but the access token is not revoked.
  2. The client credentials are not being validated.

These changes address both of those issues.

Merge request reports

Loading