I personally don’t agree with this errata. Token Revocation was never meant to
act as a protected resource, but rather as a function of the AS. The client is
known to the AS and so authentication is expected here.
— Justin
> On Aug 22, 2021, at 5:14 AM, RFC Errata System wrote:
>
> The following errata report has been submitted for RFC7009,
> "OAuth 2.0 Token Revocation".
>
> --
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid6663
>
> --
> Type: Technical
> Reported by: Ashvin Narayanan
>
> Section: 2.1
>
> Original Text
> -
> The client constructs the request by including the following
> parameters using the "application/x-www-form-urlencoded" format in
> the HTTP request entity-body:
>
> token REQUIRED. The token that the client wants to get revoked.
>
> token_type_hint OPTIONAL. A hint about the type of the token
> submitted for revocation. Clients MAY pass this parameter in
> order to help the authorization server to optimize the token
> lookup. If the server is unable to locate the token using
> the given hint, it MUST extend its search across all of its
> supported token types. An authorization server MAY ignore
> this parameter, particularly if it is able to detect the
> token type automatically. This specification defines two
> such values:
>
> * access_token: An access token as defined in [RFC6749],
> Section 1.4
>
> * refresh_token: A refresh token as defined in [RFC6749],
> Section 1.5
>
> Specific implementations, profiles, and extensions of this
> specification MAY define other values for this parameter
> using the registry defined in Section 4.1.2.
>
> The client also includes its authentication credentials as described
> in Section 2.3. of [RFC6749].
>
> For example, a client may request the revocation of a refresh token
> with the following request:
>
> POST /revoke HTTP/1.1
> Host: server.example.com
> Content-Type: application/x-www-form-urlencoded
> Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
>
> token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
>
> The authorization server first validates the client credentials (in
> case of a confidential client) and then verifies whether the token
> was issued to the client making the revocation request. If this
> validation fails, the request is refused and the client is informed
> of the error by the authorization server as described below.
>
> Corrected Text
> --
> The client calls the revocation endpoint using an HTTP
> POST [RFC7231] request with the following parameters sent as
> "application/x-www-form-urlencoded" data in the request body:
>
> token REQUIRED. The token that the client wants to get revoked.
>
> token_type_hint OPTIONAL. A hint about the type of the token
> submitted for revocation. Clients MAY pass this parameter in
> order to help the authorization server to optimize the token
> lookup. If the server is unable to locate the token using
> the given hint, it MUST extend its search across all of its
> supported token types. An authorization server MAY ignore
> this parameter, particularly if it is able to detect the
> token type automatically. This specification defines two
> such values:
>
> * access_token: An access token as defined in [RFC6749],
> Section 1.4
>
> * refresh_token: A refresh token as defined in [RFC6749],
> Section 1.5
>
> Specific implementations, profiles, and extensions of this
> specification MAY define other values for this parameter
> using the registry defined in Section 4.1.2.
>
> The client MUST also include in the request the access token it received
> from the authorization server. It must do so in the same way as it would
> when accessing a protected resource, as described in [RFC6749], Section 7.
>
> The following is a non-normative example request in which the client uses
> its access token to revoke the associated refresh token:
>
> POST /revoke HTTP/1.1
> Host: server.example.com
> Content-Type: application/x-www-form-urlencoded
> Authorization: Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW
>
> token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
>
> The following is a non-normative example request in which the client uses
> its access token to revoke the same access token:
>
> POST /revoke HTTP/1.1
> Host: server.example.com
> Content-Type: application/x-www-form-urlencoded
> Authorization: Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW
>
> token=czZCaGRSa3F0MzpnWDFmQmF0M2JW&token_type_hint=access_token
>
> The
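The following is an added illustration of the server-side behaviour the published Section 2.1 text describes (authenticate the client, locate the token using `token_type_hint` only as an optimisation, verify the token was issued to that client, then revoke). It is not code from RFC 7009, the errata report or anyone in this thread. The in-memory client table and token store are constructed; the client id/secret and token values are the ones used in the RFC's example request, the HTTP error codes and `error` strings are this example's own choices, and the "unknown token still answers 200" behaviour follows RFC 7009 Section 2.2, which is not quoted above.

```python
"""Minimal RFC 7009 revocation-endpoint logic (added example, not RFC text).

Models the published Section 2.1 flow: the client authenticates to the
authorization server (here via HTTP Basic, RFC 6749 Section 2.3.1), the
server finds the token, checks that it was issued to that client, and
revokes it.  Stores and request values below are constructed for the demo.
"""
import base64
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample data: the client id/secret pair encoded in the RFC's
# "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW" header, plus tokens.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}            # client_id -> client_secret
TOKENS = {                                         # token_type -> {token: owning client_id}
    "refresh_token": {"45ghiukldjahdnhzdauz": "s6BhdRkqt3"},
    "access_token": {
        "2YotnFZFEjr1zCsicMWpAA": "s6BhdRkqt3",
        "tokenofanotherclient": "other-client",
    },
}
SUPPORTED_TYPES = ("access_token", "refresh_token")


@dataclass
class Response:
    status: int
    error: Optional[str] = None   # error string choices are this example's, not the RFC's


def authenticate_client(headers: dict) -> Optional[str]:
    """Validate HTTP Basic client credentials; return the client_id or None."""
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        client_id, _, secret = base64.b64decode(cred, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = CLIENTS.get(client_id)
    # constant-time comparison so secret checking does not leak by timing
    if expected is None or not hmac.compare_digest(secret.encode(), expected.encode()):
        return None
    return client_id


def find_token(token: str, hint: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (token_type, owning client_id). The hint only orders the search:
    if the hinted type misses, the search extends across all supported types,
    and an unrecognised hint is ignored (both behaviours are in Section 2.1)."""
    if hint in SUPPORTED_TYPES:
        order = [hint] + [t for t in SUPPORTED_TYPES if t != hint]
    else:
        order = list(SUPPORTED_TYPES)
    for ttype in order:
        owner = TOKENS[ttype].get(token)
        if owner is not None:
            return ttype, owner
    return None, None


def revoke(headers: dict, body: str) -> Response:
    """Handle one POST /revoke request (headers dict + urlencoded body)."""
    client_id = authenticate_client(headers)
    if client_id is None:
        return Response(401, "invalid_client")          # client authentication failed
    params = parse_qs(body, keep_blank_values=True)
    token = params.get("token", [""])[0]
    if not token:
        return Response(400, "invalid_request")         # "token" is REQUIRED
    hint = params.get("token_type_hint", [None])[0]
    ttype, owner = find_token(token, hint)
    if ttype is None:
        # RFC 7009 Section 2.2: an unknown/already-invalid token is answered 200,
        # so the endpoint does not act as a token-validity oracle.
        return Response(200)
    if owner != client_id:
        # Token was issued to a different client: refuse, per Section 2.1.
        return Response(400, "invalid_request")
    del TOKENS[ttype][token]
    return Response(200)


if __name__ == "__main__":
    hdrs = {"Authorization": "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW"}
    print(revoke(hdrs, "token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token"))
```

Note that under the errata's proposed text the first step would instead validate a Bearer access token presented as if the endpoint were a protected resource; the example keeps the published model in which the revocation endpoint is a function of the authorization server and the client authenticates with its own credentials.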