Token revocation in OAuth2

We can use the token revocation endpoint to revoke our access and refresh tokens. But imagine a scenario where an authenticated client wants to revoke a token that is bound to a different client.

Should the authorization server revoke the token? This situation clearly says that the token is in unauthorized hands, but on the other hand it could potentially be used to destroy the user experience (if it is revoked).

So what do authorization servers typically do? Is there any recommended way?


Solution:

RFC 7009 section 2.1 reads as follows:

The authorization server first validates the client credentials (in case of a confidential client) and then verifies whether the token was issued to the client making the revocation request. If this validation fails, the request is refused and the client is informed of the error by the authorization server as described below.

If the authorization server (AS) complies with this specification, it should only revoke tokens issued to the authenticated client.
If the client is not authenticated or if the presented token was not issued to this client, the AS should leave the token unchanged, and thus the user experience is not degraded.
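The ownership check the answer quotes from RFC 7009, as an added example that is not part of the original question or answer: a minimal revocation endpoint handler in Python. The client table, the token store, the token values and the audit log are constructed fixtures, and the 400/invalid_request status used for the foreign-token refusal is this example's own choice; RFC 7009 itself only requires that an unknown token gets a 200, that a token issued to another client is refused without being revoked, and that a failed client authentication is reported as an error.

```python
# Added example (not the page's or any project's code): an RFC 7009 revocation
# handler that revokes only tokens issued to the authenticated client. Clients,
# tokens and the refusal status code are constructed/assumed for this example.
import hmac
import logging
from dataclasses import dataclass, field

log = logging.getLogger("revocation")


@dataclass
class Token:
    value: str
    token_type: str          # "access_token" or "refresh_token"
    client_id: str           # the client this token was issued to
    revoked: bool = False


@dataclass
class AuthorizationServer:
    clients: dict = field(default_factory=dict)   # client_id -> client_secret (constructed)
    tokens: dict = field(default_factory=dict)    # token value -> Token (constructed)
    audit: list = field(default_factory=list)     # security events worth forwarding to a SIEM

    def _authenticate(self, client_id, client_secret):
        secret = self.clients.get(client_id)
        if secret is None:
            return False
        # Constant-time compare: the revocation endpoint must not leak secret bytes via timing.
        return hmac.compare_digest(secret, client_secret)

    def revoke(self, client_id, client_secret, token, token_type_hint=None):
        """Handle POST /revoke. Returns (http_status, json_body) in the shape of RFC 7009 section 2.2."""
        # 1. Validate the (confidential) client's credentials. Failure -> RFC 6749 invalid_client.
        if not self._authenticate(client_id, client_secret):
            return 401, {"error": "invalid_client"}

        # 2. Locate the token. token_type_hint is only a hint: RFC 7009 requires the server to
        #    search all supported token types when the hint does not find it, which a lookup
        #    keyed on the token value alone already does.
        record = self.tokens.get(token)

        # 3. Unknown token: RFC 7009 says respond 200, because the client cannot act on an error.
        if record is None:
            return 200, {}

        # 4. Token issued to a different client: refuse and leave the token untouched so the
        #    legitimate user's session is not degraded. A client presenting a token that is not
        #    its own is a strong leakage signal, so record it for detection rather than ignore it.
        if record.client_id != client_id:
            self.audit.append({
                "event": "revocation_refused_foreign_token",
                "requesting_client": client_id,
                "token_owner": record.client_id,
                "token_type": record.token_type,
            })
            log.warning("client %s tried to revoke a token issued to %s", client_id, record.client_id)
            # Assumption: the exact error for this refusal is an implementation choice;
            # RFC 7009 only requires that the request be refused with an error response.
            return 400, {"error": "invalid_request"}

        # 5. Token belongs to the authenticated client: revoke it (idempotent).
        record.revoked = True
        return 200, {}

    def is_active(self, token):
        record = self.tokens.get(token)
        return record is not None and not record.revoked


def demo():
    """Walks the cases from the question on constructed fixtures and returns the outcomes."""
    server = AuthorizationServer(
        clients={"app-a": "secret-a", "app-b": "secret-b"},
        tokens={
            "tok-a1": Token("tok-a1", "access_token", "app-a"),
            "tok-b1": Token("tok-b1", "refresh_token", "app-b"),
        },
    )
    results = {
        "bad_creds": server.revoke("app-a", "wrong-secret", "tok-a1"),
        "own_token": server.revoke("app-a", "secret-a", "tok-a1"),
        "foreign_token": server.revoke("app-a", "secret-a", "tok-b1", token_type_hint="access_token"),
        "unknown_token": server.revoke("app-b", "secret-b", "tok-does-not-exist"),
    }
    results["tok_a1_active"] = server.is_active("tok-a1")   # revoked by its own client
    results["tok_b1_active"] = server.is_active("tok-b1")   # untouched: foreign request refused
    results["audit_events"] = len(server.audit)
    return server, results


if __name__ == "__main__":
    _, outcome = demo()
    for name, value in outcome.items():
        print(f"{name}: {value}")
```

The point to take from the foreign-token branch is that "do not revoke" and "do nothing" are different decisions: the token is left alone for the user's sake, but the attempt itself is logged, because a client holding a token it was never issued is exactly the compromise indicator the question describes.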
