Skip to content

fix: honour tokenEndpointAuthMethodsSupported in revokeToken()#5

Merged
ralflang merged 1 commit into
horde:FRAMEWORK_6_0from
jcdelepine:fix/revokeToken
Jun 15, 2026
Merged

fix: honour tokenEndpointAuthMethodsSupported in revokeToken()#5
ralflang merged 1 commit into
horde:FRAMEWORK_6_0from
jcdelepine:fix/revokeToken

Conversation

@jcdelepine

Copy link
Copy Markdown

Follows up on #4.

RFC 7009 §2.1 does not prescribe the client authentication method for the revocation endpoint. Providers that advertise client_secret_basic only will reject a request that sends credentials in the POST body.

Apply the same tokenEndpointAuthMethodsSupported check as tokenRequest(): use HTTP Basic when client_secret_basic is advertised exclusively, fall back to client_secret_post otherwise.

Adds two tests covering the Basic and mixed-methods cases.

Follows up on horde#4.

RFC 7009 §2.1 does not prescribe the client authentication method for
the revocation endpoint. Providers that advertise client_secret_basic
only will reject a request that sends credentials in the POST body.

Apply the same tokenEndpointAuthMethodsSupported check as tokenRequest():
use HTTP Basic when client_secret_basic is advertised exclusively,
fall back to client_secret_post otherwise.

Adds two tests covering the Basic and mixed-methods cases.
@ralflang

Copy link
Copy Markdown
Member

Thank you!

@ralflang
ralflang merged commit 404281f into horde:FRAMEWORK_6_0 Jun 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants