refresh_ token
Registry Context
`refresh_token` indicates that the token submitted for revocation is a refresh token.
Technical Summary
RFC 7009 Section 2.1 defines `refresh_token` as a `token_type_hint` value for a refresh token as defined by RFC 6749 Section 1.5. RFC 7009 also includes it in the OAuth Token Type Hints registry's initial contents.
When Used
When a client includes `token_type_hint=refresh_token` in an OAuth 2.0 token revocation request.
Normative Requirements
Clients
RFC 7009 - Section 2.1
pass the `token_type_hint` parameter to help the authorization server optimize token lookup.
Condition: when submitting a token revocation request
Clients MAY pass this parameter in order to help the authorization server to optimize the token lookup.
Authorization servers
RFC 7009 - Section 2.1
extend its search across all supported token types.
Condition: if it is unable to locate the token using the given hint
If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types.
RFC 7009 - Section 2.1
invalidate all access tokens based on the same authorization grant.
Condition: if the revoked token is a refresh token and the authorization server supports access-token revocation
The authorization server SHOULD also invalidate all access tokens based on the same authorization grant.
RFC 7009 - Section 2.1
ignore the `token_type_hint` parameter.
Condition: particularly if it can detect the token type automatically
An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically.
Implementations
RFC 7009 - Section 2
support the revocation of refresh tokens.
Implementations MUST support the revocation of refresh tokens.
RFC 7009 - Section 2
support the revocation of access tokens.
Implementations [...] SHOULD support the revocation of access tokens.
Validation Guidance
Verify that the implementation supports revocation of refresh tokens.
Verify that omission of `token_type_hint` is accepted and that a supplied `refresh_token` hint is not required for successful refresh-token lookup.
Verify that an incorrect token type hint does not restrict lookup to the hinted type; the authorization server must search all supported token types if the hinted lookup fails.
Verify that revoking a refresh token also invalidates access tokens based on the same authorization grant when the authorization server supports access-token revocation.
Security Notes
RFC 7009 - Section 2
The revocation endpoint location should be obtained from a trustworthy source because the endpoint handles security credentials.
Reference
Details
- Entry Id
refresh_token - Hint Value
refresh_token - Change Controller
IETF- Reference
RFC7009