Fix #119 non-compliant invalid token response for RFC7009.

authlib/oauth2/rfc7009/revocation.py

@@ -1,6 +1,8 @@
 from ..rfc6749 import TokenEndpoint
 from ..rfc6749 import (
-    OAuth2Error, InvalidRequestError, UnsupportedTokenTypeError
+    OAuth2Error,
+    InvalidRequestError,
+    UnsupportedTokenTypeError,
 )
 
 
@@ -37,8 +39,6 @@ def validate_endpoint_request(self):
             raise UnsupportedTokenTypeError()
         token = self.query_token(
             params['token'], token_type, self.request.client)
-        if not token:
-            raise InvalidRequestError()
         self.request.credential = token
 
     def create_endpoint_response(self):
@@ -62,12 +62,13 @@ def create_endpoint_response(self):
             # the revocation request
             self.validate_endpoint_request()
             # the authorization server invalidates the token
-            self.revoke_token(self.request.credential)
-            self.server.send_signal(
-                'after_revoke_token',
-                token=self.request.credential,
-                client=self.request.client,
-            )
+            if self.request.credential:
+                self.revoke_token(self.request.credential)
+                self.server.send_signal(
+                    'after_revoke_token',
+                    token=self.request.credential,
+                    client=self.request.client,
+                )
             status = 200
             body = {}
             headers = [

docs/changelog.rst

@@ -28,6 +28,7 @@ Small changes and bug fixes in this release:
 - Fixed error response for invalid/expired refresh token via :gh:`issue#112`.
 - Fixed error handle for invalid redirect uri via :gh:`issue#113`.
 - Fixed error response redirect to fragment via :gh:`issue#114`.
+- Fixed non-compliant responses from RFC7009 via :gh:`issue#119`.
 
 **Deprecate Changes**: find how to solve the deprecate issues via https://git.io/fjvpt
 

tests/flask/test_oauth2/test_token_revocation.py

@@ -76,8 +76,7 @@ def test_invalid_token(self):
         rv = self.client.post('/oauth/revoke', data={
             'token': 'invalid-token',
         }, headers=headers)
-        resp = json.loads(rv.data)
-        self.assertEqual(resp['error'], 'invalid_request')
+        self.assertEqual(rv.status_code, 200)
 
         rv = self.client.post('/oauth/revoke', data={
             'token': 'a1',
@@ -90,8 +89,7 @@ def test_invalid_token(self):
             'token': 'a1',
             'token_type_hint': 'refresh_token',
         }, headers=headers)
-        resp = json.loads(rv.data)
-        self.assertEqual(resp['error'], 'invalid_request')
+        self.assertEqual(rv.status_code, 200)
 
     def test_revoke_token_with_hint(self):
         self.prepare_data()
@@ -105,13 +103,6 @@ def test_revoke_token_with_hint(self):
         }, headers=headers)
         self.assertEqual(rv.status_code, 200)
 
-        rv = self.client.post('/oauth/revoke', data={
-            'token': 'a1',
-            'token_type_hint': 'access_token',
-        }, headers=headers)
-        resp = json.loads(rv.data)
-        self.assertEqual(resp['error'], 'invalid_request')
-
     def test_revoke_token_without_hint(self):
         self.prepare_data()
         self.create_token()