fix: add client ownership validation for token revocation per RFC 7009

  - Add client_id to ParsedRefreshToken interface for validation
  - Enforce client ownership validation during token revocation
  - Return silent 200 responses for invalid tokens instead of errors
  - Handle decode errors gracefully per RFC 7009 section 2.2

Author: jasonraimondi

src/grants/abstract/abstract.grant.ts

@@ -42,6 +42,7 @@ export interface ParsedAccessToken extends JwtPayload {
 }
 export interface ITokenData extends ParsedAccessToken {}
 export interface ParsedRefreshToken extends JwtPayload {
+  client_id: string;
   access_token_id: string;
   refresh_token_id: string;
 }

src/grants/auth_code.grant.ts

@@ -314,26 +314,53 @@ export class AuthCodeGrant extends AbstractAuthorizedGrant {
   async respondToRevokeRequest(req: RequestInterface): Promise<ResponseInterface> {
     req.body["grant_type"] = this.identifier;
 
-    if (this.options.authenticateRevoke) await this.validateClient(req);
+    // Silently ignore - per RFC 7009, invalid tokens should not cause error responses
+    // @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.2
+    const errorResponse = new OAuthResponse();
+
+    let authenticatedClient;
+    if (this.options.authenticateRevoke) {
+      try {
+        authenticatedClient = await this.validateClient(req);
+      } catch (err) {
+        this.options.logger?.log(err);
+        return errorResponse;
+      }
+    }
 
     const token = this.getRequestParameter("token", req);
 
     if (!token) {
-      throw OAuthException.invalidParameter("token", "Missing `token` parameter in request body");
+      return errorResponse;
     }
 
-    const parsedCode: unknown = this.jwt.decode(token);
+    let parsedCode: unknown;
+    try {
+      parsedCode = this.jwt.decode(token);
+    } catch (err) {
+      this.options.logger?.log(err);
+      return errorResponse;
+    }
 
     if (!this.isAuthCodePayload(parsedCode)) {
-      throw OAuthException.invalidParameter("token", "Token does not contain valid auth code payload");
+      return errorResponse;
+    }
+
+    if (this.options.authenticateRevoke && authenticatedClient && parsedCode) {
+      if (parsedCode.client_id !== authenticatedClient.id) {
+        this.options.logger?.log("Token client ID does not match authenticated client");
+        return errorResponse;
+      }
     }
 
     try {
       await this.authCodeRepository.revoke(parsedCode.auth_code_id);
-      return new OAuthResponse();
-    } catch (e) {
-      throw OAuthException.invalidParameter("token", "Error during token revocation");
+    } catch (err) {
+      this.options.logger?.log(err);
+      // Silently ignore - per RFC 7009, invalid tokens should not cause error responses
     }
+
+    return errorResponse;
   }
 
   private isAuthCodePayload(code: unknown): code is PayloadAuthCode {

src/grants/client_credentials.grant.ts

@@ -64,15 +64,53 @@ export class ClientCredentialsGrant extends AbstractGrant {
   async respondToRevokeRequest(req: RequestInterface): Promise<ResponseInterface> {
     req.body["grant_type"] = this.identifier;
 
-    if (this.options.authenticateRevoke) await this.validateClient(req);
+    // Silently ignore - per RFC 7009, invalid tokens should not cause error responses
+    // @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.2
+    const errorResponse = new OAuthResponse();
+
+    let authenticatedClient;
+    if (this.options.authenticateRevoke) {
+      try {
+        authenticatedClient = await this.validateClient(req);
+      } catch (err) {
+        this.options.logger?.log(err);
+        return errorResponse;
+      }
+    }
 
-    let { oauthToken } = await this.tokenFromRequest(req);
+    let parsedToken;
+    let oauthToken;
+    try {
+      const tokenData = await this.tokenFromRequest(req);
+      parsedToken = tokenData.parsedToken;
+      oauthToken = tokenData.oauthToken;
+    } catch (err) {
+      this.options.logger?.log(err);
+      return errorResponse;
+    }
 
-    // Invalid tokens do not cause an error response since the client cannot handle such an error.
-    // @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.2
-    if (oauthToken) await this.tokenRepository.revoke(oauthToken).catch();
+    if (this.options.authenticateRevoke && authenticatedClient && parsedToken) {
+      const tokenClientId = this.options.tokenCID === "id" ? authenticatedClient.id : authenticatedClient.name;
+
+      if (this.isAccessTokenPayload(parsedToken) && parsedToken.cid !== tokenClientId) {
+        this.options.logger?.log("Token client ID does not match authenticated client");
+        return errorResponse;
+      }
+
+      if (this.isRefreshTokenPayload(parsedToken) && parsedToken.client_id !== authenticatedClient.id) {
+        this.options.logger?.log("Token client ID does not match authenticated client");
+        return errorResponse;
+      }
+    }
+
+    try {
+      if (oauthToken) await this.tokenRepository.revoke(oauthToken);
+    } catch (err) {
+      this.options.logger?.log(err);
+      // Silently ignore - per RFC 7009, invalid tokens should not cause error responses
+    }
 
-    return new OAuthResponse();
+    return errorResponse;
   }
 
   private readonly revokeTokenTypeHintRegExp = /^(access_token|refresh_token|auth_code)$/;

test/e2e/authorization_server.spec.ts

@@ -525,7 +525,7 @@ describe("authorization_server", () => {
 
   describe("#revoke", () => {
     let client: OAuthClient = {
-      id: "1",
+      id: "16c11812-89da-4d68-9e9c-7715323e34f5",
       name: "test client",
       secret: "super-secret-secret",
       redirectUris: ["http://localhost"],
@@ -591,10 +591,12 @@ describe("authorization_server", () => {
         });
       });
 
-      it("throws when missing client id and secret", async () => {
+      it("returns 200 when missing client id and secret (silent failure per RFC 7009)", async () => {
         request.body = {};
 
-        await expect(authorizationServer.revoke(request)).rejects.toThrowError(/Check the `client_id` parameter/i);
+        const response = await authorizationServer.revoke(request);
+        expect(response.status).toBe(200);
+        expect(response.body).toEqual({});
       });
     });
 
@@ -607,12 +609,12 @@ describe("authorization_server", () => {
         });
       });
 
-      it("throws when missing token param", async () => {
+      it("returns 200 when missing token param (silent failure per RFC 7009)", async () => {
         request.body = { grant_type: "client_credentials" };
 
-        await expect(authorizationServer.revoke(request)).rejects.toThrowError(
-          /Missing `token` parameter in request body/i,
-        );
+        const response = await authorizationServer.revoke(request);
+        expect(response.status).toBe(200);
+        expect(response.body).toEqual({});
       });
 
       it("succeeds by access token", async () => {
@@ -686,12 +688,16 @@ describe("authorization_server", () => {
         };
         inMemoryDatabase.authCodes[authCode.code] = authCode;
 
+        const token = await testingJwtService.sign({
+          auth_code_id: authCode.code,
+          client_id: client.id
+        });
+
         request.body = {
-          token: await testingJwtService.sign({ auth_code_id: authCode.code }),
+          token,
           token_type_hint: "auth_code",
         };
         const response = await authorizationServer.revoke(request);
-
         expect(response.status).toBe(200);
         expect(inMemoryDatabase.authCodes[authCode.code].expiresAt).toEqual(new Date(0));
       });

test/e2e/grants/auth_code.grant.spec.ts

@@ -586,4 +586,134 @@ describe("authorization_code grant", () => {
       await expect(accessTokenResponse).rejects.toThrow(OAuthException);
     });
   });
+
+  describe("respond to revoke request", () => {
+    let authorizationRequest: AuthorizationRequest;
+    let authorizationCode: string;
+
+    beforeEach(async () => {
+      authorizationRequest = new AuthorizationRequest("authorization_code", client, "http://example.com");
+      authorizationRequest.isAuthorizationApproved = true;
+      authorizationRequest.codeChallengeMethod = "S256";
+      authorizationRequest.codeChallenge = codeChallenge;
+      authorizationRequest.user = user;
+      const redirectResponse = await grant.completeAuthorizationRequest(authorizationRequest);
+      const authorizeResponseQuery = new URLSearchParams(redirectResponse.headers.location.split("?")[1]);
+      authorizationCode = String(authorizeResponseQuery.get("code"));
+    });
+
+    it("successfully revokes valid auth code", async () => {
+      request = new OAuthRequest({
+        body: {
+          token: authorizationCode,
+        },
+      });
+
+      const response = await grant.respondToRevokeRequest(request);
+
+      expect(response.status).toBe(200);
+      expect(response.body).toEqual({});
+    });
+
+    it("returns 200 for invalid token (silent failure per RFC 7009)", async () => {
+      request = new OAuthRequest({
+        body: {
+          token: "invalid-token",
+        },
+      });
+
+      const response = await grant.respondToRevokeRequest(request);
+
+      expect(response.status).toBe(200);
+      expect(response.body).toEqual({});
+    });
+
+    it("returns 200 for missing token parameter (silent failure per RFC 7009)", async () => {
+      request = new OAuthRequest({
+        body: {},
+      });
+
+      const response = await grant.respondToRevokeRequest(request);
+
+      expect(response.status).toBe(200);
+      expect(response.body).toEqual({});
+    });
+
+    it("returns 200 for malformed JWT token (silent failure per RFC 7009)", async () => {
+      request = new OAuthRequest({
+        body: {
+          token: "not.a.jwt",
+        },
+      });
+
+      const response = await grant.respondToRevokeRequest(request);
+
+      expect(response.status).toBe(200);
+      expect(response.body).toEqual({});
+    });
+
+    describe("with client authentication", () => {
+      beforeEach(() => {
+        grant = createGrant({ authenticateRevoke: true });
+      });
+
+      it("successfully revokes when client owns the token", async () => {
+        client.secret = "secret123";
+        inMemoryDatabase.clients[client.id] = client;
+
+        request = new OAuthRequest({
+          headers: {
+            authorization: `Basic ${Buffer.from(`${client.id}:${client.secret}`).toString("base64")}`,
+          },
+          body: {
+            token: authorizationCode,
+          },
+        });
+
+        const response = await grant.respondToRevokeRequest(request);
+
+        expect(response.status).toBe(200);
+        expect(response.body).toEqual({});
+      });
+
+      it("returns 200 when client does not own the token (silent failure per RFC 7009)", async () => {
+        const otherClient = {
+          id: "other-client",
+          name: "other client",
+          secret: "other-secret",
+          redirectUris: ["http://example.com"],
+          allowedGrants: ["authorization_code"],
+          scopes: [],
+        };
+        inMemoryDatabase.clients[otherClient.id] = otherClient;
+
+        request = new OAuthRequest({
+          headers: {
+            authorization: `Basic ${Buffer.from(`${otherClient.id}:${otherClient.secret}`).toString("base64")}`,
+          },
+          body: {
+            token: authorizationCode,
+          },
+        });
+
+        const response = await grant.respondToRevokeRequest(request);
+
+        expect(response.status).toBe(200);
+        expect(response.body).toEqual({});
+      });
+
+      it("returns 200 when authentication required but not provided (silent failure)", async () => {
+        request = new OAuthRequest({
+          body: {
+            token: authorizationCode,
+          },
+        });
+
+        const response = await grant.respondToRevokeRequest(request);
+
+        expect(response.status).toBe(200);
+        expect(response.body).toEqual({});
+      });
+    });
+  });
 });