The Invalidate Token API does not handle malformed and non-existent tokens correctly. It returns a `400 could not refresh the requested token` if it can decode the refresh token and a `401 token malformed` if the token document doesn't exist. The latter can happen in cases where we have already deleted the token document because the access token is expired/invalidated and the caller is not aware, or when we get a token that is malformed or not ours.
In all of the above cases we should be returning `200` with a body of
{
"invalidated_tokens":0,
"previously_invalidated_tokens":0,
"error_count":0
}
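Until the API behaves as proposed, a caller that revokes tokens at logout has to accept both response styles without mistaking an ordinary authentication failure for a stale token. The sketch below is an added example, not Elasticsearch code: the function name is hypothetical, the sample error bodies are constructed, and matching on the message text quoted above is an assumption about how it appears in the response.

```python
import json

# Messages quoted in the report; their exact placement in the error body is assumed.
REFRESH_MSG = "could not refresh the requested token"
MALFORMED_MSG = "token malformed"

def classify_invalidate_response(status, body_text):
    """Map an Invalidate Token response to an outcome for a logout handler.

    Returns "invalidated", "already_gone", "partial_failure" or "error".
    """
    if status == 200:
        try:
            body = json.loads(body_text)
        except ValueError:
            return "error"
        if not isinstance(body, dict):
            return "error"
        if body.get("error_count", 0) > 0:
            return "partial_failure"  # some token documents were not updated
        if body.get("invalidated_tokens", 0) > 0:
            return "invalidated"
        # All-zero counts (the proposed body) or only previously
        # invalidated tokens: nothing is left to revoke.
        return "already_gone"
    # Behaviour described in the report: the token is unusable either way.
    # Match the specific message so that a 401 caused by the caller's own
    # bad credentials is still reported as an error.
    if status == 400 and REFRESH_MSG in body_text:
        return "already_gone"
    if status == 401 and MALFORMED_MSG in body_text:
        return "already_gone"
    return "error"

# Constructed sample responses (status, body), not captured from a cluster.
SAMPLES = [
    (200, '{"invalidated_tokens":0,"previously_invalidated_tokens":0,"error_count":0}'),
    (200, '{"invalidated_tokens":1,"previously_invalidated_tokens":0,"error_count":0}'),
    (400, "could not refresh the requested token"),
    (401, "token malformed"),
    (401, "unable to authenticate user"),
]

if __name__ == "__main__":
    for status, text in SAMPLES:
        print(status, classify_invalidate_response(status, text))
```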