Adjust PAIA auth logout to RFC 7009 Token Revocation

[nichtich]

RFC 7009 defines a standard method for OAuth 2.0 token revocation. To align PAIA auth logout with this RFC 7009 it should become a Token Revoking Endpoint:

• [x] Use content type application/x-www-form-urlencoded
• [ ] Require additional request parameter token
• [x] Support an optional request parameter token_type_hint (can be ignored)

RFC 7009 does not forbid response body, such as the current JSON object with patron:

The content of the response body is ignored by the client as all necessary information is conveyed in the response code.

The current patron request field can be made optional and should be ignored: in fact logout does not logout a patron but a token.

For backwards-compatibility

• PAIA auth could make the token parameter optional (although this does not strictly conform to RFC 7009) and just use the access token as provided with request parameter access_token or HTTP request header Authorization.
• PAIA auth could also support JSON request in addition to application/x-www-form-urlencoded

  Example request

 POST /auth/logout HTTP/1.1
 Host: example.org
 Content-Type: application/x-www-form-urlencoded
 Authorization: Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW

 token=czZCaGRSa3F0MzpnWDFmQmF0M2JW&token_type_hint=access_token

[nichtich]

The following changes are required in specification and implementation:

• [x] make response field "patron" optional
• [x] support an optional request parameter token_type_hint (can be ignored):w
• [ ] invalid token MUST NOT cause an error but HTTP 200 response - the goal of this method is to invalidate a token
• [ ] support request paramater "token" alternative to "patron"
• [ ] make clear that the response is optional (field patron is not required anyway)

[nichtich]

Does anyone use OAuth Token Revocation at all? Public identify providers have implemented it differently anyway:

• Twitter uses field access_token instead of token
• GitHub puts the access_token in the URL
• MediaWiki seems to lack token revocation
• ...

Valid implementations exist nevertheless and full conformance to RFC 7009 would be nice but I doubt the endpoint will actually be used.