lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License

rfc7009: return error if client validation fails #646

Closed amCap1712 closed 1 month ago

amCap1712 commented 2 months ago

Section 2 of RFC 7009 says:

"The authorization server first validates the client credentials (in case of a confidential client) and then verifies whether the token was issued to the client making the revocation request. If this validation fails, the request is refused and the client is informed of the error by the authorization server as described below."

Accordingly, update the code to return an invalid_grant error if the token being revoked does not belong to the client credentials supplied.

What kind of change does this PR introduce? (check at least one)
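The two-step check the PR description quotes from RFC 7009 Section 2 (authenticate the client first, then confirm the token was issued to that client), as an added illustrative example. This is not Authlib's code and not the code of this PR; the in-memory client and token stores, the `RevocationResult` type and the function names are assumptions made for the illustration. It also shows the RFC 7009 Section 2.2 rule that an unknown token is answered with 200 rather than an error, which the PR text does not cover.

```python
"""
Toy model of the RFC 7009 revocation endpoint checks.
Not Authlib's implementation; all names and data below are assumptions.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: confidential clients and the tokens issued to them.
CLIENTS = {"app-a": "secret-a", "app-b": "secret-b"}
TOKENS = {"tok-1": "app-a", "tok-2": "app-b"}  # token -> owning client_id
REVOKED = set()


@dataclass
class RevocationResult:
    """HTTP status plus the OAuth error code, if any (assumed shape)."""
    status: int
    error: Optional[str] = None


def authenticate_client(client_id: str, client_secret: str) -> bool:
    """Step 1: validate the credentials of a confidential client."""
    expected = CLIENTS.get(client_id)
    if expected is None:
        return False
    # Constant-time comparison so secret checks do not leak timing information.
    return hmac.compare_digest(expected, client_secret)


def revoke(client_id: str, client_secret: str, token: str) -> RevocationResult:
    """Handle a revocation request in the order RFC 7009 Section 2 prescribes."""
    # Step 1: refuse the request outright if the client cannot authenticate.
    if not authenticate_client(client_id, client_secret):
        return RevocationResult(401, "invalid_client")

    owner = TOKENS.get(token)
    if owner is None:
        # RFC 7009 Section 2.2: an invalid (unknown) token is not an error,
        # because the client could not act on such an error anyway.
        return RevocationResult(200)

    # Step 2: the token must have been issued to the authenticated client;
    # otherwise the request is refused, here with the error the PR chose.
    if owner != client_id:
        return RevocationResult(400, "invalid_grant")

    REVOKED.add(token)
    return RevocationResult(200)


if __name__ == "__main__":
    print(revoke("app-a", "secret-a", "tok-2"))   # another client's token
    print(revoke("app-a", "secret-a", "tok-1"))   # own token, revoked
```

The ordering matters for detection as well as correctness: a client that fails step 1 never learns whether the token exists, and a client that passes step 1 but fails step 2 is a useful signal to log, since a legitimate client has no reason to present another client's token.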