Merge pull request #646 from amCap1712/revocation-error-verify

rfc7009: return error if client validation fails

authlib/oauth2/rfc7009/revocation.py

@@ -1,5 +1,5 @@
 from authlib.consts import default_json_headers
-from ..rfc6749 import TokenEndpoint
+from ..rfc6749 import TokenEndpoint, InvalidGrantError
 from ..rfc6749 import (
     InvalidRequestError,
     UnsupportedTokenTypeError,
@@ -29,8 +29,9 @@ def authenticate_token(self, request, client):
         """
         self.check_params(request, client)
         token = self.query_token(request.form['token'], request.form.get('token_type_hint'))
-        if token and token.check_client(client):
-            return token
+        if token and not token.check_client(client):
+            raise InvalidGrantError()
+        return token
 
     def check_params(self, request, client):
         if 'token' not in request.form:

tests/flask/test_oauth2/test_revocation_endpoint.py

@@ -120,3 +120,29 @@ def test_revoke_token_without_hint(self):
             'token': 'a1',
         }, headers=headers)
         self.assertEqual(rv.status_code, 200)
+
+    def test_revoke_token_bound_to_client(self):
+        self.prepare_data()
+        self.create_token()
+
+        client2 = Client(
+            user_id=1,
+            client_id='revoke-client-2',
+            client_secret='revoke-secret-2',
+        )
+        client2.set_client_metadata({
+            'scope': 'profile',
+            'redirect_uris': ['http://localhost/authorized'],
+        })
+        db.session.add(client2)
+        db.session.commit()
+
+        headers = self.create_basic_header(
+            'revoke-client-2', 'revoke-secret-2'
+        )
+        rv = self.client.post('/oauth/revoke', data={
+            'token': 'a1',
+        }, headers=headers)
+        self.assertEqual(rv.status_code, 400)
+        resp = json.loads(rv.data)
+        self.assertEqual(resp['error'], 'invalid_grant')