Description
Describe the issue:
The revokeAccessToken method does not include the client_secret in the request body, which leads to a failure when revoking tokens for confidential clients that require client authentication.
This results in the following error being thrown during token revocation:
```
H {
  message: { error_description: 'Client Authentication failed.', error: 'invalid_client' },
  name: 'Invalid response status received for revoke access token request (Unauthorized).',
  code: 'JS-AUTH_CORE-RAT3-HE03'
}
```
The SDK should support both public and confidential clients by appending the client_secret to the revocation request when it is configured.
How to reproduce:
- Configure the SDK for a confidential client with client_id and client_secret.
- Authenticate and obtain a valid session.
- Attempt to revoke the access token using revokeAccessToken.
- Observe the invalid_client error with Unauthorized status.
Expected behavior:
The revokeAccessToken method should append the client_secret to the request body when available in the config, enabling successful revocation for confidential clients.
Environment information
- OS: Linux
- Browser: Chrome
- SDK Version: 5.1.1