Description
SDK version
11.0.0
Steps to reproduce
Call xero_client.revoke_token(token_set) with a valid token set containing a refresh token.
Expected behavior
Token is revoked, 200 response with empty body.
Actual behavior
Xero's identity server returns a 500 Internal Server Error:
{
"title": "Internal Server Error",
"status": 500,
"detail": "ReferenceTokenStore is not supported in Identity"
}

Root cause
The revoke_token method in api_client.rb does not include token_type_hint in the POST body:
def revoke_token(token_set)
token_set = token_set.with_indifferent_access
data = {
token: token_set[:refresh_token]
}
return token_request(data, '/revocation')
end

Without token_type_hint=refresh_token, Xero's identity server attempts to look up the opaque refresh token as a reference token, hits an unsupported code path, and returns a 500.
Suggested fix
Add token_type_hint to the revocation request data:
def revoke_token(token_set)
token_set = token_set.with_indifferent_access
data = {
token: token_set[:refresh_token],
token_type_hint: 'refresh_token'
}
return token_request(data, '/revocation')
end

This follows the OAuth 2.0 Token Revocation spec (RFC 7009), which recommends including token_type_hint so the server can optimize its token lookup.
Workaround
Call the revocation endpoint directly with token_type_hint:
uri = URI.parse("https://identity.xero.com/connect/revocation")
request = Net::HTTP::Post.new(uri)
request.basic_auth(ENV['XERO_CLIENT_ID'], ENV['XERO_CLIENT_SECRET'])
request.set_form_data("token" => refresh_token, "token_type_hint" => "refresh_token")
Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http| http.request(request) }
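The following is an added example, not code from the xero-ruby SDK or from the issue author. It wraps the workaround above in a small RFC 7009 client that always sends token_type_hint, rejects an invalid hint before anything is sent, and turns the identity server's response into an outcome the caller can act on (200 means revoked or already invalid; 503 means retry; anything else is an error whose JSON detail is extracted, as with the 500 body quoted in this issue). The helper names (build_revocation_request, revocation_form_params, interpret_revocation_response, revoke_refresh_token) are hypothetical; the endpoint URL is the one used in the workaround, and the http: parameter exists only so the flow can be exercised against a stub without contacting identity.xero.com.

```ruby
require 'net/http'
require 'uri'
require 'json'

# Added example, not xero-ruby code. Endpoint taken from the workaround in this issue.
REVOCATION_URI = URI.parse('https://identity.xero.com/connect/revocation')
# The two hint values RFC 7009 section 2.1 defines.
TOKEN_TYPE_HINTS = %w[refresh_token access_token].freeze

# Builds the revocation POST: HTTP Basic client authentication plus a
# form-encoded body carrying token and token_type_hint. Refuses to build a
# request with an empty token or an unknown hint so the bug this issue
# describes cannot be reintroduced silently.
def build_revocation_request(token, token_type_hint, client_id:, client_secret:, uri: REVOCATION_URI)
  raise ArgumentError, 'token must be a non-empty string' if token.to_s.strip.empty?
  unless TOKEN_TYPE_HINTS.include?(token_type_hint)
    raise ArgumentError, "token_type_hint must be one of #{TOKEN_TYPE_HINTS.join(', ')}"
  end
  request = Net::HTTP::Post.new(uri)
  request.basic_auth(client_id, client_secret)
  request.set_form_data('token' => token, 'token_type_hint' => token_type_hint)
  request
end

# Decodes the form body back into a Hash so the outgoing parameters can be
# inspected (for example in a test) without sending the request.
def revocation_form_params(request)
  URI.decode_www_form(request.body.to_s).to_h
end

# Maps the server's status and body to [:revoked, nil], [:retry, nil] or
# [:error, detail]. RFC 7009 section 2.2: 200 means the token is now invalid,
# whether or not it was valid before. Section 2.2.1: 503 means back off and
# retry later. For other failures the JSON "error", "detail" or "title" field
# is surfaced; the token itself is never included in the detail string.
def interpret_revocation_response(status, body)
  status = Integer(status)
  return [:revoked, nil] if status == 200
  return [:retry, nil] if status == 503
  detail = begin
    parsed = JSON.parse(body.to_s)
    parsed.is_a?(Hash) ? (parsed['error'] || parsed['detail'] || parsed['title'] || body.to_s) : body.to_s
  rescue JSON::ParserError
    body.to_s
  end
  [:error, "HTTP #{status}: #{detail}"]
end

# Revokes a refresh token end to end. `http` may be any object responding to
# #request (a stub in tests); when nil, a TLS session to the endpoint is opened.
def revoke_refresh_token(refresh_token, client_id:, client_secret:, http: nil)
  request = build_revocation_request(refresh_token, 'refresh_token',
                                     client_id: client_id, client_secret: client_secret)
  response = if http
               http.request(request)
             else
               Net::HTTP.start(REVOCATION_URI.hostname, REVOCATION_URI.port, use_ssl: true) do |session|
                 session.request(request)
               end
             end
  interpret_revocation_response(response.code, response.body)
end

# Stand-alone usage: only runs when the credentials are present in the environment.
if $PROGRAM_NAME == __FILE__ && ENV['XERO_REFRESH_TOKEN']
  outcome, detail = revoke_refresh_token(ENV['XERO_REFRESH_TOKEN'],
                                         client_id: ENV.fetch('XERO_CLIENT_ID'),
                                         client_secret: ENV.fetch('XERO_CLIENT_SECRET'))
  puts(outcome == :revoked ? 'refresh token revoked' : "revocation #{outcome}: #{detail}")
end
```

Note that RFC 7009 section 2.1 also says a server that revokes a refresh token should invalidate the access tokens issued under the same grant, so after a :revoked outcome the cached access token should be discarded as well rather than reused until it expires.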