I tried passing an access token to the /introspect and /revoke endpoints while passing the incorrect token_type_hint (refresh_token instead of access_token), and I get a 200 back, and for /introspect the token introspection info as well.
Same thing happens when I pass in a refresh_token with token_type_hint=access_token.
Is this expected behavior or a bug?
If it is expected behavior, why is this, and what is the purpose of having the token_type_hint parameter?
token_type_hint
OPTIONAL. A hint about the type of the token submitted for introspection. The protected resource MAY pass this parameter to help the authorization server to optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. Values for this field are defined in the OAuth Token Type Hints registry defined in OAuth Token Revocation.
It seems like Okta is simply ignoring this parameter if it is able to locate the right token based on the token value. I’m guessing the performance of this endpoint is boosted when you pass the right token_type_hint as the auth server will be able to quickly locate the right token.
As far as I understand, this is an expected behavior and not a bug.
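To make the quoted rule concrete, here is a small model of an authorization server's introspection and revocation lookup, written as an added example for this thread (it is not Okta's code and not code from the original post). The token stores and token values are constructed placeholders, and the lookup counter exists only to show what the hint buys: with the right hint the token is found on the first probe, with the wrong hint the server falls back to searching the other type, and in both cases the caller gets the same result. It also shows the two response rules that matter for a defender: an unknown, expired or revoked token introspects as {"active": false} with no further detail, and revocation returns success whether or not the token existed.

```python
import time

# Constructed sample stores keyed by token type (placeholder values, not real
# Okta tokens). A real server would look up a hash of the token in a database.
TOKENS = {
    "access_token": {
        "at-111": {"client_id": "app1", "scope": "openid profile",
                   "token_type": "Bearer", "exp": 4_102_444_800},
        "at-222": {"client_id": "app1", "scope": "openid",
                   "token_type": "Bearer", "exp": 0},  # already expired
    },
    "refresh_token": {
        "rt-333": {"client_id": "app1", "scope": "openid offline_access",
                   "exp": 4_102_444_800},
    },
}


def find_token(token, token_type_hint=None):
    """Return (token_type, record, lookups); (None, None, lookups) if unknown.

    The hint only orders the search: the hinted store is probed first, and if
    the token is not there the search extends to every other supported type
    (RFC 7662 section 2.1). An unrecognised hint is not an error; it simply
    contributes nothing to the ordering.
    """
    order = list(TOKENS)
    if token_type_hint in TOKENS:
        order.remove(token_type_hint)
        order.insert(0, token_type_hint)
    lookups = 0
    for token_type in order:
        lookups += 1
        record = TOKENS[token_type].get(token)
        if record is not None:
            return token_type, record, lookups
    return None, None, lookups


def introspect(token, token_type_hint=None, now=None):
    """Build an RFC 7662 introspection response for `token`."""
    now = time.time() if now is None else now
    token_type, record, _ = find_token(token, token_type_hint)
    # Unknown, revoked and expired tokens all collapse to {"active": false}
    # so the endpoint does not reveal which of the three cases applies.
    if record is None or record["exp"] <= now:
        return {"active": False}
    response = {"active": True, "exp": record["exp"],
                "client_id": record["client_id"], "scope": record["scope"]}
    if token_type == "access_token":
        response["token_type"] = record["token_type"]
    return response


def revoke(token, token_type_hint=None):
    """Model of the RFC 7009 /revoke endpoint; returns the HTTP status.

    RFC 7009 section 2.2: the server answers 200 when the token was revoked
    and also when the client submitted an invalid token, so a caller cannot
    use /revoke to probe whether a token value exists.
    """
    token_type, record, _ = find_token(token, token_type_hint)
    if record is not None:
        del TOKENS[token_type][token]
    return 200


if __name__ == "__main__":
    # Wrong hint: found anyway, but it cost a second probe.
    print(find_token("at-111", "refresh_token"))
    print(introspect("at-111", "refresh_token", now=1000))
    print(revoke("no-such-token"))          # 200 even though nothing existed
```

Seen from the caller's side this is exactly the behaviour described in the question: the hint changes the server's work, not the answer, so a client that sends the wrong hint still gets a valid introspection result and still gets 200 from /revoke.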