
revoke_token fails with 'ReferenceTokenStore is not supported in Identity' #360

@diellezag

Description


SDK version

11.0.0

Steps to reproduce

Call xero_client.revoke_token(token_set) with a valid token set containing a refresh token.

Expected behavior

Token is revoked, 200 response with empty body.

Actual behavior

Xero's identity server returns a 500 Internal Server Error:

{
  "title": "Internal Server Error",
  "status": 500,
  "detail": "ReferenceTokenStore is not supported in Identity"
}

Root cause

The revoke_token method in api_client.rb does not include token_type_hint in the POST body:

def revoke_token(token_set)
  token_set = token_set.with_indifferent_access
  data = {
    token: token_set[:refresh_token]
  }
  return token_request(data, '/revocation')
end

Without token_type_hint=refresh_token, Xero's identity server attempts to look up the opaque refresh token as a reference token, hits an unsupported code path, and returns a 500.

Suggested fix

Add token_type_hint to the revocation request data:

def revoke_token(token_set)
  token_set = token_set.with_indifferent_access
  data = {
    token: token_set[:refresh_token],
    token_type_hint: 'refresh_token'
  }
  return token_request(data, '/revocation')
end

This follows the OAuth 2.0 Token Revocation spec (RFC 7009), which recommends including token_type_hint so the server can optimize its token lookup.

Workaround

Call the revocation endpoint directly with token_type_hint:

require 'net/http'
require 'uri'

uri = URI.parse("https://identity.xero.com/connect/revocation")
request = Net::HTTP::Post.new(uri)
request.basic_auth(ENV['XERO_CLIENT_ID'], ENV['XERO_CLIENT_SECRET'])
# refresh_token is the refresh token from the token set being revoked
request.set_form_data("token" => refresh_token, "token_type_hint" => "refresh_token")
response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http| http.request(request) }
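An added example, not part of this issue or the xero-ruby SDK: a small revocation helper in the spirit of the suggested fix that always sends token_type_hint and treats only a 200 as a successful revocation, as RFC 7009 section 2.2 defines it. The function names, the use of Net::HTTP directly, and the constructed token values in the comments are assumptions.

```ruby
require 'net/http'
require 'uri'

# Assumed endpoint, taken from the workaround above.
REVOCATION_ENDPOINT = URI.parse('https://identity.xero.com/connect/revocation').freeze

# Build an RFC 7009 revocation request. token_type_hint is always sent and
# matches the token actually being revoked, so the server can skip the
# reference-token lookup that produces the 500 described in this issue.
def build_revocation_request(token_set, client_id:, client_secret:,
                             kind: :refresh_token, endpoint: REVOCATION_ENDPOINT)
  token_set = token_set.transform_keys(&:to_sym)
  token = token_set[kind]
  raise ArgumentError, "token_set has no #{kind}" if token.nil? || token.empty?

  request = Net::HTTP::Post.new(endpoint)
  request.basic_auth(client_id, client_secret)
  request.set_form_data('token' => token, 'token_type_hint' => kind.to_s)
  request
end

# Decode the form body back into a hash, so the outgoing fields can be
# inspected (or unit-tested) without sending anything.
def revocation_form_fields(request)
  URI.decode_www_form(request.body).to_h
end

# RFC 7009 s2.2: 200 means the token is now revoked or was already invalid.
# Any other status, including Xero's 500, means the token may still be live.
def revocation_succeeded?(response)
  response.code.to_i == 200
end

# End-to-end call; raises so a failed revocation is never silently ignored.
def revoke!(token_set, client_id:, client_secret:)
  request = build_revocation_request(token_set, client_id: client_id, client_secret: client_secret)
  response = Net::HTTP.start(request.uri.hostname, request.uri.port, use_ssl: true) do |http|
    http.request(request)
  end
  return true if revocation_succeeded?(response)

  raise "revocation failed: HTTP #{response.code} #{response.body}"
end
```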
