/oauth/revoke must also remove cookie from the request

[mrioan]

When a request to /oauth/revoke is received, if access_token cookie is present in the request then it should also be removed from there.

[mraible]

Steps to reproduce:

1. Login using the following command:

   http -f POST  localhost:8080/oauth/token grant_type=password username=XXX password=XXX
   

2. This will set cookies as specified by the Set-Cookie header.

   Set-Cookie: access_token=eyJraWQiOiI3NzlGNExQTUtPS0xRUzk3Ulc5R1dRWjU4Iiwic3R0IjoiYWNjZXNzIiwiYWxnIjoiSFMyNTYifQ.eyJqdGkiOiIxNG16cHV3bk5Na3R2NTdhblljeHFPIiwiaWF0IjoxNDg3MDIxMjEzLCJpc3MiOiJodHRwczovL2FwaS5zdG9ybXBhdGguY29tL3YxL2FwcGxpY2F0aW9ucy8xdTRzb3R1YUllbUQ1TW9MRXVIVFlvIiwic3ViIjoiaHR0cHM6Ly9hcGkuc3Rvcm1wYXRoLmNvbS92MS9hY2NvdW50cy8xZDg5dXI0b2tTU2pKZVFsMTc0ejFHIiwiZXhwIjoxNDg3MDIxMjQzLCJydGkiOiIxNG16cHJjaVNtUnZJRzFqYklsaEVLIn0.iIkC81Q23LVracXc6J0G_08bJ1ncvqSTH9lxXbIj3IY;path=/;HttpOnly
   Set-Cookie: refresh_token=eyJraWQiOiI3NzlGNExQTUtPS0xRUzk3Ulc5R1dRWjU4Iiwic3R0IjoicmVmcmVzaCIsImFsZyI6IkhTMjU2In0.eyJqdGkiOiIxNG16cHJjaVNtUnZJRzFqYklsaEVLIiwiaWF0IjoxNDg3MDIxMjEzLCJpc3MiOiJodHRwczovL2FwaS5zdG9ybXBhdGguY29tL3YxL2FwcGxpY2F0aW9ucy8xdTRzb3R1YUllbUQ1TW9MRXVIVFlvIiwic3ViIjoiaHR0cHM6Ly9hcGkuc3Rvcm1wYXRoLmNvbS92MS9hY2NvdW50cy8xZDg5dXI0b2tTU2pKZVFsMTc0ejFHIiwiZXhwIjoxNDkyMjA1MjEzfQ.WXECHJeEermzMTJbm8rOjAPQgJi6qNRMsUzNLr3AMns;path=/;HttpOnly
   

3. Logout by executing the following command, where the token value is the value from the refresh token you received above.

   http -f POST  localhost:8080/oauth/revoke token_type_hint=refresh_token token=eyJraWQiOiI3NzlGNExQTUtPS0xRUzk3Ulc5R1dRWjU4Iiwic3R0IjoicmVmcmVzaCIsImFsZyI6IkhTMjU2In0.eyJqdGkiOiIxNG16cHJjaVNtUnZJRzFqYklsaEVLIiwiaWF0IjoxNDg3MDIxMjEzLCJpc3MiOiJodHRwczovL2FwaS5zdG9ybXBhdGguY29tL3YxL2FwcGxpY2F0aW9ucy8xdTRzb3R1YUllbUQ1TW9MRXVIVFlvIiwic3ViIjoiaHR0cHM6Ly9hcGkuc3Rvcm1wYXRoLmNvbS92MS9hY2NvdW50cy8xZDg5dXI0b2tTU2pKZVFsMTc0ejFHIiwiZXhwIjoxNDkyMjA1MjEzfQ.WXECHJeEermzMTJbm8rOjAPQgJi6qNRMsUzNLr3AMns
   

Current behavior: A Set-Cookie header is returned, but only for JSESSIONID.
Expected behavior: Multiple Set-Cookie headers are returned, expiring the access and refresh tokens.

[edjiang]

These endpoints should NOT be setting or deleting cookies...

https://tools.ietf.org/html/rfc6749
https://tools.ietf.org/html/rfc7009

[lelkun-csgov]

I agree with the latest suggestion: when a request to /oauth/revoke is received and if access_token and refresh_token cookies are present in the request then both should wiped by the response.