Tags: api, auth_error, ai_generated, partial
OAuth2 error: invalid_token_type_hint
ID: api/oauth2-invalid-token-type-hint
80% fix rate
84% confidence
Evidence count: 1
First seen: 2024-01-10
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| OAuth 2.0 RFC 7009 | active | — | — | — |
| Keycloak 23.0.0 | active | — | — | — |
| Auth0 (2024) | active | — | — | — |
| Okta 2024.01.0 | active | — | — | — |
Root cause analysis
The authorization server does not recognize the token_type_hint parameter sent in the token revocation or introspection request, usually because the value is misspelled or is one the server does not support.
Official documentation
https://tools.ietf.org/html/rfc7009#section-2.1

Solutions
- Ensure the token_type_hint parameter uses one of the standard values, 'access_token' or 'refresh_token'. Example (note the blank line that separates the headers from the form-encoded body):

```http
POST /revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded

token=abc123&token_type_hint=access_token
```

- Check the authorization server's documentation for the token type hints it supports. For Keycloak, also try 'id_token' if you are using OpenID Connect.
- If unsure, omit the token_type_hint parameter and let the server infer the token type. Some servers (e.g., Auth0) handle this gracefully.
Ineffective attempts
Common but ineffective approaches:
- 60% failure rate: Some servers require the hint for revocation; without it, the request may fail or return an error.
- 80% failure rate: The server only recognizes the standard token type hints; custom values are rejected.
- 70% failure rate: OAuth2 token revocation endpoints typically expect the application/x-www-form-urlencoded format, not JSON.