From dddc568580948d9c6dafc008dd51112b443539cd Mon Sep 17 00:00:00 2001 From: Sasa Rosic <4981860+srook@users.noreply.github.com> Date: Mon, 4 Aug 2025 14:01:08 +0200 Subject: [PATCH] Support revocation with URL-encoded parameters --- .rubocop_gradual.lock | 2 +- lib/oauth2/client.rb | 6 +++--- spec/oauth2/client_spec.rb | 27 ++++++++++++++++++++------- 3 files changed, 24 insertions(+), 11 deletions(-) diff --git a/.rubocop_gradual.lock b/.rubocop_gradual.lock index 61e72160..e13c27da 100644 --- a/.rubocop_gradual.lock +++ b/.rubocop_gradual.lock @@ -37,7 +37,7 @@ [69, 15, 38, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 1480816240], [79, 13, 23, "RSpec/ContextWording: Context description should match /^when\\b/, /^with\\b/, or /^without\\b/.", 2314399065] ], - "spec/oauth2/client_spec.rb:3334307042": [ + "spec/oauth2/client_spec.rb:292714281": [ [6, 1, 29, "RSpec/SpecFilePathFormat: Spec path should end with `o_auth2/client*_spec.rb`.", 439549885], [175, 7, 492, "RSpec/NoExpectationExample: No expectation found in this example.", 1272021224], [194, 7, 592, "RSpec/NoExpectationExample: No expectation found in this example.", 3428877205], diff --git a/lib/oauth2/client.rb b/lib/oauth2/client.rb index 41d97338..193e95c4 100644 --- a/lib/oauth2/client.rb +++ b/lib/oauth2/client.rb @@ -256,10 +256,10 @@ def get_token(params, access_token_opts = {}, extract_access_token = nil, &block # @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 def revoke_token(token, token_type_hint = nil, params = {}, &block) params[:token_method] ||= :post_with_query_string + params[:token] = token + params[:token_type_hint] = token_type_hint if token_type_hint + req_opts = params_to_req_opts(params) - req_opts[:params] ||= {} - req_opts[:params][:token] = token - req_opts[:params][:token_type_hint] = token_type_hint if token_type_hint request(http_method, revoke_url, req_opts, &block) end 
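Review bot: In lib/oauth2/client.rb, `revoke_token` now writes the token into the hash the caller passed in (`params[:token] = token`), where the old code added it to `req_opts[:params]`; a caller that reuses or logs its params hash afterwards will find the token and the hint in it. Working on a copy avoids that: `params = params.dup` as the first line of the method, before the `||=`. Separately, the default is still `:post_with_query_string`, which, judging by its name and the new spec, sends the token in the URL query rather than in the form-encoded body that RFC 7009 section 2.1 describes, so the token can end up in proxy and server access logs. The docstring, which starts above this hunk, should state that `token_method: :post` sends the token in the request body and that the default does not.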
diff --git a/spec/oauth2/client_spec.rb b/spec/oauth2/client_spec.rb index 545e5259..31590250 100644 --- a/spec/oauth2/client_spec.rb +++ b/spec/oauth2/client_spec.rb @@ -1216,13 +1216,6 @@ def self.contains_token?(hash) }.not_to raise_error end end - - def stubbed_client(params = {}, &stubs) - params = {site: "https://api.example.com"}.merge(params) - OAuth2::Client.new("abc", "def", params) do |builder| - builder.adapter :test, &stubs - end - end end describe "#revoke_token" do @@ -1259,6 +1252,19 @@ def stubbed_client(params = {}, &stubs) }.not_to raise_error end + it "submits params in request body" do + client = stubbed_client do |stub| + stub.post("/oauth/revoke") do |req| + expect(req.body[:token]).to eq(token) + expect(req.params).to be_empty + + [200, {"Content-Type" => "application/json"}, ""] + end + end + + client.revoke_token(token, "access_token", token_method: :post) + end + it "has status 200" do expect(instance.revoke_token(token, nil, extra: "param").status).to eq(200) end @@ -1332,4 +1338,11 @@ def stubbed_client(params = {}, &stubs) expect(subject.inspect).to include("@secret=[FILTERED]") end end + + def stubbed_client(params = {}, &stubs) + params = {site: "https://api.example.com"}.merge(params) + OAuth2::Client.new("abc", "def", params) do |builder| + builder.adapter :test, &stubs + end + end end
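Review bot: In spec/oauth2/client_spec.rb, the new example "submits params in request body" passes "access_token" as the hint but asserts only on `req.body[:token]`, so a regression that drops `token_type_hint` or routes it to the query string would go unnoticed; add `expect(req.body[:token_type_hint]).to eq("access_token")` inside the stub block. All expectations sit inside the stub, so the example itself asserts nothing about the call; checking the result as well, e.g. `expect(client.revoke_token(token, "access_token", token_method: :post).status).to eq(200)`, makes the intent explicit. The stubbed client installs only the test adapter, so the body is presumably still a Hash at this point, and the example does not verify the URL encoding the commit title refers to.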