Public client token cannot be revoked

[kendi223]

The ClientSecretBasicAuthenticationConverter validates both the presence of the client ID and the client secret. Since public clients do not have a client secret, this causes an exception to be thrown, preventing token revocation.

[ashrawan]

we can let public clients revoke tokens by authenticating with their clientId using the “none” auth chain. On the server, we’d look up the token and revoke it only if its stored clientId matches. We’d then return HTTP 200 with an empty body, keeping the token state hidden.

[jgrandja]

This is related to gh-1522. Closing as a duplicate. Please see this comment for further context.