Combination of the default values of uaa.jwt.refresh.format (jwt) and uaa.jwt.revocable (false) results in spec-non-compliance

[peterhaochen47]

Based on OAuth spec, refresh tokens need to be individually revocable.

However, when we leave uaa.jwt.refresh.format (default = jwt) and uaa.jwt.revocable (default = false) to UAA-release's defaults, UAA is not compliant with this requirement.

Though it is okay to have non-spec-compliant config options for backward compatibility reason, the default UAA-release config should be spec-compliant. One solution is to set uaa.jwt.refresh.format's default to opaque. This would require a breaking change.

steps of reproduction

revoking individual refresh token does not work

uaac curl '/oauth/token/revoke/[JWT-REFRESH-TOKEN-ID]-r' -X DELETE -k

=> 404

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/187154671

The labels on this github issue will be updated when the story is started.