openid / AppAuth-JS

JavaScript client SDK for communicating with OAuth 2.0 and OpenID Connect providers.


Can the revocation endpoint be optional?

CMCDragonkai opened this issue · comments

I noticed that the revocation_endpoint wasn't an optional property of AuthorizationServiceConfigurationJson.

GitHub for example does have a revocation endpoint described here: https://docs.github.com/en/rest/reference/apps#delete-an-app-authorization

However, that doesn't work the way that AppAuth expects.

The revoke token request in AppAuth is:

```typescript
  performRevokeTokenRequest(
      configuration: AuthorizationServiceConfiguration,
      request: RevokeTokenRequest): Promise<boolean> {
    // Always POSTs a form-encoded body to configuration.revocationEndpoint (RFC 7009 style)
    let revokeTokenResponse = this.requestor.xhr<boolean>({
      url: configuration.revocationEndpoint,
      method: 'POST',
      headers: {'Content-Type': 'application/x-www-form-urlencoded'},
      data: this.utils.stringify(request.toStringMap())
    });

    // Any non-error response is treated as a successful revocation
    return revokeTokenResponse.then(response => {
      return true;
    });
  }
```

That sends a POST request, but GitHub expects a DELETE request.

So perhaps not all providers have a proper revocation system? Maybe this is from an openid standard that not all services have abided by yet.
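An added example (not AppAuth-JS code) of what an optional, provider-aware revoke helper could look like: the RFC 7009 form-encoded POST beside GitHub's DELETE-based call from the linked docs, returning false when a provider exposes no revocation endpoint at all. `requestor` is assumed to be any function taking `{url, method, headers, data}` and returning a Promise, a loose stand-in for AppAuth's `requestor.xhr`; the GitHub path and auth scheme are as documented there, so verify them against the current docs before relying on them.

```javascript
// Added example, not AppAuth-JS code. Request builders are kept pure so they
// can be inspected and tested without any network access.

// RFC 7009: POST the token (plus optional token_type_hint) as a form body.
// Returns null when the provider's metadata carries no revocation_endpoint.
function buildRfc7009Request(config, params) {
  if (!config.revocationEndpoint) return null;
  const body = new URLSearchParams({ token: params.token, client_id: params.clientId });
  if (params.tokenTypeHint) body.set('token_type_hint', params.tokenTypeHint);
  if (params.clientSecret) body.set('client_secret', params.clientSecret);
  return {
    url: config.revocationEndpoint,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    data: body.toString(),
  };
}

// GitHub (per the docs linked in the issue): DELETE /applications/{client_id}/grant,
// HTTP Basic auth with client_id:client_secret, JSON body carrying the token.
// Note this needs the client secret, so it is only usable from a confidential
// (server-side) client, never from a browser or native public client.
function buildGitHubRevokeRequest(params) {
  const basic = Buffer.from(`${params.clientId}:${params.clientSecret}`).toString('base64');
  return {
    url: `https://api.github.com/applications/${encodeURIComponent(params.clientId)}/grant`,
    method: 'DELETE',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/json',
    },
    data: JSON.stringify({ access_token: params.token }),
  };
}

// Picks the wire format by provider. Resolves false when nothing can be sent,
// so the caller can still clear local state without assuming the token is dead.
async function revokeToken(requestor, config, params, provider = 'rfc7009') {
  const req = provider === 'github'
      ? buildGitHubRevokeRequest(params)
      : buildRfc7009Request(config, params);
  if (!req) return false;
  await requestor(req);
  return true;
}
```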

GitHub's token revocation endpoint is not strictly to the spec. Unfortunately this is very common.