Description
The OAuth 2.0 Token Revocation spec states that when revoking a token, "the client also includes its authentication credentials as described in Section 2.3. of [RFC6749]".
The spec's example request for revocation looks like this:
```
POST /revoke HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
```
Note the HTTP Basic authentication, not Bearer. The spec goes on to say that the authorization server "first validates the client credentials (in case of a confidential client) and then verifies whether the token was issued to the client making the revocation request. If this validation fails, the request is refused and the client is informed of the error by the authorization server as described below".
It appears as though Doorkeeper instead authorizes the request using HTTP Bearer with an access token, even though a code comment seems to imply otherwise.
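The two checks the spec describes for a confidential client, written out as an added example (this is not Doorkeeper's code or part of the original report). The `CLIENTS` and `TOKENS` tables, the method names and the returned symbols are hypothetical; the client and token values are taken from the spec's example request above.

```ruby
require "openssl"

# Constructed sample data; the layout is hypothetical, not Doorkeeper's schema.
CLIENTS = { "s6BhdRkqt3" => "gX1fBat3bV", "other-client" => "other-secret" }.freeze
TOKENS  = {
  "45ghiukldjahdnhzdauz" => { client_id: "s6BhdRkqt3", revoked: false }
}

# Parse "Authorization: Basic ..." and return the client_id when the secret
# matches. Any other scheme (including Bearer) is not client authentication.
def authenticate_client(authorization)
  scheme, encoded = authorization.to_s.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && encoded

  client_id, secret = encoded.unpack1("m0").split(":", 2) # strict base64
  expected = CLIENTS[client_id]
  return nil unless expected && secret

  # Constant-time comparison of the presented secret.
  OpenSSL.secure_compare(expected, secret) ? client_id : nil
rescue ArgumentError # malformed base64
  nil
end

def revoke(authorization, params)
  # Step 1: validate the client credentials.
  client_id = authenticate_client(authorization)
  return :invalid_client unless client_id

  token = TOKENS[params["token"]]
  # An unknown token is not an error for an authenticated client.
  return :ok if token.nil?

  # Step 2: the token must have been issued to the authenticated client.
  return :refused unless token[:client_id] == client_id

  token[:revoked] = true
  :ok
end
```

With this logic, a request that presents only `Authorization: Bearer <access token>` fails step 1, because the bearer token identifies a grant rather than authenticating the client.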