Description:
I'm generating an OAuth2 password grant access token using the client ID and client secret of my service provider in WSO2 API Manager. The service provider is auto-generated for the application through which I subscribed to my API in the WSO2 developer portal. I'm able to access my API using that access token. But when I try to revoke the access token, I get HTTP 200 and the response shows the revoked access token and the revoked refresh token. Yet the token still works, which should not happen. After revoking the token, an API call using that token in the header should respond with "Invalid credentials".
command I'm using to generate my access token:
curl -u Client-Id:Client-Secret -k -d "grant_type=password&username=user&password=userpassword" -H "Content-Type:application/x-www-form-urlencoded" https://my-domain:8243/token
NOTE: Here I replaced Client-Id, Client-Secret, user, userpassword, and my-domain with the actual values.
OUTPUT:
{
"access_token": "access-token",
"refresh_token": "refresh-token",
"scope": "default",
"token_type": "Bearer",
"expires_in": 3600
}
I'm consuming my API through the WSO2 developer portal using the Try_Out option for APIs in the devportal.
Command to revoke access token:
curl -u Client-Id:Client-Secret -k -v -d "token=access-token" -H "Content-Type: application/x-www-form-urlencoded" https://my-domain:8243/revoke
NOTE: Here I replaced Client-Id, Client-Secret, access-token, and my-domain with the actual values.
OUTPUT:
* Trying my-domain...
* TCP_NODELAY set
* Connected to my-domain (my-domain) port 8243 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=CA; L=Mountain View; O=WSO2; OU=WSO2; CN=localhost
* start date: Oct 23 07:30:43 2019 GMT
* expire date: Jan 25 07:30:43 2022 GMT
* issuer: C=US; ST=CA; L=Mountain View; O=WSO2; OU=WSO2; CN=localhost
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Server auth using Basic with user 'uovufrsBHEv8KTUVtVYpWLUuYz8a'
> POST /revoke HTTP/1.1
> Host: my-domain:8243
> Authorization: Basic base64(Client-Id:Client-Secret)
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 1417
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200
< X-Frame-Options: DENY
< RevokedRefreshToken: refresh-token
< Cache-Control: no-store
< X-Content-Type-Options: nosniff
< AuthorizedUser: admin@carbon.super
< Pragma: no-cache
< RevokedAccessToken: access-token
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html
< Date: Fri, 29 May 2020 17:30:08 GMT
< Transfer-Encoding: chunked
<
* Connection #0 to host my-domain left intact
Here the RevokedAccessToken header shows the correct token. But even after this, I'm able to access my API using this access token in the WSO2 developer portal via the Try_Out option for the API.
Can someone please suggest what I am missing or doing wrong? And also, is there another way to revoke the access token such that, after revocation, the access token is no longer valid?
NOTE: I only made change in my deployment.toml file: I uncommented the [[apim.token.revocation]] block.
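The revoke-then-verify flow from this question, written out as a self-contained script. This is an added example, not code from the original post or from WSO2. It issues the same /token and /revoke requests shown above, then calls the API directly with the exact token that was just revoked, rather than through the devportal Try_Out, so the check is made with that token and nothing else. Everything in it is a placeholder or assumption: the gateway host, client credentials, user, the API context /myapi/1.0.0/resource, and the expectation that the gateway answers 401 for a token it no longer accepts. The -k flag is kept only because the post's gateway presents a self-signed CN=localhost certificate; set CURL_TLS="--cacert gateway-ca.pem" instead once the gateway CA is available.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or WSO2): generate a token,
# revoke it, then call the API directly with the revoked token and report
# what the gateway answered. All names below are placeholders/assumptions.

GATEWAY="${GATEWAY:-https://my-domain:8243}"
CLIENT_ID="${CLIENT_ID:-Client-Id}"
CLIENT_SECRET="${CLIENT_SECRET:-Client-Secret}"
API_USER="${API_USER:-user}"
API_PASS="${API_PASS:-userpassword}"
API_PATH="${API_PATH:-/myapi/1.0.0/resource}"   # assumed API context + resource
# -k only because the post's gateway uses a self-signed cert; prefer
# CURL_TLS="--cacert gateway-ca.pem" when the gateway CA is at hand.
CURL_TLS="${CURL_TLS:--k}"

# extract_json_field <field>: pull one string value out of a flat JSON object
# read from stdin (enough for the /token response shown in the post, no jq).
extract_json_field() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# classify_status <http-code>: meaning of the API call's status after revoke.
# Assumption: the gateway rejects an unknown/revoked token with 401.
classify_status() {
    case "$1" in
        401) echo "revoked" ;;
        200) echo "still_valid" ;;
        *)   echo "unexpected" ;;   # includes 000 = curl could not connect
    esac
}

# Password grant, exactly as in the post; prints only the access token.
get_token() {
    curl -s $CURL_TLS -u "$CLIENT_ID:$CLIENT_SECRET" \
        -d "grant_type=password&username=$API_USER&password=$API_PASS" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        "$GATEWAY/token" | extract_json_field access_token
}

# Revoke, as in the post; -D - dumps response headers so the
# RevokedAccessToken header from the post is visible.
revoke_token() {
    curl -s $CURL_TLS -u "$CLIENT_ID:$CLIENT_SECRET" \
        -d "token=$1" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -D - -o /dev/null "$GATEWAY/revoke"
}

# Call the API with a bearer token and print only the HTTP status code.
call_api_status() {
    curl -s $CURL_TLS -o /dev/null -w '%{http_code}' \
        -H "Authorization: Bearer $1" "$GATEWAY$API_PATH"
}

# End-to-end: token works before revoke, must be rejected after it.
# Returns 0 only when the post-revoke call is classified as "revoked".
revoke_and_verify() {
    local token before after
    token=$(get_token)
    [ -n "$token" ] || { echo "no access_token in /token response" >&2; return 1; }
    before=$(call_api_status "$token")
    revoke_token "$token" | grep -i '^RevokedAccessToken:'
    after=$(call_api_status "$token")
    echo "before revoke: $before ($(classify_status "$before"))"
    echo "after revoke:  $after ($(classify_status "$after"))"
    [ "$(classify_status "$after")" = revoked ]
}

# Only talk to the gateway when explicitly asked, so the helpers can be
# sourced and tested without network access.
if [ "${RUN_E2E:-0}" = 1 ]; then
    revoke_and_verify
fi
```

Run it against a live gateway with RUN_E2E=1 GATEWAY=https://host:8243 CLIENT_ID=... CLIENT_SECRET=... ./revoke_check.sh; a non-zero exit means the revoked token was still accepted by the gateway on a direct call, independent of whatever the devportal Try_Out does.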