The TokenService attempts to inform the caller whether a token invalidation was "created". "created":true is intended to imply that the token was previously valid but is now invalid. false indicates that token was already invalid.

However, this doesn't work, and the API already returns true.

https://github.com/elastic/elasticsearch/blob/v6.4.2/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java#L589-L600

There's 2 issues:

• The UpdateRequest never requests the source, so updateResponse.getGetResult() is always null.
• Even if we did, the GetResult is the updated source, not the original source, so invalidated will always be true (because we just set it).