CA API Management: Revoked OAuth Token is still valid

Document ID : KB000073528
Last Modified Date : 15/03/2018
After revoking an OAuth 2.0 access token you are still able to use the token to access an OAuth protected resource on the Gateway.

This shows up when a valid access token has been used to call a protected resource, the token is then revoked, and the same resource is called again with the same token: the second call still succeeds, even though OAuth Manager shows the token as revoked.
The cause is almost always the Gateway's token validation cache rather than a failure to revoke.
The 'OTK Require OAuth 2.0 Token' assertion requires a cache period, and it caches the result of validating a token for that many seconds. A token that was accepted once is not checked against the token database again until its cache entry expires, so a revoked token continues to be accepted for up to the configured cache period after the Gateway last verified it. Lowering the cache period shortens this window and makes revocation take effect sooner, but every cache miss is a database lookup: a very low value, for example 1 second, means the token database is queried on almost every request, at a cost in throughput. Choose the value as the longest revocation delay you can accept for that resource, and keep it short relative to the access token lifetime.
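The trade-off above can be made concrete with a small simulation. The following is an added example, not CA/Broadcom code and not the Gateway's actual cache implementation: it models a token store with a revocation flag and a validator that caches each lookup result for a fixed cache period (assumed to run from the time of the last database check), then replays a client calling once per second while the token is revoked at t=1. The token name and timings are constructed sample data.

```python
"""Model of a cached OAuth token check in front of a token database.

Added example, not Gateway or OTK code. It assumes a fixed-TTL cache keyed by
access token, measured from the last database lookup, which is one plausible
reading of the 'cache period' setting described above.
"""


class TokenStore:
    """Stands in for the OTK token database; counts lookups so the cost of a
    short cache period is visible."""

    def __init__(self):
        self.tokens = {}  # access_token -> {"expires_at": float, "revoked": bool}
        self.lookups = 0

    def issue(self, token, lifetime, now):
        self.tokens[token] = {"expires_at": now + lifetime, "revoked": False}

    def revoke(self, token):
        if token in self.tokens:
            self.tokens[token]["revoked"] = True

    def is_valid(self, token, now):
        self.lookups += 1
        rec = self.tokens.get(token)
        return rec is not None and not rec["revoked"] and now < rec["expires_at"]


class CachingValidator:
    """Hypothetical model of the 'OTK Require OAuth 2.0 Token' cache: the
    result of a lookup is reused for `cache_period` seconds."""

    def __init__(self, store, cache_period):
        self.store = store
        self.cache_period = cache_period
        self.cache = {}  # token -> (valid, time_of_lookup)

    def require_token(self, token, now):
        entry = self.cache.get(token)
        if entry is not None and now - entry[1] < self.cache_period:
            return entry[0]  # served from cache, database not consulted
        valid = self.store.is_valid(token, now)
        self.cache[token] = (valid, now)
        return valid


def simulate(cache_period, revoke_at=1.0, duration=60.0, step=1.0):
    """Issue a token, call the resource every `step` seconds, revoke the token
    at `revoke_at`, and return (time of first rejection, database lookups)."""
    store = TokenStore()
    gateway = CachingValidator(store, cache_period)
    token = "tok_example"  # constructed sample token
    store.issue(token, lifetime=3600.0, now=0.0)

    first_rejected_at = None
    t = 0.0
    while t <= duration:
        if t >= revoke_at and not store.tokens[token]["revoked"]:
            store.revoke(token)  # revocation takes effect in the database immediately
        accepted = gateway.require_token(token, t)
        if not accepted and first_rejected_at is None:
            first_rejected_at = t
        t += step
    return first_rejected_at, store.lookups


if __name__ == "__main__":
    print("cache_period  first_rejected_at  db_lookups_in_60s")
    for period in (1, 10, 30):
        rejected_at, lookups = simulate(period)
        print(f"{period:>12}  {rejected_at:>17}  {lookups:>17}")
```

With a 10-second cache period the revoked token is still accepted until t=10 and the database is consulted 7 times over the minute; with a 1-second period it is rejected at t=1 but every one of the 61 calls hits the database. The revocation delay is bounded by the cache period, and the database load grows in inverse proportion to it, which is the trade-off the assertion setting exposes.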

[Screenshot: the 'Token cache period' field of the OTK Require OAuth 2.0 Token assertion]