In my opinion the right behavior would be either:
1) Fail explicitly (DCHECK that tokens are loaded)
2) Or RevokeCredentials should internally wait for tokens to be loaded and then revoke the token.

I would be in favor of (2), since this function is already asynchronous.

CC blundell because this may be in scope for the identity service work.