Token revocation not following the OAuth 2.0 spec #1310

Closed
C-Collamar opened this issue Jun 30, 2020 · 5 comments

Comments

@C-Collamar

Hi! I'm trying to connect my password-grant client to my Passport-enabled server. For that, I use a client library that happens to strictly follow the 2.0 spec. Everything's doing well up until I try to revoke the access token. It seems it requires my authorization server to follow the standard on revoking tokens.

Does Passport have a way for dealing with this that I'm not aware of? I don't want to resort to monkey-patching the client or server for this as much as possible.

@driesvints
Member

We'll need a lot more info here. How are you revoking them? What's happening? What are you expecting to happen? Please share some code.

@C-Collamar
Author

C-Collamar commented Jul 2, 2020

To revoke a token according to the spec, the client must POST to the revocation endpoint an application/x-www-form-urlencoded-formatted body containing a token and an optional token_type_hint.

The client constructs the request by including the following parameters using the "application/x-www-form-urlencoded" format in the HTTP request entity-body:

token REQUIRED. The token that the client wants to get revoked.

token_type_hint OPTIONAL. A hint about the type of the token submitted for revocation. Clients MAY pass this parameter in order to help the authorization server to optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. This specification defines two such values:

 * access_token: An access token as defined in [RFC6749], Section 1.4
 * refresh_token: A refresh token as defined in [RFC6749], Section 1.5

As far as I know, here's how the Passport API allows revoking of access tokens:

DELETE /oauth/tokens/{{access_token}} HTTP/2
Host: server.example.com
Authorization: Bearer <token>

If it were spec-compliant, which I was hoping for, it should look more or less like this:

POST /oauth/tokens HTTP/2
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer <token>

token=<token>
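
For reference, here is what the server side of that POST looks like when it follows the quoted RFC 7009 rules (hint is optional, lookup must fall back across all token types when the hint misses). This is an added illustration, not Passport's or oauth2-server's code; the in-memory token stores, client ids and the `handle_revocation` function are constructed for the example, and client authentication is assumed to have happened already.

```python
from urllib.parse import parse_qs

# Constructed in-memory token stores for this example (not Passport's tables).
TOKEN_STORES = {
    "access_token": {
        "acc-111": {"client_id": "client-a", "revoked": False},
        "acc-333": {"client_id": "client-b", "revoked": False},
    },
    "refresh_token": {
        "ref-222": {"client_id": "client-a", "revoked": False},
    },
}


def handle_revocation(body: str, client_id: str) -> tuple:
    """Handle a POST to the revocation endpoint from an already authenticated client.

    `body` is the raw application/x-www-form-urlencoded entity-body and
    `client_id` the identity established by client authentication.
    Returns (HTTP status, JSON error payload or None).
    """
    params = parse_qs(body, keep_blank_values=True)
    token = params.get("token", [""])[0]
    if not token:
        # "token" is REQUIRED (RFC 7009 section 2.1); RFC 6749 5.2 error code.
        return 400, {"error": "invalid_request"}

    hint = params.get("token_type_hint", [None])[0]
    if hint is not None and hint not in TOKEN_STORES:
        # Hint names a token type this server does not issue (RFC 7009 section 2.2.1).
        return 400, {"error": "unsupported_token_type"}

    # Look in the hinted store first; when the token is not there the server
    # MUST extend the search across all supported token types.
    search_order = ([hint] if hint else []) + [t for t in TOKEN_STORES if t != hint]
    for token_type in search_order:
        record = TOKEN_STORES[token_type].get(token)
        if record is None:
            continue
        if record["client_id"] != client_id:
            # Token was issued to another client: refuse (RFC 7009 section 2.1).
            # The specific error code used here is this example's choice.
            return 400, {"error": "invalid_request"}
        record["revoked"] = True
        return 200, None

    # Unknown token: RFC 7009 section 2.2 still requires 200, so a client
    # cannot use the endpoint to probe which tokens exist.
    return 200, None
```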

@Sephster
Contributor

Sephster commented Jul 2, 2020

This spec isn't in oauth server yet, but is on the cards. Device code grant first, then this.

@driesvints
Member

Gonna mark this as a feature request then and wait for oauth2 server to implement it first. Thanks @Sephster!

@driesvints
Member

I'm guessing thephpleague/oauth2-server#995 implements this.

Closing this until OAuth2 has implemented support first.
