
revoke requires Authorization in header #70

Closed
cribcutkiran opened this Issue Mar 10, 2018 · 11 comments


cribcutkiran commented Mar 10, 2018

According to the OAuth spec (https://tools.ietf.org/html/rfc7009), token revocation requires an Authentication header, but it is not being added:

return await fetch(revocationEndpoint, {

Using sendClientId=true, doesn't help since it is added to the body and not to the header. I have been unable to get revoke() to work with Okta, and I suspect this is why.
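An added example, not code from react-native-app-auth or from the comment above, showing what a spec-conformant revocation request looks like. RFC 7009 section 2.1 says the client sends `token` (plus an optional `token_type_hint`) and authenticates as described in RFC 6749 section 2.3, which permits either HTTP Basic credentials in the Authorization header or `client_id`/`client_secret` in the form body, while a public client (a native app with no secret) only identifies itself with `client_id` in the body. The endpoint URL, client_id, secret and token values below are constructed placeholders, and `fetchImpl` is injectable so the request can be exercised without a network.

```javascript
// Added example, not code from react-native-app-auth or from the issue.
// Builds the RFC 7009 revocation request with the client authentication that
// RFC 6749 section 2.3 allows, and classifies the response. Endpoint,
// client_id, secret and token values used here are constructed placeholders.

// RFC 6749 section 2.3.1: client_id and client_secret are each
// form-urlencoded, joined with ":", then base64-encoded for the Basic scheme.
function basicAuthHeader(clientId, clientSecret) {
  const pair = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// clientAuthMethod:
//   'basic' - confidential client, credentials in the Authorization header
//   'post'  - confidential client, credentials in the form body
//   'none'  - public client (mobile app): only client_id, in the body
function buildRevocationRequest({
  revocationEndpoint,
  token,
  tokenTypeHint,            // optional: 'access_token' | 'refresh_token'
  clientId,
  clientSecret,             // omit for a public client
  clientAuthMethod = 'basic',
}) {
  if (!token) throw new Error('token is required');
  const body = new URLSearchParams();
  body.set('token', token);
  if (tokenTypeHint) body.set('token_type_hint', tokenTypeHint);

  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };

  switch (clientAuthMethod) {
    case 'basic':
      if (!clientSecret) throw new Error("'basic' needs a client secret");
      headers.Authorization = basicAuthHeader(clientId, clientSecret);
      break;
    case 'post':
      if (!clientSecret) throw new Error("'post' needs a client secret");
      body.set('client_id', clientId);
      body.set('client_secret', clientSecret);
      break;
    case 'none':
      // Public client: it can identify itself but cannot authenticate.
      body.set('client_id', clientId);
      break;
    default:
      throw new Error(`unknown clientAuthMethod: ${clientAuthMethod}`);
  }

  return { method: 'POST', url: revocationEndpoint, headers, body: body.toString() };
}

// RFC 7009 section 2.2: 200 is returned both when the token was revoked and
// when the client submitted a token that was already invalid, so a 200 alone
// does not prove anything was revoked. 400 (unsupported_token_type) is the
// one error RFC 7009 defines; 401 is the RFC 6749 invalid_client response;
// 503 means the server could not process the request and the client may retry.
function classifyRevocationResponse(status) {
  switch (status) {
    case 200: return 'revoked-or-already-invalid';
    case 400: return 'rejected';
    case 401: return 'client-authentication-failed';
    case 503: return 'retry-later';
    default:  return `unexpected-${status}`;
  }
}

// fetchImpl is injectable so the request can be exercised without a network.
async function revokeToken(params, fetchImpl = globalThis.fetch) {
  const req = buildRevocationRequest(params);
  const res = await fetchImpl(req.url, {
    method: req.method,
    headers: req.headers,
    body: req.body,
  });
  return classifyRevocationResponse(res.status);
}
```

For a native app registered as a public client, the `'none'` shape (client_id in the body, no Authorization header) is what the spec calls for. Because RFC 7009 returns 200 for an already-invalid token as well as a freshly revoked one, a 200 only shows the server accepted the request; to confirm revocation, introspect the token (RFC 7662) and check that `active` is false, or present it to a protected resource and expect a rejection.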

jevakallio (Member) commented Mar 12, 2018

Thanks for this issue. The team is a little busy this week. If you end up fixing this yourself, would ❤️ a PR!

mraible (Contributor) commented Mar 15, 2018

I can confirm that this is an issue.

tgearig commented Jun 26, 2018

Is there an update on this issue? It's still a problem. Is it slated to be addressed in the near future?

kadikraman (Member) commented Jun 27, 2018

What makes you think it's not working? Calling the /revoke endpoint returns a 200 OK.

I've just created an Okta dev account and tried this. I get 200 OK as a result from Okta, and the following in the Okta console:

[screenshot: Okta console, 2018-06-27]

Closing as I don't think it's an issue, but please reopen with steps to reproduce if you think it is.

@kadikraman kadikraman closed this Jun 27, 2018

mraible (Contributor) commented Sep 28, 2018

Is /revoke supposed to fully log you out of the IdP? If so, it's not working because when I go back to the app after logging out and click "Authorize" again, I'm not prompted to log in. I know this is how SSO is supposed to work, but I expected /revoke to cause it so I have to log in again.

kadikraman (Member) commented Oct 4, 2018

@mraible I guess you're referring to the credentials saved in the authentication session in the browser.

A workaround for this is to add

additionalParameters: {
  prompt: 'login'
}

to your config, which will always prompt the user to log in.

mrsteveheyes commented Oct 12, 2018

From my understanding, 'prompt' doesn't work with Android. Is there a solution for this? Because I can't currently have a sign out on my app as it always just signs you straight back in when authorise is called because a cookie is set in the browser.

kadikraman (Member) commented Oct 12, 2018

@mrsteveheyes It should work on Android. See this comment from AppAuth-Android that explains it in detail.

mrsteveheyes commented Oct 12, 2018

🤔 Hmmm. So here is my setup and what I'm expecting to happen:

• I have an RN Android app signing in via OAuth to a Rails app using Doorkeeper with Devise.
• I expect that whenever I call authorize in my RN Android app with prompt:'login' in the config (under additionalParameters), it should always bring up a form for me to sign into.
• Currently it just brings up the CustomTab view, loads a game and then goes straight onto the screen it should be redirected to; thus logging me in.

I hope that makes sense.

kadikraman (Member) commented Oct 12, 2018

@mrsteveheyes under the hood, all we do is add it to the URL params, i.e.

<base_url>/authorize?<other_params>&prompt=login

And it's up to the authentication server to implement it. I'm not really familiar with your setup, so it's possible that your auth server has no implementation for it, since it's optional in the spec.

mrsteveheyes commented Oct 12, 2018

Great, thanks for outlining this. I'll check my setup, but I'm not sure it will do that. I may be able to make it do that somehow though...
