This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

TokenRevocation BadRequest invalid_client #133

Closed
Condor2708 opened this issue Oct 7, 2016 · 17 comments
Comments

@Condor2708

Recent version Version 1.2.0 throws me Error 400: BadRequest invalid_client

@brockallen
Member

This might have been due to the recent addition of the revocation of tokens. Do you use reference tokens?

@Condor2708
Author

Yes, I am using reference tokens

@brockallen
Member

brockallen commented Oct 20, 2016

Ok... I'll see if it makes sense to default to false and add a setting to enable this. Also, what IdP/OP are you using?

@Condor2708
Author

I am using IdentityServer3 (2.5.4)

@brockallen brockallen added bug and removed question labels Oct 20, 2016
@brockallen
Member

brockallen commented Oct 20, 2016

Ok, fixed on dev:

I changed the default for the token revocation at signout to false. You can enable it with revokeAccessTokenOnSignout on the settings. If the OP requires a secret, then there's now a client_secret property on the settings.

@brockallen
Member

1.2.1-beta.1 pushed to npm. Please test and let me know. Thanks.

@jochenkluger

Hi,
I tested 1.2.1-beta.1 and the default works as expected, as does setting revokeAccessTokenOnSignout:false explicitly, but setting revokeAccessTokenOnSignout:true and adding client_secret:'****' does not change the result of my test - same behaviour as with revokeAccessTokenOnSignout:false. The reference token is still valid and IdentityServer does not output any log.

@jochenkluger

Here the log output of IdentityServer for the test with revocation enabled.
I only checked the validity of the token in our database; I did not try to access a resource - if it is only disabled in IdentityServer memory, then there should be no problem.

2016-10-21 08:06:01 [Information] "End session request validation success"
"{
"SubjectId": "84356c76-a0e8-4673-8e22-8a15a648a494",
"Raw": {}
}"
2016-10-21 08:06:01 [Information] End end session request
2016-10-21 08:06:01 [Information] Redirecting to logout page
2016-10-21 08:06:01 [Information] Logout prompt for subject: "84356c76-a0e8-4673-8e22-8a15a648a494"
2016-10-21 08:06:01 [Information] EnableSignOutPrompt set to true, rendering logout prompt
2016-10-21 08:06:08 [Information] Logout endpoint submitted
2016-10-21 08:06:08 [Information] Logout requested for subject: "84356c76-a0e8-4673-8e22-8a15a648a494"
2016-10-21 08:06:08 [Information] Clearing cookies
2016-10-21 08:06:08 [Information] rendering logged out page
2016-10-21 08:06:08 [Information] End session callback requested

@brockallen
Member

brockallen commented Oct 21, 2016

Hmm, I tested this all locally and it was working. For me when I made changes, I was getting cached copies of my app.js -- could that be the case for you?

@jochenkluger

Hi,
I looked at it again. I think there is an error on my side or else where.
When I start userManager.signoutRedirect(), I get redirected to the logout page of IdentityServer and I can end the session. But I don't get redirected back - EnablePostSignOutAutoRedirect is activated and the post_logout_redirect_uri is set in the userManager config. Also there is no link to get back. So I have to go back to the main app page manually, and no _userManager.signoutRedirectCallback is triggered. Is the revocation started there?

@jochenkluger

Hi again,
tracking the calls in the browser showed that the id_token_hint is not sent any more. Is there a configuration option to enable this again?

@brockallen
Member

brockallen commented Oct 27, 2016

If the UserManager has a user and an id_token it should be passed.

@jochenkluger

Hi,
sorry for my late response, I didn't get notified.
The UserManager gets the response from identity server and fetches information from the profile endpoint, so user and id_token should be present. Any hint where I could look for further details or a solution?

@brockallen
Member

That info is stored in sessionStore in the browser. Also check the HTTP traffic.

@jochenkluger

jochenkluger commented Nov 7, 2016

Hi,
now I had the time to check this.
In localStorage, there is the following entry:
{"id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.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.E8XHTdpZcscHYtoIzKee92iDHyvS88bdJs9t87pgKSwovYKrGlVnm0IttZItmN-eGScqqEK-Dgo-nF84ANj_jWmIOMyxSVvgZcCJcvfkiy1nb8n40ZGETuIvGf9KlXKSxpbEYOVpA0qmwK6gKrns8iJ7yTwU7MmG8Rn1PoKlylXmhjQwyJDJI-pXmVIuS-1uCBNYa3B3f16jBgdJEQUnULjuoo6wA3KUf8Exu2-8aYV6wvAAZUF6_jG9NL4J-fG2e-mJQAR3TrA-j9NPdJyLXskny-wh_KS2fZxOUG5rc_ICq8YIQXOqqtiHZzqFTdJd0Bct_6OoVYYEFRBDx_BtLQ","session_state":"jpzrJ_Y8L-yxswwhxfO4S_nngBXtTdVpxyEhYQRld1A.124bc2e37088314145518549bdf59c7c","access_token":"5943b4fea6b7dc659b5aa1d4c23838a4","token_type":"Bearer","scope":"FrontendApi openid profile","profile":{"sid":"ecda54e49e83a3e7174377ecd613485d","sub":"68078ee6-9eef-4832-952f-3a9c117264ba","auth_time":1478538361,"idp":"idsrv","name":"Testuser","id":"68078ee6-9eef-4832-952f-3a9c117264ba","uid":"68078ee6-9eef-4832-952f-3a9c117264ba","amr":["password"]},"expires_at":1478538664}

SessionStorage is empty.

Silent renew works fine, but when I want to log out, no id_token_hint is submitted.

These are the HTTP calls:
endsession 302 :8080/vendor.js:38395 492 B 36 ms

logout?id=0a7356782d5ca33c2a77db7a8daa58dc 200 document http://localhost:8082/connect/endsession 3.2 KB 27 ms

styles.min.css 200 stylesheet logout?id=0a7356782d5ca33c2a77db7a8daa58dc:7 (from disk cache) 3 ms

scripts.2.5.0.js 200 script logout?id=0a7356782d5ca33c2a77db7a8daa58dc:45 (from disk cache) 3 ms

endsessioncallback?sid=ecda54e49e83a3e7174377ecd613485d 200 document scripts.2.5.0.js:4 910 B 30 ms

@brockallen
Member

Can you enable logging in IdentityServer and see if there's any info there? Also, it seems you're using localStorage (not sessionStorage) for the user -- this means you must have explicitly changed the default. If you're triggering signout from a different instance of the user manager and its settings then it might not know the user data and id_token to send for signout. Last idea -- can you getUser() right before you signout and check if there's an id_token on the user object?

@jochenkluger

Hi,
I changed the setting to use sessionStorage and ensured that the same instance of the user manager is used. This made no difference.
But your idea with getUser() was the point. In the click event of my Logout Button, the user was removed before the signout redirect was called. Removing the removeUser() call reactivated the submission of the token hint.
Thank you!
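The two points this thread turns on, the revokeAccessTokenOnSignout / client_secret settings from the fix comment and the removeUser()-before-signout mistake found at the end, are modelled below in an added example. This is not oidc-client-js code: it is a small stand-in UserManager that only builds the requests the real library would send (an RFC 7009 revocation POST and the end_session redirect URL) so it can run offline. The endpoint URLs, client_id, secret, redirect URI and token strings are constructed for the demo.

```javascript
// Added example, not oidc-client-js code. Models how the settings discussed in
// this thread affect the requests built at signout, and why calling
// removeUser() before signoutRedirect() drops the id_token_hint.
// All endpoints, identifiers and tokens below are constructed for the demo.

const OP = {
  end_session_endpoint: "https://op.example/connect/endsession",
  revocation_endpoint: "https://op.example/connect/revocation",
};

// Minimal stand-in for the browser's sessionStorage (key -> string).
class MemoryStore {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

class MiniUserManager {
  constructor(settings, store = new MemoryStore()) {
    // Default matches the fix in this thread: revocation is off unless enabled.
    this.settings = Object.assign({ revokeAccessTokenOnSignout: false }, settings);
    this.store = store;
    this.key = `user:${settings.authority}:${settings.client_id}`;
  }
  storeUser(user) { this.store.setItem(this.key, JSON.stringify(user)); }
  getUser() { const raw = this.store.getItem(this.key); return raw ? JSON.parse(raw) : null; }
  removeUser() { this.store.removeItem(this.key); }

  // RFC 7009 revocation request. An OP that requires client authentication
  // rejects a body carrying only client_id with 400 invalid_client, which is
  // why the client_secret setting exists; it is included only when configured.
  buildRevocationRequest(user) {
    if (!this.settings.revokeAccessTokenOnSignout || !user || !user.access_token) return null;
    const params = new URLSearchParams({
      token: user.access_token,
      token_type_hint: "access_token",
      client_id: this.settings.client_id,
    });
    if (this.settings.client_secret) params.set("client_secret", this.settings.client_secret);
    return { url: OP.revocation_endpoint, body: params.toString() };
  }

  // End-session redirect. id_token_hint is taken from the stored user, so if
  // the user has already been removed nothing is sent and the OP cannot tie
  // the logout to the client/session.
  buildSignoutRequest() {
    const user = this.getUser();
    const url = new URL(OP.end_session_endpoint);
    if (user && user.id_token) url.searchParams.set("id_token_hint", user.id_token);
    if (this.settings.post_logout_redirect_uri) {
      url.searchParams.set("post_logout_redirect_uri", this.settings.post_logout_redirect_uri);
    }
    const revocation = this.buildRevocationRequest(user);
    this.removeUser(); // clear local state after the requests are built, not before
    return { url: url.toString(), revocation };
  }
}

// The logout handler described in the thread (user removed first) vs the fix.
function logoutBroken(mgr) { mgr.removeUser(); return mgr.buildSignoutRequest(); }
function logoutFixed(mgr) { return mgr.buildSignoutRequest(); }

function demo() {
  const settings = {
    authority: "https://op.example",
    client_id: "spa",                      // constructed
    client_secret: "constructed-secret",   // constructed
    post_logout_redirect_uri: "https://app.example/",
    revokeAccessTokenOnSignout: true,
  };
  const user = { id_token: "constructed.id.token", access_token: "constructedreferencetoken", token_type: "Bearer" };
  const a = new MiniUserManager(settings); a.storeUser(user);
  const b = new MiniUserManager(settings); b.storeUser(user);
  return { broken: logoutBroken(a), fixed: logoutFixed(b) };
}

const result = demo();
console.log("broken:", result.broken.url, result.broken.revocation);
console.log("fixed: ", result.fixed.url, result.fixed.revocation);
```

With the user removed first, the end-session URL carries no id_token_hint and no revocation request is built, which is the symptom seen in the captured HTTP calls above; with the user still stored, both the hint and the revocation body (including client_secret when set) are produced.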
