
Attempting to revoke an invalid token responds with an error #1362

Closed
JoshNorthrup opened this issue Feb 18, 2020 · 6 comments · Fixed by #1370

Comments

@JoshNorthrup
Contributor

Steps to reproduce

When making a properly formed revocation request (POST /oauth/revoke) with an invalid token, a 403 is returned. This seems to disagree with https://tools.ietf.org/html/rfc7009#section-2.2 which states

The authorization server responds with HTTP status code 200 if the
token has been revoked successfully or if the client submitted an
invalid token.

Expected behavior

Given a properly formed request with an invalid token, TokensController#revoke should respond with 200

@JoshNorthrup
Contributor Author

@nbulaj Thoughts on this? I can put together a PR

@nbulaj
Member

nbulaj commented Mar 5, 2020

Hi @JoshNorthrup. I thought we had a proper implementation. Don't we have specs for it in tests? 🤔

If not - would be great to see a PR! Thanks!
P.S. Sorry, too busy to review everything

@nbulaj
Member

nbulaj commented Mar 5, 2020

Ah, read this please: #1252

Or just 2.1. Revocation Request of the original RFC 7009:

The client also includes its authentication credentials as described
in Section 2.3. of [RFC6749].
...
The authorization server first validates the client credentials (in
case of a confidential client) and then verifies whether the token
was issued to the client making the revocation request. If this
validation fails, the request is refused and the client is informed
of the error
by the authorization server as described below.

So actually Doorkeeper works as expected:

  • authorized? checks if the Application is confidential or not (it's the "in case of a confidential client" point from above)
    • if confidential - then it checks authorization and in case it's invalid - informs the client with an error as stated in the RFC
    • if public - authorization is bypassed
  • then Doorkeeper tries to revoke the token (calls revoke_token)
  • and renders 200 in any case (revoked or not)
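The flow described in the list above, written out as an added example (not Doorkeeper's own code): an in-memory stand-in for the Application and AccessToken models, a confidential-only client check, a 200 for unknown tokens per RFC 7009 §2.2, and an error response when the token belongs to a different client. The specific error status codes (401 for a failed client check, 403 for a token issued to another client) are assumptions.

```ruby
# Constructed stand-in for Doorkeeper's Application and AccessToken records (assumption).
APPLICATIONS = {
  'conf-app'   => { secret: 's3cret', confidential: true },
  'public-app' => { secret: nil,      confidential: false }
}.freeze

TOKENS = {
  'tok-conf'   => { app: 'conf-app',   revoked: false },
  'tok-public' => { app: 'public-app', revoked: false }
}

# Constant-time string comparison so secret checks do not leak timing information.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client authentication is enforced only for confidential clients (RFC 7009 §2.1).
def authorized?(client_id, client_secret)
  app = APPLICATIONS[client_id]
  return false unless app
  return true unless app[:confidential] # public client: authentication bypassed
  secure_compare(app[:secret], client_secret)
end

# Returns [http_status, body] for a POST /oauth/revoke request.
def revoke(client_id:, token:, client_secret: nil)
  # 1. Validate client credentials (assumed status: 401 invalid_client).
  return [401, { error: 'invalid_client' }] unless authorized?(client_id, client_secret)

  record = TOKENS[token]
  # 2. Unknown or already invalid token: RFC 7009 §2.2 requires 200, not an error,
  #    so the endpoint does not reveal whether the token ever existed.
  return [200, {}] if record.nil?

  # 3. Token exists but was issued to another client: refuse (assumed status: 403).
  return [403, { error: 'unauthorized_client' }] unless record[:app] == client_id

  # 4. Token belongs to the authenticated client: revoke it and answer 200.
  record[:revoked] = true
  [200, {}]
end
```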

@nbulaj
Member

nbulaj commented Mar 5, 2020

Hm, or actually current authorization must be changed and it must be more complex. Let me continue with this tomorrow with a fresh head...

nbulaj added a commit that referenced this issue Mar 6, 2020
Fix token revocation endpoint behavior & response for invalid token and unauthorized requests
to conform with RFC 7009.
Fixes #1362.
@nbulaj
Member

nbulaj commented Mar 6, 2020

Re-reviewed the RFC and created a PR to fix the issue @JoshNorthrup, you could check #1370

@nbulaj
Member

nbulaj commented Mar 6, 2020

Fixed, thanks @JoshNorthrup
