Look into implementation/use of revocation-url #2

Closed
ackerleytng opened this issue Dec 7, 2020 · 2 comments · Fixed by #38
Comments

@ackerleytng commented Dec 7, 2020

louketo seems to be calling the end_session_endpoint on keycloak, which is not the revocation endpoint, I believe? Keycloak seems to have an undocumented revocation endpoint at /revoke, according to keycloak/keycloak#6704.

If this is more of a logout endpoint than revocation endpoint, we should rename the config variable and improve docs.

Token revocation is defined by https://tools.ietf.org/html/rfc7009

@p53

p53 commented Jan 15, 2021

When I check my Keycloak, and also on StackOverflow, the Keycloak endpoints were:

    {
      "issuer": "http://localhost:8080/auth/realms/demo",
      "authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
      "token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
      "userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
      "end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
      "jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs"
    }

so there wasn't any explicit revocation endpoint.
Also, according to this issue, louketo#662, Keycloak 10.0.0 introduces a new revocation endpoint; however, you can set any revocation endpoint through an option, so we can set the new Keycloak revocation endpoint as the default.

@p53 p53 added easy complexity, low priority labels Jan 15, 2021
@p53 p53 added this to To do in Gatekeeper via automation Jan 16, 2021
@p53 p53 added this to the release 1.2.1 milestone Jan 20, 2021
@p53 p53 added normal complexity and removed easy complexity labels Jan 25, 2021
@p53

p53 commented Jan 25, 2021

As per the Keycloak implementation (keycloak/keycloak#6704), they support only refresh tokens in the token parameter. As found, loginHandler doesn't provide the refresh token in cookies, so if logging in via loginHandler we are unable to log out because we don't have the refresh token (unless store is enabled; didn't check whether that's buggy...).
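
The distinction the thread is drawing, between calling the OIDC end_session_endpoint (a logout) and performing RFC 7009 token revocation, and the constraint p53 notes that the revocation endpoint accepts only refresh tokens, can be shown end to end in Go, the language gatekeeper is written in. The block below is an added example and is not gatekeeper's or Keycloak's own code: `RevokeToken` issues an RFC 7009 revocation request and surfaces non-200 responses as an error (the behaviour the fix commit describes as "returning http error codes when revocation fails"), `LogoutWithRevocation` refuses to pretend a logout revoked anything when no refresh token is in hand, and `NewFakeRevocationServer` is a constructed httptest stand-in that mimics the refresh-token-only behaviour described for Keycloak. All function names, the `/revoke` path on the fake server, the client credentials and the token strings are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrNoRefreshToken: logout was attempted without a refresh token, so nothing can be revoked.
var ErrNoRefreshToken = errors.New("no refresh token available: cannot revoke")

// RevocationError carries the status and body the revocation endpoint answered with, so a
// logout handler can surface the failure instead of reporting a successful logout.
type RevocationError struct {
	Status int
	Body   string
}

func (e *RevocationError) Error() string {
	return fmt.Sprintf("revocation failed: HTTP %d: %s", e.Status, e.Body)
}

// RevokeToken sends an RFC 7009 revocation request: a form-encoded POST with token and an
// optional token_type_hint, client-authenticated with HTTP Basic. Per RFC 7009 section 2.2,
// 200 means revoked (or already invalid); any other status is returned as *RevocationError.
func RevokeToken(c *http.Client, revocationURL, clientID, clientSecret, token, hint string) error {
	form := url.Values{"token": {token}}
	if hint != "" {
		form.Set("token_type_hint", hint)
	}
	req, err := http.NewRequest(http.MethodPost, revocationURL, strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return &RevocationError{Status: resp.StatusCode, Body: strings.TrimSpace(string(body))}
	}
	return nil
}

// LogoutWithRevocation reflects the constraint raised in the thread: revocation needs the
// refresh token, so a login path that never stored one cannot revoke anything at logout.
func LogoutWithRevocation(c *http.Client, revocationURL, clientID, clientSecret, refreshToken string) error {
	if refreshToken == "" {
		return ErrNoRefreshToken
	}
	return RevokeToken(c, revocationURL, clientID, clientSecret, refreshToken, "refresh_token")
}

// NewFakeRevocationServer is a constructed stand-in for an authorization server (not Keycloak).
// As the thread describes for Keycloak, only refresh tokens are revocable: a request hinted as
// access_token gets RFC 7009's unsupported_token_type error. Unknown tokens still get 200.
func NewFakeRevocationServer(clientID, clientSecret string, refreshTokens map[string]bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/revoke", func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		if err := r.ParseForm(); err != nil || r.Method != http.MethodPost {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		if r.PostForm.Get("token_type_hint") == "access_token" {
			http.Error(w, `{"error":"unsupported_token_type"}`, http.StatusBadRequest)
			return
		}
		delete(refreshTokens, r.PostForm.Get("token"))
		w.WriteHeader(http.StatusOK)
	})
	return httptest.NewServer(mux)
}

func main() {
	const clientID, clientSecret = "gatekeeper", "s3cr3t" // constructed credentials
	live := map[string]bool{"rt-abc123": true}            // constructed refresh-token store
	srv := NewFakeRevocationServer(clientID, clientSecret, live)
	defer srv.Close()
	revokeURL := srv.URL + "/revoke"
	fmt.Println("refresh token:", LogoutWithRevocation(srv.Client(), revokeURL, clientID, clientSecret, "rt-abc123"), "still live:", live["rt-abc123"])
	fmt.Println("access token:", RevokeToken(srv.Client(), revokeURL, clientID, clientSecret, "at-xyz", "access_token"))
	fmt.Println("missing refresh token:", LogoutWithRevocation(srv.Client(), revokeURL, clientID, clientSecret, ""))
}
```

Two points the code makes that a config rename alone would not: a call to the end_session_endpoint never touches the refresh token's validity at the authorization server, whereas the RFC 7009 request above does, and a proxy that treats any non-200 from the revocation endpoint as success leaves a live refresh token behind while telling the user they are logged out.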

@p53 p53 self-assigned this Jan 29, 2021
p53 pushed a commit that referenced this issue Feb 3, 2021
* Fix revocation url

* Add returning http error codes when revocation fails, Add tests for revocation url

* Move revocation url variable to where it is used
@p53 p53 linked a pull request Feb 3, 2021 that will close this issue
@p53 p53 closed this as completed Feb 3, 2021
Gatekeeper automation moved this from To do to Done Feb 3, 2021