Cannot revoke OAuth2 RefreshToken without related Token #625

Closed
rooftopcellist opened this issue Jul 23, 2018 · 0 comments

rooftopcellist commented Jul 23, 2018

SUMMARY

Django-OAuth-Toolkit supports deleting a token, but does not cascade on delete for its RefreshToken anymore as of DOT 1.1.2. This creates an issue when you try to revoke a RefreshToken that no longer has an associated AccessToken. This will cause a traceback at this line.

This could also potentially become an issue in reverse here, but is unlikely to be hit unless a user is manually deleting RefreshTokens.

Currently, users have no way to delete RefreshTokens as of DOT 1.1.2 given these circumstances, which is an issue because RefreshTokens can be used to issue a new AccessToken.

ENVIRONMENT

  • Django OAuth Toolkit version 1.1.2
  • Python version 2.7.5

STEPS TO REPRODUCE

  1. Create App
  2. Create AccessToken
  3. Revoke AccessToken using either method (api/o/revoke_token)
  4. Observe that the RefreshToken remains and the AccessToken is deleted.
    ^^ This all is as expected
  5. Revoke RefreshToken (we currently can't do this)

awx.main.models.oauth.DoesNotExist: OAuth2AccessToken matching query does not exist.

Related Issue from AWX: ansible/awx#2044

ryanpetrello added a commit to ryanpetrello/django-oauth-toolkit that referenced this issue Aug 6, 2018
ryanpetrello added a commit to ansible/django-oauth-toolkit that referenced this issue Aug 6, 2018
jleclanche pushed a commit that referenced this issue Oct 12, 2018
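
The failure reported in this issue, modelled as an added example that is not code from Django OAuth Toolkit, AWX, or the referenced commits. `TokenStore`, its methods, and the token strings are hypothetical and constructed for illustration; the in-memory dicts stand in for the AccessToken and RefreshToken tables.

```python
# Added illustration: in-memory stand-in for the token tables, not DOT's models.
class DoesNotExist(Exception):
    """Stand-in for the ORM's DoesNotExist exception."""


class TokenStore:
    def __init__(self):
        self.access = {}    # access token id -> token string
        self.refresh = {}   # refresh token string -> {"access_id", "revoked"}
        self._next_id = 1

    def issue(self, access, refresh):
        at_id = self._next_id
        self._next_id += 1
        self.access[at_id] = access
        self.refresh[refresh] = {"access_id": at_id, "revoked": False}
        return at_id

    def get_access(self, at_id):
        if at_id not in self.access:
            raise DoesNotExist("OAuth2AccessToken matching query does not exist.")
        return at_id

    def revoke_access(self, at_id):
        # As in the report: the access token is deleted, the refresh token stays.
        del self.access[self.get_access(at_id)]

    def revoke_refresh_fragile(self, refresh):
        row = self.refresh[refresh]
        self.revoke_access(row["access_id"])  # raises if the access token is gone
        row["revoked"] = True                 # never reached in that case

    def revoke_refresh_tolerant(self, refresh):
        row = self.refresh[refresh]
        try:
            self.revoke_access(row["access_id"])
        except DoesNotExist:
            pass  # access token already revoked; still revoke the refresh token
        row["access_id"] = None
        row["revoked"] = True

    def can_refresh(self, refresh):
        # A refresh token that is present and not revoked can mint a new access token.
        row = self.refresh.get(refresh)
        return row is not None and not row["revoked"]
```

With the fragile path, the exception leaves the refresh token usable after the failed revocation attempt; the tolerant path treats a missing access token as already revoked and still invalidates the refresh token.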