
Revocation of refresh token also revokes client consent #12916

Closed
derkoe opened this issue Jul 5, 2022 · 8 comments
Labels: area/oidc (Indicates an issue on OIDC area), kind/bug (Categorizes a PR related to a bug)


derkoe commented Jul 5, 2022

Describe the bug

When an OpenID Connect client revokes a refresh token with /auth/realms/{realm}/protocol/openid-connect/revoke the user consent is also being revoked. The Keycloak documentation and the OAuth 2.0 docs do not mention such a behaviour.

Version

16.0.1

Expected behavior

The expected behaviour when revoking a refresh token is that this token (and all related access tokens) will be revoked.

> Depending on the authorization server's revocation policy, the revocation of a particular token may cause the revocation of related tokens and the underlying authorization grant. If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note). If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.

https://datatracker.ietf.org/doc/html/rfc7009#section-2.1

Actual behavior

Keycloak not only revokes the tokens, it also revokes the client consent here:

How to Reproduce?

  • Create an access/refresh token for an OpenID Connect client (with consent enabled)
  • Call the /auth/realms/{realm}/protocol/openid-connect/revoke endpoint with the refresh token
  • Now, the user consent for this application has been removed.

Anything else?

No response

derkoe added the kind/bug (Categorizes a PR related to a bug) and status/triage labels Jul 5, 2022

derkoe commented Jul 5, 2022

This issue also exists with offline tokens.


derkoe commented Jul 5, 2022

The actual issue seems to be here:

```java
session.users().revokeConsentForClient(realm, user.getId(), client.getId());
```

derkoe added a commit to derkoe/keycloak that referenced this issue Jul 13, 2022
mposolda self-assigned this Jul 13, 2022
mposolda added the area/oidc (Indicates an issue on OIDC area) label Jul 13, 2022
mposolda (Contributor) commented:

@derkoe The typical use-case for token revocation is when the particular token is compromised. Hence the reason why there is also revocation of the user consent, which is for security reasons. As you cited, the specification mentions that "revocation of a particular token may cause the revocation of related tokens and the underlying authorization grant", and the user consent can be considered a part of the "authorization grant", so I don't see that the Keycloak behaviour is incompatible with the specification.

What exactly is your actual use-case for calling token revocation? I wonder if it would be an alternative for you to call "logout" instead of "token revocation"? You can either call OIDC logout from the browser, or with the logout token (OIDC backchannel logout), or you can call the logout endpoint with the refresh token as a parameter: https://github.com/keycloak/keycloak/blob/18.0.0/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java#L351


derkoe commented Jul 14, 2022

> As you cited, specification mentions revocation of a particular token may cause the revocation of related tokens and the underlying authorization grant. and the user consent can be considered a part of the "authorization grant", so I don't see that Keycloak behaviour is incompatible with the specification.

All other identity providers we tried did not have this "feature" - maybe this should be put behind a configuration.

> What is exactly your actual use-case for calling token revocation?

We would like to log out from a native mobile application, and we were not sure whether the refresh token was also invalidated by that logout.


mposolda commented Jul 14, 2022

> > As you cited, specification mentions revocation of a particular token may cause the revocation of related tokens and the underlying authorization grant. and the user consent can be considered a part of the "authorization grant", so I don't see that Keycloak behaviour is incompatible with the specification.
>
> All other identity providers we tried did not have this "feature" - maybe this should be put behind a configuration.
>
> > What is exactly your actual use-case for calling token revocation?
>
> We like to logout from a native mobile application and we were not sure if the refresh token was also invalidated with that logout.

Sure, it is. Logout will automatically invalidate the refresh token and all the underlying access tokens, as well as the session. It won't be possible at all to refresh the token after the logout.
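
The reproduction steps from the issue description and the logout alternative suggested in this thread, as one added example that is not from the issue or from the Keycloak project. The endpoint paths, form parameters and the admin consents route are Keycloak's real ones (the `/auth` prefix matches Keycloak 16; newer Quarkus builds drop it). The realm `demo`, client `mobile-app`, user `alice`, the admin token and the `FakeKeycloak` transport are constructed here so the script runs offline; the fake models exactly the behaviour this thread describes (revoke drops the session and the consent, logout drops only the session). To check a real server, pass `urllib_transport` together with a real admin token and the user's UUID instead of the fake:

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def urllib_transport(method, url, data=None, headers=None):
    """Real transport for a live server: form-encoded request, returns (status, JSON body or None)."""
    body = urlencode(data).encode() if data is not None else None
    req = Request(url, data=body, headers=headers or {}, method=method)
    try:
        with urlopen(req, timeout=10) as resp:
            raw, status = resp.read(), resp.status
    except HTTPError as err:
        raw, status = err.read(), err.code
    return status, (json.loads(raw) if raw else None)


class KeycloakClient:
    """Confidential OIDC client; BASE keeps the '/auth' prefix that Keycloak 16 uses."""

    def __init__(self, base, realm, client_id, client_secret, transport):
        p = f"{base}/realms/{realm}/protocol/openid-connect"
        self.token_url, self.revoke_url, self.logout_url = f"{p}/token", f"{p}/revoke", f"{p}/logout"
        self.auth = {"client_id": client_id, "client_secret": client_secret}
        self.send = transport

    def password_grant(self, username, password):
        form = {**self.auth, "grant_type": "password", "username": username, "password": password}
        return self.send("POST", self.token_url, form)

    def refresh(self, refresh_token):
        form = {**self.auth, "grant_type": "refresh_token", "refresh_token": refresh_token}
        return self.send("POST", self.token_url, form)

    def revoke(self, token, hint="refresh_token"):
        # RFC 7009 revocation request; on Keycloak 16 this also drops the user's consent
        return self.send("POST", self.revoke_url, {**self.auth, "token": token, "token_type_hint": hint})

    def logout(self, refresh_token):
        # Keycloak logout endpoint called with the refresh token: ends the session, keeps the consent
        return self.send("POST", self.logout_url, {**self.auth, "refresh_token": refresh_token})


def user_consents(base, realm, user_id, admin_token, transport):
    """Admin REST API: set of client IDs the user has consented to, or None if the call failed."""
    status, body = transport("GET", f"{base}/admin/realms/{realm}/users/{user_id}/consents",
                             headers={"Authorization": f"Bearer {admin_token}"})
    return {c["clientId"] for c in body} if status == 200 else None


class FakeKeycloak:
    """Constructed offline stand-in modelling the behaviour reported in the issue
    (user IDs equal usernames here; a real server returns UUIDs)."""

    def __init__(self):
        self.sessions, self.consents, self.n, self.requests = {}, set(), 0, []

    def __call__(self, method, url, data=None, headers=None):
        data = dict(data or {})
        self.requests.append((method, url, data))
        path = url.rsplit("/", 1)[-1]
        if path == "token" and data.get("grant_type") == "password":
            self.n += 1
            self.sessions[f"rt{self.n}"] = (data["username"], data["client_id"])
            self.consents.add((data["username"], data["client_id"]))  # consent granted at login
            return 200, {"access_token": f"at{self.n}", "refresh_token": f"rt{self.n}"}
        if path == "token":
            if data.get("refresh_token") in self.sessions:
                return 200, {"access_token": f"at{self.n}-new", "refresh_token": data["refresh_token"]}
            return 400, {"error": "invalid_grant"}
        if path == "revoke":
            user, client = self.sessions.pop(data.get("token"), (None, None))
            self.consents.discard((user, client))  # the reported behaviour: the consent goes too
            return 200, None
        if path == "logout":
            self.sessions.pop(data.get("refresh_token"), None)  # session only, consent untouched
            return 204, None
        if path == "consents":
            uid = url.split("/users/")[1].split("/")[0]
            return 200, [{"clientId": c} for u, c in sorted(self.consents) if u == uid]
        return 404, None


def reproduce(base, realm, transport, username, password, user_id, admin_token,
              client_id="mobile-app", client_secret="secret"):
    """Log in, revoke; log in, log out; report whether refresh still works and consent survived."""
    client = KeycloakClient(base, realm, client_id, client_secret, transport)
    obs = {}
    _, tokens = client.password_grant(username, password)
    client.revoke(tokens["refresh_token"])
    obs["refresh_after_revoke"] = client.refresh(tokens["refresh_token"])[0]
    obs["consent_after_revoke"] = client_id in user_consents(base, realm, user_id, admin_token, transport)
    _, tokens = client.password_grant(username, password)
    client.logout(tokens["refresh_token"])
    obs["refresh_after_logout"] = client.refresh(tokens["refresh_token"])[0]
    obs["consent_after_logout"] = client_id in user_consents(base, realm, user_id, admin_token, transport)
    return obs
```

Against the fake, `reproduce("https://kc.example/auth", "demo", FakeKeycloak(), "alice", "pw", "alice", "admin-token")` reports that the refresh token is dead after both paths (400 `invalid_grant`) but the consent only survives the logout path, which is the distinction the thread settles on. Against a real Keycloak the same call, with a live admin token and the user's UUID, tells you which behaviour your version has.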

mposolda (Contributor) commented:

@derkoe Were you able to use the approach with the logout? Is it possible to close this issue?


derkoe commented Aug 12, 2022

@mposolda yes we used the logout approach.

I think it would be good to put this in the docs: keycloak/keycloak-documentation#1664

mposolda added this to the 20.0.0 milestone Aug 23, 2022
mposolda changed the title from "Revokation of refresh token also revokes client consent" to "Revocation of refresh token also revokes client consent" Aug 23, 2022
mposolda (Contributor) commented:

@derkoe I've merged your documentation PR. Thanks for it!
