
identity: support revocation_endpoint [rfc8414] #501

Closed
samcgarry opened this issue Feb 10, 2020 · 6 comments · Fixed by #595

@samcgarry

Is your feature request related to a problem? Please describe.

Similar to issue #494, I have an instance of pomerium integrated to keycloak using OIDC. When I call the .pomerium/sign_out link I get a 400 error, "Bad Request: internal/identity: revoke not implemented by oidc".

Describe the solution you'd like

I'd like to be able to provide the user a method to sign out their user, but currently this means they will see a web error message. It also will not sign them out of their keycloak login.
Keycloak provides an end_session_endpoint in the /.well-known/openid-configuration, which will sign out the user, so it would be good if pomerium could callback into that endpoint to logout the user.

I'm not sure how the token revocation works with the other OIDC providers but being able to customise a callback would be useful. How does pomerium determine if the revoke option is available?

@desimone
Contributor

desimone commented Feb 11, 2020

@samcgarry thanks for bringing this up. I did a bit more research.

I think if the identity provider supports rfc8414, we can/should use the /.well-known/openid-configuration discovery document to autoconfigure revocation support. Can you provide an example output of keycloak's /.well-known/openid-configuration doc?

For example:

@desimone desimone changed the title Sign-out behaviour with OIDC providers identity: support revocation_endpoint [rfc8414] Feb 11, 2020
@desimone
Contributor

cc @travisgroth thoughts?

@samcgarry
Author

@desimone
Here's a sample of the keycloak doc (I added newlines to make it easier to read):

```json
{
  "issuer": "https://keycloak.example.com/auth/realms/test",
  "authorization_endpoint": "https://keycloak.example.com/auth/realms/test/protocol/openid-connect/auth",
  "token_endpoint": "https://keycloak.example.com/auth/realms/test/protocol/openid-connect/token",
  "token_introspection_endpoint": "https://keycloak.example.com/auth/realms/test/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "https://keycloak.example.com/auth/realms/test/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://keycloak.example.com/auth/realms/test/protocol/openid-connect/logout",
  "jwks_uri": "https://keycloak.example.com/auth/realms/test/protocol/openid-connect/certs",
  "check_session_iframe": "https://keycloak.example.com/auth/realms/test/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
  "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA1_5"],
  "id_token_encryption_enc_values_supported": ["A128GCM", "A128CBC-HS256"],
  "userinfo_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none"],
  "request_object_signing_alg_values_supported": ["PS384", "ES384", "RS384", "ES256", "RS256", "ES512", "PS256", "PS512", "RS512", "none"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "registration_endpoint": "https://keycloak.example.com/auth/realms/test/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "ES256", "RS256", "ES512", "PS256", "PS512", "RS512"],
  "claims_supported": ["aud", "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email", "acr"],
  "claim_types_supported": ["normal"],
  "claims_parameter_supported": false,
  "scopes_supported": ["openid", "phone", "address", "web-origins", "offline_access", "roles", "microprofile-jwt", "profile", "email"],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "code_challenge_methods_supported": ["plain", "S256"],
  "tls_client_certificate_bound_access_tokens": true,
  "introspection_endpoint": "https://keycloak.example.com/auth/realms/test/protocol/openid-connect/token/introspect"
}
```

@samcgarry
Author

I guess I was thinking about the end_session_endpoint, but as I mentioned in my initial post I'm not overly familiar with the OAuth2/OIDC protocol.

With my scenario, pomerium sits at the ingress point of my network, and passes authentication to keycloak for identifying users and this then generates a token with claims which is passed on according to the pomerium policy to the target endpoint. This means I can use groups to permit access to different services with a single sign on. The issue I was trying to address was how to provide a user with a method to sign out in a way that will drop the session for keycloak and pomerium.

I have a homepage of sorts which users can access which acts like a jumping off point for the other services, and I planned to have a logout link there which they could use to sign out of everything.

One issue I had was that the pomerium sign out link takes you to an error page, so it deletes the pomerium cookie, but the keycloak session persists so you can still access the services if you refresh the page as pomerium is able to authenticate with keycloak and then generate a new session.

I hope this makes sense - I'm trying to explain it from the scenario I am looking to configure, but the technical aspects of token revocation are something I've not delved into too deeply at this point.

@travisgroth
Contributor

@desimone the rfc8414 revocation endpoint sounds pretty reasonable to support out of the box. If we don't find it in /.well-known/openid-configuration we can just skip the call. It looks like a very easy API.
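The approach sketched in this thread (read `/.well-known/openid-configuration`, use `revocation_endpoint` when the provider advertises it, skip the call otherwise) is shown below as an added example. It is not pomerium's code and not the code that landed in #595; it is a stand-alone Go illustration that parses the discovery metadata and, when a revocation endpoint is present, sends an RFC 7009 revocation request authenticated with HTTP basic client credentials. `keycloakSample` is a constructed excerpt of the Keycloak document quoted above, which has `end_session_endpoint` but no `revocation_endpoint`, so for that provider the function reports that revocation was skipped rather than failing with an error.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// DiscoveryDoc holds the subset of RFC 8414 / OIDC discovery metadata
// this example uses. revocation_endpoint is OPTIONAL in RFC 8414, so a
// conforming provider (such as the Keycloak sample) may omit it.
type DiscoveryDoc struct {
	Issuer             string `json:"issuer"`
	TokenEndpoint      string `json:"token_endpoint"`
	EndSessionEndpoint string `json:"end_session_endpoint"`
	RevocationEndpoint string `json:"revocation_endpoint"`
}

// ParseDiscovery decodes the body of /.well-known/openid-configuration.
// Unknown keys in the document are ignored.
func ParseDiscovery(body []byte) (*DiscoveryDoc, error) {
	var d DiscoveryDoc
	if err := json.Unmarshal(body, &d); err != nil {
		return nil, fmt.Errorf("discovery: %w", err)
	}
	if d.Issuer == "" {
		return nil, errors.New("discovery: missing issuer")
	}
	return &d, nil
}

// RevocationSupported reports whether the provider advertised an
// RFC 7009 revocation endpoint.
func (d *DiscoveryDoc) RevocationSupported() bool {
	return d.RevocationEndpoint != ""
}

// RevokeToken performs an RFC 7009 revocation of token. It returns
// (false, nil) when no revocation endpoint is advertised so callers can
// skip the step without treating it as a failure, and (true, nil) when
// the provider answered 200. hint is the optional token_type_hint
// ("access_token" or "refresh_token"); pass "" to omit it.
func RevokeToken(ctx context.Context, hc *http.Client, d *DiscoveryDoc,
	token, hint, clientID, clientSecret string) (bool, error) {
	if !d.RevocationSupported() {
		return false, nil
	}
	form := url.Values{"token": {token}}
	if hint != "" {
		form.Set("token_type_hint", hint)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost,
		d.RevocationEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return false, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	// client_secret_basic, which the Keycloak sample lists as supported.
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := hc.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	// RFC 7009 section 2.2: 200 means revoked (or already invalid);
	// anything else is reported so sign-out can surface the failure.
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("revocation: unexpected status %d", resp.StatusCode)
	}
	return true, nil
}

// keycloakSample is a constructed excerpt of the discovery document
// posted in this thread; note the absence of revocation_endpoint.
const keycloakSample = `{
  "issuer": "https://keycloak.example.com/auth/realms/test",
  "token_endpoint": "https://keycloak.example.com/auth/realms/test/protocol/openid-connect/token",
  "end_session_endpoint": "https://keycloak.example.com/auth/realms/test/protocol/openid-connect/logout",
  "introspection_endpoint": "https://keycloak.example.com/auth/realms/test/protocol/openid-connect/token/introspect"
}`

func main() {
	d, err := ParseDiscovery([]byte(keycloakSample))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("issuer:", d.Issuer)
	fmt.Println("revocation_endpoint advertised:", d.RevocationSupported())
	fmt.Println("end_session_endpoint:", d.EndSessionEndpoint)
}
```

The two outcomes matter for the sign-out flow discussed above: a provider without `revocation_endpoint` is skipped cleanly instead of producing the "revoke not implemented" 400, while a provider that advertises one gets the token revoked before the local session cookie is cleared.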
