feat(OIDC): support token revocation of V2 tokens (#6203)

This PR adds support for OAuth2 token revocation of V2 tokens. Unlike with V1 tokens, it's now possible to revoke a token not only from the authorized client / client which the token was issued to, but rather from all trusted clients (audience)
2025-08-12 07:47:32 +00:00 · 2023-07-17 14:33:37 +02:00
parent ecf9835cb8
commit e1b3cda98a
17 changed files with 689 additions and 102 deletions
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -265,12 +265,12 @@ func (o *OPStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	plainCode, err := o.decryptGrant(refreshToken)
+	plainToken, err := o.decryptGrant(refreshToken)
 	if err != nil {
 		return nil, err
 	}
-	if strings.HasPrefix(plainCode, command.IDPrefixV2) {
-		oidcSession, err := o.command.OIDCSessionByRefreshToken(ctx, plainCode)
+	if strings.HasPrefix(plainToken, command.IDPrefixV2) {
+		oidcSession, err := o.command.OIDCSessionByRefreshToken(ctx, plainToken)
 		if err != nil {
 			return nil, err
 		}
@@ -308,7 +308,25 @@ func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID strin
 	return err
 }

-func (o *OPStorage) RevokeToken(ctx context.Context, token, userID, clientID string) *oidc.Error {
+func (o *OPStorage) RevokeToken(ctx context.Context, token, userID, clientID string) (err *oidc.Error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	if strings.HasPrefix(token, command.IDPrefixV2) {
+		err := o.command.RevokeOIDCSessionToken(ctx, token, clientID)
+		if err == nil {
+			return nil
+		}
+		if errors.IsPreconditionFailed(err) {
+			return oidc.ErrInvalidClient().WithDescription("token was not issued for this client")
+		}
+		return oidc.ErrServerError().WithParent(err)
+	}
+
+	return o.revokeTokenV1(ctx, token, userID, clientID)
+}
+
+func (o *OPStorage) revokeTokenV1(ctx context.Context, token, userID, clientID string) *oidc.Error {
 	refreshToken, err := o.repo.RefreshTokenByID(ctx, token, userID)
 	if err == nil {
 		if refreshToken.ClientID != clientID {
@@ -338,6 +356,17 @@ func (o *OPStorage) RevokeToken(ctx context.Context, token, userID, clientID str
 }

 func (o *OPStorage) GetRefreshTokenInfo(ctx context.Context, clientID string, token string) (userID string, tokenID string, err error) {
+	plainToken, err := o.decryptGrant(token)
+	if err != nil {
+		return "", "", op.ErrInvalidRefreshToken
+	}
+	if strings.HasPrefix(plainToken, command.IDPrefixV2) {
+		oidcSession, err := o.command.OIDCSessionByRefreshToken(ctx, plainToken)
+		if err != nil {
+			return "", "", op.ErrInvalidRefreshToken
+		}
+		return oidcSession.UserID, oidcSession.OIDCRefreshTokenID(oidcSession.RefreshTokenID), nil
+	}
 	refreshToken, err := o.repo.RefreshTokenByToken(ctx, token)
 	if err != nil {
 		return "", "", op.ErrInvalidRefreshToken
--- a/internal/api/oidc/auth_request_integration_test.go
+++ b/internal/api/oidc/auth_request_integration_test.go
@@ -184,6 +184,196 @@ func TestOPStorage_CreateAccessAndRefreshTokens_refresh(t *testing.T) {
 	require.Error(t, err)
 }

+func TestOPStorage_RevokeToken_access_token(t *testing.T) {
+	clientID := createClient(t)
+	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	require.NoError(t, err)
+	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
+	sessionID, sessionToken, startTime, changeTime := Tester.CreatePasskeySession(t, CTXLOGIN, User.GetUserId())
+	linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
+		AuthRequestId: authRequestID,
+		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+			Session: &oidc_pb.Session{
+				SessionId:    sessionID,
+				SessionToken: sessionToken,
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	// code exchange
+	code := assertCodeResponse(t, linkResp.GetCallbackUrl())
+	tokens, err := exchangeTokens(t, clientID, code)
+	require.NoError(t, err)
+	assertTokens(t, tokens, true)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)
+
+	// revoke access token
+	err = rp.RevokeToken(provider, tokens.AccessToken, "access_token")
+	require.NoError(t, err)
+
+	// userinfo must fail
+	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	require.Error(t, err)
+
+	// refresh grant must still work
+	_, err = refreshTokens(t, clientID, tokens.RefreshToken)
+	require.NoError(t, err)
+
+	// revocation with the same access token must not fail (with or without hint)
+	err = rp.RevokeToken(provider, tokens.AccessToken, "access_token")
+	require.NoError(t, err)
+	err = rp.RevokeToken(provider, tokens.AccessToken, "")
+	require.NoError(t, err)
+}
+
+func TestOPStorage_RevokeToken_access_token_invalid_token_hint_type(t *testing.T) {
+	clientID := createClient(t)
+	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	require.NoError(t, err)
+	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
+	sessionID, sessionToken, startTime, changeTime := Tester.CreatePasskeySession(t, CTXLOGIN, User.GetUserId())
+	linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
+		AuthRequestId: authRequestID,
+		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+			Session: &oidc_pb.Session{
+				SessionId:    sessionID,
+				SessionToken: sessionToken,
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	// code exchange
+	code := assertCodeResponse(t, linkResp.GetCallbackUrl())
+	tokens, err := exchangeTokens(t, clientID, code)
+	require.NoError(t, err)
+	assertTokens(t, tokens, true)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)
+
+	// revoke access token
+	err = rp.RevokeToken(provider, tokens.AccessToken, "refresh_token")
+	require.NoError(t, err)
+
+	// userinfo must fail
+	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	require.Error(t, err)
+
+	// refresh grant must still work
+	_, err = refreshTokens(t, clientID, tokens.RefreshToken)
+	require.NoError(t, err)
+}
+
+func TestOPStorage_RevokeToken_refresh_token(t *testing.T) {
+	clientID := createClient(t)
+	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	require.NoError(t, err)
+	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
+	sessionID, sessionToken, startTime, changeTime := Tester.CreatePasskeySession(t, CTXLOGIN, User.GetUserId())
+	linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
+		AuthRequestId: authRequestID,
+		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+			Session: &oidc_pb.Session{
+				SessionId:    sessionID,
+				SessionToken: sessionToken,
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	// code exchange
+	code := assertCodeResponse(t, linkResp.GetCallbackUrl())
+	tokens, err := exchangeTokens(t, clientID, code)
+	require.NoError(t, err)
+	assertTokens(t, tokens, true)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)
+
+	// revoke refresh token -> invalidates also access token
+	err = rp.RevokeToken(provider, tokens.RefreshToken, "refresh_token")
+	require.NoError(t, err)
+
+	// userinfo must fail
+	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	require.Error(t, err)
+
+	// refresh must fail
+	_, err = refreshTokens(t, clientID, tokens.RefreshToken)
+	require.Error(t, err)
+
+	// revocation with the same refresh token must not fail (with or without hint)
+	err = rp.RevokeToken(provider, tokens.RefreshToken, "refresh_token")
+	require.NoError(t, err)
+	err = rp.RevokeToken(provider, tokens.RefreshToken, "")
+	require.NoError(t, err)
+}
+
+func TestOPStorage_RevokeToken_refresh_token_invalid_token_type_hint(t *testing.T) {
+	clientID := createClient(t)
+	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	require.NoError(t, err)
+	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
+	sessionID, sessionToken, startTime, changeTime := Tester.CreatePasskeySession(t, CTXLOGIN, User.GetUserId())
+	linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
+		AuthRequestId: authRequestID,
+		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+			Session: &oidc_pb.Session{
+				SessionId:    sessionID,
+				SessionToken: sessionToken,
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	// code exchange
+	code := assertCodeResponse(t, linkResp.GetCallbackUrl())
+	tokens, err := exchangeTokens(t, clientID, code)
+	require.NoError(t, err)
+	assertTokens(t, tokens, true)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)
+
+	// revoke refresh token even with a wrong hint
+	err = rp.RevokeToken(provider, tokens.RefreshToken, "access_token")
+	require.NoError(t, err)
+
+	// userinfo must fail
+	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	require.Error(t, err)
+
+	// refresh must fail
+	_, err = refreshTokens(t, clientID, tokens.RefreshToken)
+	require.Error(t, err)
+}
+
+func TestOPStorage_RevokeToken_invalid_client(t *testing.T) {
+	clientID := createClient(t)
+	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
+	sessionID, sessionToken, startTime, changeTime := Tester.CreatePasskeySession(t, CTXLOGIN, User.GetUserId())
+	linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
+		AuthRequestId: authRequestID,
+		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+			Session: &oidc_pb.Session{
+				SessionId:    sessionID,
+				SessionToken: sessionToken,
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	// code exchange
+	code := assertCodeResponse(t, linkResp.GetCallbackUrl())
+	tokens, err := exchangeTokens(t, clientID, code)
+	require.NoError(t, err)
+	assertTokens(t, tokens, true)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)
+
+	// simulate second client (not part of the audience) trying to revoke the token
+	otherClientID := createClient(t)
+	provider, err := Tester.CreateRelyingParty(otherClientID, redirectURI)
+	require.NoError(t, err)
+	err = rp.RevokeToken(provider, tokens.AccessToken, "")
+	require.Error(t, err)
+}
+
 func exchangeTokens(t testing.TB, clientID, code string) (*oidc.Tokens[*oidc.IDTokenClaims], error) {
 	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
 	require.NoError(t, err)