TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:27:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(OIDC): support token revocation of V2 tokens (#6203)

Browse Source 
This PR adds support for OAuth2 token revocation of V2 tokens.

Unlike with V1 tokens, it's now possible to revoke a token not only from the authorized client / client which the token was issued to, but rather from all trusted clients (audience)
This commit is contained in:
Livio Spring
2023-07-17 14:33:37 +02:00
committed by GitHub
parent ecf9835cb8
commit e1b3cda98a
17 changed files with 689 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
internal/api/oidc/auth_request.go
View File

@@ -265,12 +265,12 @@ func (o *OPStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
plainCode, err := o.decryptGrant(refreshToken)
plainToken, err := o.decryptGrant(refreshToken)
if err != nil {
return nil, err
}
if strings.HasPrefix(plainCode, command.IDPrefixV2) {
oidcSession, err := o.command.OIDCSessionByRefreshToken(ctx, plainCode)
if strings.HasPrefix(plainToken, command.IDPrefixV2) {
oidcSession, err := o.command.OIDCSessionByRefreshToken(ctx, plainToken)
if err != nil {
return nil, err
}
@@ -308,7 +308,25 @@ func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID strin
return err
}
func (o *OPStorage) RevokeToken(ctx context.Context, token, userID, clientID string) *oidc.Error {
func (o *OPStorage) RevokeToken(ctx context.Context, token, userID, clientID string) (err *oidc.Error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
if strings.HasPrefix(token, command.IDPrefixV2) {
err := o.command.RevokeOIDCSessionToken(ctx, token, clientID)
if err == nil {
return nil
}
if errors.IsPreconditionFailed(err) {
return oidc.ErrInvalidClient().WithDescription("token was not issued for this client")
}
return oidc.ErrServerError().WithParent(err)
}
return o.revokeTokenV1(ctx, token, userID, clientID)
}
func (o *OPStorage) revokeTokenV1(ctx context.Context, token, userID, clientID string) *oidc.Error {
refreshToken, err := o.repo.RefreshTokenByID(ctx, token, userID)
if err == nil {
if refreshToken.ClientID != clientID {
@@ -338,6 +356,17 @@ func (o *OPStorage) RevokeToken(ctx context.Context, token, userID, clientID str
}
func (o *OPStorage) GetRefreshTokenInfo(ctx context.Context, clientID string, token string) (userID string, tokenID string, err error) {
plainToken, err := o.decryptGrant(token)
if err != nil {
return "", "", op.ErrInvalidRefreshToken
}
if strings.HasPrefix(plainToken, command.IDPrefixV2) {
oidcSession, err := o.command.OIDCSessionByRefreshToken(ctx, plainToken)
if err != nil {
return "", "", op.ErrInvalidRefreshToken
}
return oidcSession.UserID, oidcSession.OIDCRefreshTokenID(oidcSession.RefreshTokenID), nil
}
refreshToken, err := o.repo.RefreshTokenByToken(ctx, token)
if err != nil {
return "", "", op.ErrInvalidRefreshToken