feat: token revocation and OP certification (#2594)

* fix: try using only user session if no user is set (id_token_hint) on prompt none * fix caos errors As implementation * implement request mode * return explicit error on invalid refresh token use * begin token revocation * token revocation * tests * tests * cleanup * set op config * add revocation endpoint to config * add revocation endpoint to config * migration version * error handling in token revocation * migration version * update oidc lib to 1.0.0
2025-08-11 19:07:30 +00:00 · 2021-11-03 08:35:24 +01:00
parent 8df5614e4d
commit fc6154cffc
25 changed files with 638 additions and 236 deletions
--- a/internal/command/user_test.go
+++ b/internal/command/user_test.go
@@ -1335,6 +1335,136 @@ func TestCommandSide_AddUserToken(t *testing.T) {
 	}
 }

+func TestCommands_RevokeAccessToken(t *testing.T) {
+	type fields struct {
+		eventstore *eventstore.Eventstore
+	}
+	type args struct {
+		ctx     context.Context
+		userID  string
+		orgID   string
+		tokenID string
+	}
+	type res struct {
+		want *domain.ObjectDetails
+		err  func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"id missing error",
+			fields{
+				eventstoreExpect(t),
+			},
+			args{
+				context.Background(),
+				"userID",
+				"orgID",
+				"",
+			},
+			res{
+				nil,
+				caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			"not active error",
+			fields{
+				eventstoreExpect(t,
+					expectFilter(
+						eventFromEventPusher(
+							user.NewUserTokenAddedEvent(context.Background(),
+								&user.NewAggregate("userID", "orgID").Aggregate,
+								"tokenID",
+								"clientID",
+								"agentID",
+								"de",
+								"refreshTokenID",
+								[]string{"clientID"},
+								[]string{"openid"},
+								time.Now(),
+							),
+						),
+					),
+				),
+			},
+			args{
+				context.Background(),
+				"userID",
+				"orgID",
+				"tokenID",
+			},
+			res{
+				nil,
+				caos_errs.IsNotFound,
+			},
+		},
+		{
+			"active ok",
+			fields{
+				eventstoreExpect(t,
+					expectFilter(
+						eventFromEventPusher(
+							user.NewUserTokenAddedEvent(context.Background(),
+								&user.NewAggregate("userID", "orgID").Aggregate,
+								"tokenID",
+								"clientID",
+								"agentID",
+								"de",
+								"refreshTokenID",
+								[]string{"clientID"},
+								[]string{"openid"},
+								time.Now().Add(5*time.Hour),
+							),
+						),
+					),
+					expectPush(
+						eventPusherToEvents(
+							user.NewUserTokenRemovedEvent(context.Background(),
+								&user.NewAggregate("userID", "orgID").Aggregate,
+								"tokenID",
+							),
+						),
+					),
+				),
+			},
+			args{
+				context.Background(),
+				"userID",
+				"orgID",
+				"tokenID",
+			},
+			res{
+				&domain.ObjectDetails{
+					ResourceOwner: "orgID",
+				},
+				nil,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore: tt.fields.eventstore,
+			}
+			got, err := c.RevokeAccessToken(tt.args.ctx, tt.args.userID, tt.args.orgID, tt.args.tokenID)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assert.Equal(t, tt.res.want, got)
+			}
+		})
+	}
+}
+
 func TestCommandSide_UserDomainClaimedSent(t *testing.T) {
 	type fields struct {
 		eventstore *eventstore.Eventstore