
feat: revoke token chain by consent challenge ID #3932

Open
wants to merge 10 commits into base: master

Conversation

alnr (Contributor) commented Jan 30, 2025

This change adds the ability to revoke token chains by "consent challenge ID".

"Consent sessions"

Each time the user goes through a GET /oauth2/auth?response_type=code&... auth code flow, we persist a new "consent session" to the database.

This is independent of whether the user has previously logged in and/or granted consent, or whether the user was actively asked to grant consent by the consent app. A successful journey through the auth code flow results in a new "consent session".

This consent session is uniquely identified by its "consent challenge ID". This ID is obtained from the GET /admin/oauth2/auth/requests/consent?consent_challenge=... API. Note that it is not the same as the consent_challenge=... query parameter!

Any access and refresh tokens obtained from a token exchange following that particular user journey are bound to that consent session.

We call the totality of all refresh+access tokens derived from a particular consent session a "token chain".

Token revocation

Revoking an access token (AT) is simple: send the AT to /oauth2/revoke and it is revoked. If this AT was birthed from a refresh token (RT), the RT that birthed it is not revoked.

Revoking a refresh token (RT) also revokes associated access tokens.

What if I want to revoke a complete token chain given only an access token?

Revocation by consent challenge ID

During an authorization code flow, save the consent challenge ID into the access token session data:

GET /admin/oauth2/auth/requests/consent?consent_challenge=abcdef

Response:

{
  "acr": ...,
  "challenge": "G_TIM3XABG14UwIgDoT1DRfipjhC1uix" # <- this is the ID we need
  ...
}

Accept the consent request:

PUT /admin/oauth2/auth/requests/consent/accept?consent_challenge=abcdef
{
  "remember": true,
  "remember_for": 3600,
  "session": {
    "access_token": {
      "ccid": "G_TIM3XABG14UwIgDoT1DRfipjhC1uix"
    }
  },
  ...
}

To revoke the token chain associated with this consent challenge ID, use

POST admin/oauth2/auth/sessions/consent?consent_challenge_id=G_TIM3XABG14UwIgDoT1DRfipjhC1uix
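The consent-app side of the flow above, as an added example (not code from this PR or from Hydra): it fetches the consent request, stores its `challenge` value as `ccid` in the access token session when accepting, and later revokes the whole chain by that ID. The admin base URL and the leading slash on the revoke path are assumptions; `call` is injectable so the request logic can be exercised without a running Hydra.

```python
"""Consent-app helpers for binding a token chain to its consent session (added example)."""
import json
import urllib.request
from urllib.parse import quote

ADMIN_URL = "http://127.0.0.1:4445"  # assumed Hydra admin API base URL


def admin_call(method, path, body=None, admin_url=ADMIN_URL):
    """Send one JSON request to the admin API; return the decoded reply or None if empty.
    urlopen raises HTTPError for any non-2xx status, so failures never pass silently."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(admin_url + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def accept_consent_with_ccid(consent_challenge, call=admin_call):
    """Accept the consent request and bind the resulting token chain to its session.

    The "challenge" field of the consent request is the consent session ID; it is NOT
    the consent_challenge query value we were redirected with. That ID is written as
    "ccid" into the access token session and returned so the consent app can record
    which chain belongs to which session. An empty or missing ID is an error rather
    than a silent bind to "" (which could later revoke nothing, or everything)."""
    q = "?consent_challenge=" + quote(consent_challenge, safe="")
    res = call("GET", "/admin/oauth2/auth/requests/consent" + q) or {}
    ccid = res.get("challenge")
    if not ccid:
        raise ValueError(f"consent request {consent_challenge!r} has no challenge ID")
    call("PUT", "/admin/oauth2/auth/requests/consent/accept" + q, {
        "remember": True,
        "remember_for": 3600,
        "session": {"access_token": {"ccid": ccid}},
    })
    return ccid


def revoke_token_chain(ccid, call=admin_call):
    """Revoke every access and refresh token derived from that consent session
    (method and path as described in the PR; leading slash assumed)."""
    call("POST", "/admin/oauth2/auth/sessions/consent?consent_challenge_id=" + quote(ccid, safe=""))
```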

PR notes

The persistence code and much of the test code are pretty bad. We test implementation, not behavior. There are wrong abstractions.

I have deleted sdk_test.go because honestly I can't see the point of that whole file.

@alnr alnr self-assigned this Jan 30, 2025
@alnr alnr requested review from aeneasr and a team as code owners January 30, 2025 16:41
@alnr alnr force-pushed the alnr/revoke-consent-by-id branch from af20e3f to fa2728b January 30, 2025 17:52