From: Krzysztof B. <kb...@un...> - 2018-11-24 09:56:51
Hi,

On 23.11.2018 at 14:04, Sander Apweiler wrote:
> Hi Krzysztof,
>
> We try to use the token revocation mechanism. If we use user_id, we
> get an error about missing client_id: "Invalid request; To access the
> token revocation endpoint a client_id must be provided". It seems that
> there is a mistake in the example from the manual.
>
> If we provide client_id, we get an error about missing token type:
> "Invalid request; To access the token revocation endpoint a token type
> must be provided". Can you please add this necessary parameter in the
> manual?

Sure, thanks for the info. This chapter was not updated after revocation of refresh tokens was implemented. An updated version will be published soon with 2.7.3, including the fix of the user_id mistake in the example.

> If we provide the token type, we end up in an invalid scope
> error: "Retuning OAuth error response: invalid_scope: Invalid, unknown
> or malformed scope; Insufficent scope to perform full logout." Do we need
> to enable the token revocation scope in Unity explicitly? What does a
> valid request look like?
>
> We request the scopes profile, email and single-logout.
> The parameters we send in the revocation request:
>
> import requests
>
> r = requests.post(auth_server + "/oauth2/revoke",
>                   headers={'Content-Type': 'application/x-www-form-urlencoded'},
>                   data={'token': auth_state['access_token'],
>                         'client_id': CLIENT_ID,
>                         'token_type_hint': 'access_token',
>                         'token_type': 'Bearer',
>                         'logout': 'true'})
>
> auth_state['access_token'] contains the bearer token and CLIENT_ID the
> client id.

Actually this part is covered in the manual correctly - but I understand that you gave up after coming across two mistakes :-)

Besides the standard token revocation, it is also possible to request the token owner's logout (disposal of the SSO session) together with token revocation. To be able to perform this operation, the client must request and obtain a special OAuth scope: +single-logout+.
Having this scope, token revocation can be used to log out the token owner by adding the following form parameter to the request: +logout=true+.

So either remove logout: true from your request or define and request the single-logout OAuth scope - i.e. a scope with exactly this name must be bound to the access token.

Cheers,
KB
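The three failures hit in this thread follow a fixed order at Unity's /oauth2/revoke endpoint: no client_id, then no token type, then logout=true on a token that does not carry the single-logout scope. The block below is an added example, not Unity's code and not from either poster: it models those checks server-side against a small token store and pairs them with a client helper that builds a form which passes them. The parameter names (token, client_id, token_type_hint, token_type, logout) and the error texts are the ones quoted in the thread; TokenRecord, the store layout, the sample token values and the unauthorized_client check for a client that did not receive the token (RFC 7009 §2.1 behaviour, not something the thread states about Unity) are assumptions made for the example.

```python
# Added example, not Unity's own code: a model of the checks this thread hits
# on /oauth2/revoke (client_id required, token type required, logout=true only
# when the single-logout scope is bound to the token) plus a client helper
# that builds a form which passes them. TokenRecord, the store layout and the
# unauthorized_client check are assumptions; parameter names and error texts
# are taken from the thread.
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    """What the server knows about an issued access token (assumed layout)."""
    client_id: str
    scopes: frozenset


class RevocationError(Exception):
    """OAuth error response: error code plus human-readable description."""
    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def build_revocation_form(token: str, client_id: str, *, logout: bool = False,
                          token_type: str = "Bearer") -> dict:
    """Client side: form body for POST /oauth2/revoke as used in the thread."""
    form = {
        "token": token,
        "client_id": client_id,
        "token_type_hint": "access_token",
        "token_type": token_type,
    }
    if logout:
        form["logout"] = "true"  # only valid if single-logout is bound to the token
    return form


def revoke(form: dict, store: dict) -> dict:
    """Server side (modelled): validate the form against the token store.

    Returns {"revoked": bool, "sso_session_closed": bool}. An unknown token is
    not an error (RFC 7009 section 2.2); it simply revokes nothing.
    """
    if not form.get("client_id"):
        raise RevocationError("invalid_request",
            "To access the token revocation endpoint a client_id must be provided")
    if not form.get("token_type"):
        raise RevocationError("invalid_request",
            "To access the token revocation endpoint a token type must be provided")
    rec = store.get(form.get("token", ""))
    if rec is None:
        return {"revoked": False, "sso_session_closed": False}
    # Assumed, per RFC 7009 section 2.1: a client may only revoke its own tokens.
    if rec.client_id != form["client_id"]:
        raise RevocationError("unauthorized_client",
            "Token was not issued to this client")
    want_logout = form.get("logout", "false").lower() == "true"
    if want_logout and "single-logout" not in rec.scopes:
        raise RevocationError("invalid_scope",
            "Invalid, unknown or malformed scope; Insufficient scope to perform full logout")
    del store[form["token"]]
    return {"revoked": True, "sso_session_closed": want_logout}


def sample_store() -> dict:
    """Constructed sample store: the poster's situation (single-logout was
    requested but not defined on the server, so it never got bound to the
    token) next to a token that does carry the scope."""
    return {
        "at-profile-email": TokenRecord("my-client", frozenset({"profile", "email"})),
        "at-with-slo": TokenRecord("my-client",
                                   frozenset({"profile", "email", "single-logout"})),
    }


def classify(form: dict, store: dict) -> str:
    """Run revoke() and report the OAuth error code, or 'ok' on success."""
    try:
        revoke(form, store)
        return "ok"
    except RevocationError as e:
        return e.error


if __name__ == "__main__":
    s = sample_store()
    # The poster's exact request fails on scope ...
    print(classify(build_revocation_form("at-profile-email", "my-client", logout=True), s))
    # ... dropping logout=true, or using a token that carries single-logout, succeeds.
    print(classify(build_revocation_form("at-profile-email", "my-client"), s))
    print(classify(build_revocation_form("at-with-slo", "my-client", logout=True), s))
```

The point the model makes explicit: requesting the scope in the authorization request is not enough; the server must have the scope defined so that it is actually bound to the issued access token, otherwise logout=true is rejected even though plain revocation of the same token succeeds.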