From: Sander A. <sa....@fz...> - 2018-11-26 09:02:40

Hi Krzysztof,

thanks a lot. Removing the logout:true has solved the issue.

Best regards,
Sander

On Sat, 2018-11-24 at 10:57 +0100, Krzysztof Benedyczak wrote:
> Hi,
>
> On 23.11.2018 at 14:04, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > We try to use the token revocation mechanism. If we use user_id, we
> > get an error about missing client_id. "Invalid request; To access the
> > token revocation endpoint a client_id must be provided". It seems that
> > there is a mistake in the example from the manual.
> >
> > If we provide client_id, we get an error about missing token type:
> > "Invalid request; To access the token revocation endpoint a token type
> > must be provided". Can you please add this necessary parameter in the
> > manual?
>
> Sure, thanks for the info. This chapter was not updated after revocation of
> refresh tokens was implemented. An updated version will be published soon
> with 2.7.3, including the fix of the user_id mistake in the example.
>
> > If we provide the token type, we end up in an invalid scope
> > error: "Retuning OAuth error response: invalid_scope: Invalid, unknown or
> > malformed scope; Insufficent scope to perform full logout." Do we need
> > to enable the token revocation scope in unity explicitly? What does the
> > valid request look like?
> >
> > We request the scopes profile, email and single-logout.
> > The parameters we send in the revocation request:
> >
> > r = requests.post(auth_server + "/oauth2/revoke",
> >                   headers={'Content-Type': 'application/x-www-form-urlencoded'},
> >                   data={'token': auth_state['access_token'],
> >                         'client_id': CLIENT_ID,
> >                         'token_type_hint': 'access_token',
> >                         'token_type': 'Bearer',
> >                         'logout': 'true', }
> >                   )
> >
> > auth_state['access_token'] contains the bearer token and CLIENT_ID the
> > client id.
>
> Actually this part is covered in the manual correctly - but I understand
> that you gave up after coming over two mistakes :-)
>
> Besides the standard token revocation, it is also possible to request
> token's owner logout (disposal of the SSO session) together with token
> revocation. To be able to perform this operation, the client must
> request and obtain a special OAuth scope: +single-logout+. Having this
> scope, token revocation can be used to logout the token owner
> by adding the following form parameter to the request: +logout=true+.
>
> So either remove logout: true from your request or define and request
> the single-logout OAuth scope - i.e. scope with exactly this name must
> be bound to the access token.
>
> Cheers,
> KB

-- 
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
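The thread above pins down three server-side checks on Unity's /oauth2/revoke endpoint: client_id is required, token_type is required, and logout=true is only accepted when the single-logout scope is bound to the access token. The following is an added example, not code from the thread or from the Unity project: a small client helper that assembles the revocation form from those rules and refuses to set logout=true unless the token was issued with the single-logout scope, plus a constructed stand-in for the endpoint (not Unity's code) that replays the three error messages quoted in the thread so the example runs offline. The issuer URL, client id and token values are hypothetical, and the JSON shape of the error body (error / error_description, as in RFC 6749) is an assumption.

```python
"""Client helper for Unity's OAuth2 token revocation endpoint (added example)."""
import io
import json
import urllib.error
import urllib.parse
import urllib.request

SINGLE_LOGOUT_SCOPE = "single-logout"  # scope name quoted in the thread


def build_revocation_form(token, client_id, granted_scopes=(), logout=False,
                          token_type="Bearer", token_type_hint="access_token"):
    """Return the x-www-form-urlencoded fields for /oauth2/revoke.

    Mirrors the endpoint's rules client-side so a bad request is caught before
    it leaves the process: client_id and token_type are mandatory, and
    logout=true requires the single-logout scope on the token.
    """
    if not client_id:
        raise ValueError("client_id is required by the revocation endpoint")
    if not token_type:
        raise ValueError("token_type is required by the revocation endpoint")
    form = {
        "token": token,
        "client_id": client_id,
        "token_type_hint": token_type_hint,
        "token_type": token_type,
    }
    if logout:
        if SINGLE_LOGOUT_SCOPE not in set(granted_scopes):
            raise PermissionError(
                "logout=true needs the single-logout scope bound to the token; "
                "revoke without logout or request that scope")
        form["logout"] = "true"
    return form


def revoke(auth_server, form, opener=urllib.request.urlopen):
    """POST the form to <auth_server>/oauth2/revoke.

    Returns (http_status, error_dict_or_None). `opener` is urlopen by default;
    it is a parameter so the call can be exercised against a stand-in.
    """
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        auth_server.rstrip("/") + "/oauth2/revoke", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with opener(req) as resp:
            return resp.status, None
    except urllib.error.HTTPError as exc:
        # Assumption: OAuth-style JSON error body; fall back to an empty dict.
        try:
            err = json.loads(exc.read().decode() or "{}")
        except ValueError:
            err = {}
        return exc.code, err


class _OkResponse:
    """Minimal context-manager response used by the stand-in below."""
    status = 200

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_unity_opener(granted_scopes):
    """Constructed stand-in for the endpoint (not Unity's code).

    Applies the three checks quoted in the thread to the posted form and raises
    an HTTPError carrying the corresponding error, so the example runs offline.
    """
    def opener(req):
        form = dict(urllib.parse.parse_qsl(req.data.decode()))

        def reject(error, description):
            payload = json.dumps({"error": error, "error_description": description})
            raise urllib.error.HTTPError(req.full_url, 400, "Bad Request", {},
                                         io.BytesIO(payload.encode()))

        if "client_id" not in form:
            reject("invalid_request", "To access the token revocation endpoint "
                                      "a client_id must be provided")
        if "token_type" not in form:
            reject("invalid_request", "To access the token revocation endpoint "
                                      "a token type must be provided")
        if form.get("logout") == "true" and SINGLE_LOGOUT_SCOPE not in granted_scopes:
            reject("invalid_scope", "Insufficent scope to perform full logout")
        return _OkResponse()
    return opener


if __name__ == "__main__":
    # Hypothetical values; the token was issued with profile and email only.
    scopes = {"profile", "email"}
    form = build_revocation_form("tok-abc123", "my-client", granted_scopes=scopes)
    print(revoke("https://idp.example.org", form, opener=fake_unity_opener(scopes)))
```

Against a real deployment, drop the `opener` argument so `revoke` uses `urllib.request.urlopen`; the scope check in `build_revocation_form` should be fed the scopes actually granted in the token response, not the scopes that were requested, since only a scope bound to the access token satisfies the server.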