Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Token revocation #45

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Conversation

ShawnCZek
Copy link
Contributor

@ShawnCZek ShawnCZek commented Dec 29, 2022

This is an implementation of the token revocation based on RFC7009.

Introduction

Revoking a token using the OAuth 2.0 Client is a bit more complex. This action is not a part of the traditional RFC6749 standard, and therefore, contributors of The League of Extraordinary Packages refused to provide any interface for it.
See thephpleague/oauth2-client#479 for more information.

As a result, we are left to implement the token revocation fully. This is, however, a considerable problem in many cases. We obviously cannot break the public API and cannot extend existing interfaces or abstractions. Moreover, the implementation of the base provider does not allow any reasonable abstraction for the token revocation due to everything being based on access tokens only.

This also raises the question of how to properly open the token revocation for an extension.

Implementation

Considering everything mentioned above, I have kept everything as simple as possible. When you compare my implementation to the access token methods, you will find the connection between them:

  • AbstractProvider::getBaseAccessTokenUrl() => Discord::getBaseRevokeTokenUrl()
  • AbstractProvider::getAccessTokenMethod() => Discord::getRevokeTokenMethod()
  • AbstractProvider::getAccessTokenRequest() => Discord::getRevokeTokenRequest()
  • AbstractProvider::getAccessToken() => Discord::revokeToken()

The method that the user is interested in, revokeToken(), has the same interface as getAccessToken(). This allows the user to specify any other parameter or override existing options.

I had the idea of creating methods such as revokeAccessToken() or revokeRefreshToken(). This would, however, not be correct according to RFC7009. This standard allows the developer to send any token, and the authorization server is supposed to deal with that in the best possible manner.

Undefined Behavior

Another concern of this whole pull request is the lack of documentation. Except for specifying the URL, the official documentation does not describe the token revocation in any way. This raises many questions as the standard has a few recommendations and is sometimes open for interpretation.

Revocation Request

Let's take a look at section 2.1. of RFC7009:

Depending on the authorization server's revocation policy, the
revocation of a particular token may cause the revocation of related
tokens and the underlying authorization grant. If the particular
token is a refresh token and the authorization server supports the
revocation of access tokens, then the authorization server SHOULD
also invalidate all access tokens based on the same authorization
grant (see Implementation Note). If the token passed to the request
is an access token, the server MAY revoke the respective refresh
token as well.

Refer to RFC2119 for the explanation of SHOULD and MAY keywords.

As of right now, sending either a refresh token or an access token invalidates the full authorization grant. This is now also documented in the official Discord documentation (see discord/discord-api-docs#6356 for more details).

Error Response

Error responses are unclear. Let me quote section 2.2.1. of RFC7009:

If the server responds with HTTP status code 503, the client must
assume the token still exists and may retry after a reasonable delay.
The server may include a "Retry-After" header in the response to
indicate how long the service is expected to be unavailable to the
requesting client.

This status code, however, is not discussed anywhere in the Discord documentation. As this rather seems to be a rare error and may occur in the OAuth2 authorization flow, too, I have left it unhandled. Or, well, it is currently handled by checkResponse().

Sources

When I was implementing this, I went through external sources (other libraries, guides, ...). These are my observations:

Consideration

I mentioned these sources for a reason. Token revocation seems to be an ignored topic in general. Therefore, this implementation is only based on information from the standard and my observations.

This can obviously become a problem. Things might change between versions without notice and cause issues for the users of this library. On the other hand, this must not be a reason why we should ignore this topic. Token revocation is extremely useful as it fully logs out the Discord user and deletes all data connected to the respective authorization grant (e.g., application metadata).


All in all, this pull request follows the contributing guidelines of this repository:

  • All linters have successfully validated my code
  • I have added tests covering all new code
  • I have documented this feature in README

This resolves #34.

@wohali
Copy link
Owner

wohali commented Jan 26, 2023

Hey @ShawnCZek , thanks for this and your extensive writeup.

Do you feel like taking a crack at a separate PR to replace Travis with GHA? I don't have the time right now and that'd be convenient. It'd make checking the functionality in this PR a bit easier, too.

I can then do a bit more detailed of a review other than my skimming of the code.

@ShawnCZek
Copy link
Contributor Author

I have noticed that the Travis integration is a bit iffy but did not pay too much attention to it 😅

Sure, I can take a look at migrating from Travis to GitHub Actions and will draw a new pull request for it by the end of this week.

This is based on the recent Discord documentation changes.
See discord/discord-api-docs#6356 for more details.
Using access token options from the option provider for revoke token options is
not reliable; there might be changes at any point, which would go unnoticed.

This also fixes errors when using the lowest supported version of the OAuth2
Client library.
@ShawnCZek
Copy link
Contributor Author

I have made a few changes to the documentation based on the recent development of the Discord documentation.

Moreover, I removed the dependency on the option provider, which was an incorrect assumption on my part. Please take a look at the commit message (c20fe19) for more details on why I did this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Revoke Token
2 participants