Revoke Token : UserAuthorizer revokeAuthorization error #782
Comments
I'm not an expert in auth, but if I were to guess, I would suspect that the scope you are using isn't enough.
That said, when I look at the example for raw html revocation it doesn't seem to need any kind of auth token, other than the one you wish to stop. Which would suggest your addition of authorizer might not be required.
Hello,
According to the documentation, a token must be transmitted.
https://developers.google.cn/identity/protocols/oauth2/web-server?hl=en#tokenrevoke
But that's not the problem. Contrary to what is described in the documentation, the method UserAuthorizer.revokeAuthorization(String userId) present in the lib is called as GET instead of POST:

```java
String revokeToken = (refreshToken != null) ? refreshToken : accessTokenValue;
// The token is sent as a query parameter on a GET request.
GenericUrl revokeUrl = new GenericUrl(OAuth2Utils.TOKEN_REVOKE_URI);
revokeUrl.put("token", revokeToken);
HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
HttpRequest tokenRequest = requestFactory.buildGetRequest(revokeUrl);
tokenRequest.execute();
```

It seems better with something like this:

```java
String revokeToken = (refreshToken != null) ? refreshToken : accessTokenValue;
// Send the token as a form-encoded POST body instead of a query parameter.
GenericData genericData = new GenericData();
genericData.put("token", revokeToken);
UrlEncodedContent content = new UrlEncodedContent(genericData);
HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
HttpRequest tokenRequest =
    requestFactory.buildPostRequest(new GenericUrl(OAuth2Utils.TOKEN_REVOKE_URI), content);
tokenRequest.execute();
```
Regards.
On Wed, Nov 3, 2021 at 02:37, Les Vogel ***@***.***> wrote:
> I'm not an expert in auth, but if I were to guess, I would suspect that the scope you are using isn't enough.
> - OpenID's discovery doc <https://developers.google.com/identity/protocols/oauth2/openid-connect> supports 3 scopes.
> - OAuth2's says it also supports 3 scopes <https://developers.google.com/identity/protocols/oauth2/scopes#oauth2>
>
> That said, when I look at the example for raw html revocation <https://developers.google.com/identity/protocols/oauth2/web-server#httprest_8> it doesn't seem to need any kind of auth token, other than the one you wish to stop. Which would suggest your addition of authorizer might not be required.
--
Bruno Lachot
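An added example, not part of the thread or the library's code: the revocation call as a form-encoded POST (the request shape RFC 7009 describes) next to the GET variant quoted in the issue, run against a constructed local stub. Sending the token in the body also keeps it out of request URLs, which are commonly written to access and proxy logs. The stub endpoint, its 404 answer for GET (mirroring the status reported in the issue), the class name `RevokeDemo` and the sample token are assumptions, and the JDK's `java.net.http` client is used in place of google-http-client.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class RevokeDemo {
  // Revocation request: POST, form-encoded body, token kept out of the URL.
  static HttpRequest revokeRequest(URI endpoint, String token) {
    String form = "token=" + URLEncoder.encode(token, StandardCharsets.UTF_8);
    return HttpRequest.newBuilder(endpoint)
        .header("Content-Type", "application/x-www-form-urlencoded")
        .POST(HttpRequest.BodyPublishers.ofString(form))
        .build();
  }

  public static void main(String[] args) throws Exception {
    // Constructed local stand-in for a revocation endpoint (assumption):
    // 200 for a POST carrying a form-encoded token, 404 for anything else.
    HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
    stub.createContext("/revoke", ex -> {
      String body = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
      boolean ok = "POST".equals(ex.getRequestMethod()) && body.startsWith("token=");
      ex.sendResponseHeaders(ok ? 200 : 404, -1); // -1: no response body
      ex.close();
    });
    stub.start();
    URI endpoint = URI.create("http://127.0.0.1:" + stub.getAddress().getPort() + "/revoke");
    String token = "constructed-token/with+chars"; // constructed sample, not a real credential

    HttpClient client = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
    // GET with the token in the query string, as in the code quoted in the issue.
    HttpRequest get = HttpRequest.newBuilder(
            URI.create(endpoint + "?token=" + URLEncoder.encode(token, StandardCharsets.UTF_8)))
        .GET()
        .build();
    int getStatus = client.send(get, HttpResponse.BodyHandlers.discarding()).statusCode();
    int postStatus = client.send(revokeRequest(endpoint, token),
        HttpResponse.BodyHandlers.discarding()).statusCode();
    System.out.println("GET  /revoke?token=... -> " + getStatus);
    System.out.println("POST /revoke (form body) -> " + postStatus);
    stub.stop(0);
  }
}
```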
Will try to reproduce and update the status

ETA Jun 27

dropping priority until repro confirmed

Fixed in #979
Hello,
The UserAuthorizer.revokeAuthorization(String userId) method seems to contain an error.
The URL to revoke the token is called with the GET method instead of POST:

```java
HttpRequest tokenRequest = requestFactory.buildGetRequest(revokeUrl);
```

The service returns a 404 error.
Environment details
Code example
Stack trace