Revoke Token : UserAuthorizer revokeAuthorization error #782
Assignees
Labels
priority: p3
Desirable enhancement or fix. May not be included in next release.
type: bug
Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Comments
lesv
added
priority: p2
|
I'm not an expert in auth, but if I were to guess, I would suspect that the scope you are using isn't enough.
That said, when I look at the example for raw html revocation it doesn't seem to need any kind of auth token, other than the one you wish to stop. Which would suggest your addition of authorizer might not be required. |
|
Hello,
According to the documentation, a token must be transmitted.
https://developers.google.cn/identity/protocols/oauth2/web-server?hl=en#tokenrevoke
But that's not the problem. Contrary to what is described in the
documentation, the method UserAuthorizer.revokeAuthorization(String userId)
present in the lib is called as GET instead of POST
String revokeToken = (refreshToken != null) ? refreshToken : accessTokenValue;
GenericUrl revokeUrl = new GenericUrl(OAuth2Utils.TOKEN_REVOKE_URI);
revokeUrl.put("token", revokeToken);
HttpRequestFactory requestFactory =
transportFactory.create().createRequestFactory();
HttpRequest tokenRequest = requestFactory.*buildGetRequest*(revokeUrl);
tokenRequest.execute();
It's seems better with something like this:
String revokeToken = (refreshToken != null) ? refreshToken : accessTokenValue;
GenericData genericData = new GenericData();
genericData.put("token", revokeToken);
UrlEncodedContent content = new UrlEncodedContent(tokenRequest);
HttpRequestFactory requestFactory =
transportFactory.create().createRequestFactory();
HttpRequest tokenRequest =
requestFactory.buildPostRequest(GenericUrl(OAuth2Utils.TOKEN_REVOKE_URI),
content);
tokenRequest.execute();
Regards.
Le mer. 3 nov. 2021 à 02:37, Les Vogel ***@***.***> a écrit :
… I'm not an expert in auth, but if I were to guess, I would suspect that
the scope you are using isn't enough.
- OpenID's discovery doc
<https://developers.google.com/identity/protocols/oauth2/openid-connect>
supports 3 scopes.
- Oauth2's says it also supports 3 scopes
<https://developers.google.com/identity/protocols/oauth2/scopes#oauth2>
That said, when I look at the example for raw html revocation
<https://developers.google.com/identity/protocols/oauth2/web-server#httprest_8>
it doesn't seem to need any kind of auth token, other than the one you wish
to stop. Which would suggest your addition of authorizer might not be
required.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#782 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AOABMMABYEGH2OLV4XYWELTUKCG4JANCNFSM5HGG35JA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
--
Bruno Lachot
|
yoshi-automation
added
🚨
|
Will try to reproduce and update the status |
|
ETA Jun 27 |
TimurSadykov
added
priority: p3
|
dropping priority until repro confirmed |
|
Fixed in #979 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
UserAuthorizer.revokeAuthorization(String userId) method seems to contain an error
URL to revoke token is call with GET method instead POST :
HttpRequest tokenRequest = requestFactory.buildGetRequest(revokeUrl);
The service return an 404 error
Environment details
Code example
Stack trace
The text was updated successfully, but these errors were encountered: