Token Revocation Endpoint is not getting called in case of Public Client #999


Closed · tapasbose opened this issue Dec 5, 2022 · 4 comments
Labels: status: invalid (An issue that we don't feel is valid)

Comments

@tapasbose

Hello,
In my configuration, I have set clientAuthenticationMethod(ClientAuthenticationMethod.NONE), also I have

.tokenRevocationEndpoint(
    (OAuth2TokenRevocationEndpointConfigurer tokenRevocationEndpoint) -> tokenRevocationEndpoint
        .revocationResponseHandler((HttpServletRequest request, HttpServletResponse response, Authentication authentication) -> {
            // my logic

            response.setStatus(HttpStatus.OK.value());
        })
)

It seems that neither revocationResponseHandler nor OAuth2TokenRevocationEndpointFilter.doFilterInternal is called.

They are called if I use clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST).

I was wondering whether this is a bug, or whether token revocation cannot be done when the client is public.

Regards

@tapasbose tapasbose added the type: bug A general bug label Dec 5, 2022
@jgrandja (Collaborator)

As per Section 2.1 Revocation Request:

> The client also includes its authentication credentials as described
> in Section 2.3. of [RFC6749].

The (confidential) client MUST authenticate at the Token Revocation Endpoint. Public clients are not allowed.

@jgrandja jgrandja self-assigned this Dec 13, 2022
@jgrandja jgrandja added status: invalid An issue that we don't feel is valid and removed type: bug A general bug labels Dec 13, 2022
@stefanocke

stefanocke commented Dec 6, 2023

@jgrandja

https://datatracker.ietf.org/doc/html/rfc7009#section-5 ("security considerations") says:

> According to this specification, a client's request must contain a
> valid client_id, in the case of a public client, or valid client
> credentials, in the case of a confidential client.

So, token revocation is allowed for public clients.

@jgrandja (Collaborator)

jgrandja commented Dec 6, 2023

@stefanocke I don't agree. It does not explicitly state that public clients are allowed.

Regardless, allowing public clients on the token revocation endpoint goes against the "secure by default" principle, which is not what this project wants to adhere to.

If you require unauthenticated access for clients to any of the endpoints, it's the application's responsibility to configure.

@stefanocke

stefanocke commented Dec 7, 2023

@jgrandja

> Regardless, allowing public clients on the token revocation endpoint goes against the "secure by default" principle, which is not what this project wants to adhere to.
> If you require unauthenticated access for clients to any of the endpoints, it's the application's responsibility to configure.

Okay, that's only fair and consistent with the approach in #1430

> I don't agree. It does not explicitly state that public clients are allowed.

Please let me try to rephrase my somewhat shortened statement.
I would say, the authorization server MAY support token revocation for public clients, but it does not have to.
Can you agree on this or would you even say the specification forbids it?

Since in this case, my intent to do so by a custom configuration would just be wrong...
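The thread turns on one protocol detail: RFC 7009 §2.1 has the client send its RFC 6749 §2.3 credentials with the revocation request, and a public client (ClientAuthenticationMethod.NONE in the opening post) has no credentials to send, only a client_id. The following added example, written for this page and not code from Spring Authorization Server, models a revocation endpoint that enforces client authentication by default (the "secure by default" behaviour the maintainer describes) and shows what an application would have to opt into to accept public clients. The client registry, token store, client ids, secrets and token values are all constructed for the example; the status codes and error names follow RFC 7009 §2.2 and RFC 6749 §5.2.

```python
"""Model of an RFC 7009 token revocation endpoint with client authentication.

Constructed example for illustration; not Spring Authorization Server code.
"""
import base64
import hmac
from urllib.parse import parse_qs

# Constructed client registry: one confidential client, one public client.
CLIENTS = {
    "web-app": {"secret": "s3cr3t", "confidential": True},
    "spa-client": {"secret": None, "confidential": False},
}

# Constructed token store: token value -> client_id the token was issued to.
TOKENS = {"at-111": "web-app", "rt-222": "spa-client"}


def basic_auth_header(client_id, secret):
    """Build the Authorization header a confidential client sends (RFC 6749 §2.3.1)."""
    raw = f"{client_id}:{secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def authenticate_client(headers, form):
    """Return (client_id, authenticated).

    A confidential client authenticates with HTTP Basic (client_secret_basic)
    or with client_id/client_secret in the form body (client_secret_post).
    A public client can only identify itself with client_id, so it is
    returned as identified but never as authenticated.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except Exception:
            return None, False
    else:
        client_id = form.get("client_id", [None])[0]
        secret = form.get("client_secret", [None])[0]
    client = CLIENTS.get(client_id)
    if client is None:
        return None, False
    if not client["confidential"]:
        return client_id, False  # public client: identified, not authenticated
    if secret is None or not hmac.compare_digest(secret, client["secret"]):
        return None, False  # missing or wrong secret
    return client_id, True


def revoke(headers, body, allow_public_clients=False):
    """Handle POST /revoke. Returns (http_status, json_body).

    allow_public_clients=False is the secure default: a request that does not
    carry valid client credentials is rejected before any revocation logic runs.
    """
    form = parse_qs(body)
    client_id, authenticated = authenticate_client(headers, form)
    if client_id is None or (not authenticated and not allow_public_clients):
        # RFC 6749 §5.2: invalid_client with HTTP 401
        return 401, {"error": "invalid_client"}
    token = form.get("token", [None])[0]
    if token is None:
        return 400, {"error": "invalid_request"}
    # RFC 7009 §2.1: only revoke a token that was issued to the requesting client.
    if TOKENS.get(token) == client_id:
        del TOKENS[token]
    # RFC 7009 §2.2: 200 both on success and for invalid/unknown tokens, so the
    # response does not reveal whether the token existed or who owns it.
    return 200, {}
```

With the default policy the public client's request in the opening post is answered with 401 invalid_client and the revocation logic never runs; only after the application sets allow_public_clients=True (the explicit opt-in the maintainer says is the application's responsibility) is the public client's own token revoked, while a confidential client with the wrong secret is still rejected.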
