Implement Token Revocation Endpoint

[babuv2]

Fixes gh-83

[pivotal-issuemaster]

@babuv2 Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

[pivotal-issuemaster]

@babuv2 Thank you for signing the Contributor License Agreement!

[jgrandja]

Thanks for the PR @babuv2! Overall, this looks very good.

Please see review comments for requested changes.

[jgrandja]

Change modifier to private for TOKEN_TYPE_HINT and TOKEN

[babuv2]

Fixed

[jgrandja]

Please remove client_id as it's not a valid parameter for a revocation request.

[babuv2]

Fixed

[jgrandja]

Remove this constructor since client_id is not a valid parameter.

[babuv2]

Fixed

[jgrandja]

Add @Nullable for tokenTypeHint arg

[babuv2]

Fixed

[jgrandja]

Rename to clientPrincipal

[jgrandja]

We should assert on OAuth2ClientAuthenticationToken. Take a look at OAuth2AuthorizationCodeAuthenticationProvider and apply the same check for client auth.

[babuv2]

Done

[jgrandja]

It's not clear to me what this check is for?

[babuv2]

This is not needed Joe. I have removed it. As of now we ignore the hint and only look for access token

[jgrandja]

Apologies as I did mention to allow the capability to revoke a refresh token but at the moment we don't have refresh token grant feature. Therefore, please remove all references to refresh token. We will add this in after we have refresh token feature implemented.

For now, we can assume the revocation request is for access tokens only. Any other token type hint should return 400 for now.

[babuv2]

Joe the spec says that hint can be any value. if it is of value access_token or refresh_token the authorization server CAN use it to speed up its lookup. If any other value of token_type_hint is give it should not lead to any error

"An invalid token type hint value is ignored by the authorization
server and does not influence the revocation response."

[jgrandja]

I'm wondering if we need to add this operation? Instead we could consider changing findByTokenAndTokenType to String token, @Nullable TokenType tokenType? I think the name would change to. Thoughts?

[babuv2]

Just looking up for access_token for now

[jgrandja]

I'm not sure we should add this operation here. We will need the ability to revoke access tokens, refresh tokens and possibly authorization codes. This operation doesn't allow us to specify which token to revoke. I wonder if we should have a revoke on OAuth2Authorization instead. Thoughts?

[babuv2]

@jgrandja Joe this is the only place where I have a doubt, you mean to say that have a revoke method on the authorization and then we should do
authorization.revoke() and then authorizationService.save(authorization)? Because in that case with our current inmemory implementation one more record will get inserted with revoked status. Instead I thought we can have an invalidate method on the service and let the implementation decide how to handle the revoke. In this default inmemory implementation

1. we remove the authorization and then
2. add it in revoked status
   Other implementations may remove it from DB and handle other revocations etc.
   We can discuss this further Joe

[babuv2]

@jgrandja Joe, Thanks for all the inputs
I am working on all the changes that is requested. I will try to get them done by tomorrow.

[jgrandja]

@babuv2 Regarding our discussion around renaming OAuth2AuthorizationService to OAuth2AuthorizationRepository, I'll hold off on this for now until we merge this PR. I'd like to see how things look after we merge and then determine if the rename makes sense or not.

[babuv2]

@babuv2 Regarding our discussion around renaming OAuth2AuthorizationService to OAuth2AuthorizationRepository, I'll hold off on this for now until we merge this PR. I'd like to see how things look after we merge and then determine if the rename makes sense or not.

@jgrandja Joe should I make any more changes to this PR?

[jgrandja]

@babuv2 Yes. Do you recall our discussion around OAuth2AuthorizationService.invalidate()? As per comment, this operation does not specify which token to revoke. An authorization code, access token and refresh token may be revoked and the logic will differ depending on which token type it is.

We also agreed that we would extract OAuth2AuthorizationService.invalidate() to a new interface, named OAuth2TokenRevocationService.revoke(...). The OAuth2AuthorizationService will likely be renamed (later) to OAuth2AuthorizationRepository as it will serve mainly for CRUD operations. The OAuth2TokenRevocationService implementation would use the OAuth2AuthorizationService to lookup the token to revoke and then update the "status" of the token before it saves it back.

[babuv2]

@jgrandja Joe, I have added the revocation service implementation

[jgrandja]

Thanks @babuv2. I will try to review today if not first thing tomorrow.

[jgrandja]

Thanks for the updates @babuv2. Please see review comments.

[jgrandja]

OAuth2Authorization.revoked does not indicate which token is revoked so this member will not work.

Let me draw out a scenario:

1. Client receives code in the Authorization Response
2. the code is leaked to a malicious client
3. the malicious client attempts to obtain an access token using the code and the Authorization Server must detect this and revoke the code
4. any further attempts of using the code should be rejected. As well, the "real" client will not be able to obtain the access token since the code was revoked. Instead the client will have to restart the flow.

So we do need some kind of construct in OAuth2Authorization that maps a token (code, access token or refresh token) to some extra metadata. One attribute would be a revoked flag. We'll also likely want to know the time it was revoked. We may store additional attributes related to the token, eg. the code can only be used once.

Give this some further thought and the type of construct we'll need so it can support storing metadata/attributes related to a specific token.

[jgrandja]

@babuv2 I've been giving this some further thought and I'd like to propose the following class as a holder of token metadata. The name maps nicely as referenced in the Token Introspection RFC:

This specification defines a protocol that allows authorized
protected resources to query the authorization server to determine
the set of metadata for a given token that was presented to them by
an OAuth 2.0 client. This metadata includes whether or not the token
is currently active (or if it has expired or otherwise been revoked)...

public class OAuth2TokenMetadata<T extends AbstractOAuth2Token> implements Serializable {
	private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
	private final T token;
	private boolean revoked;
	private Instant revokedAt;

	public OAuth2TokenMetadata(T token) {
	}

	public T getToken() {
	}

	public boolean isExpired() {
	}

	public boolean isRevoked() {
	}

	public Instant getRevokedAt() {
	}

	public boolean isActive() {
	}
}

How about we start with this and see how it shapes up. Sounds good?

[jgrandja]

Outer class reference OAuth2TokenRevocationEndpointFilter can be removed.

[jgrandja]

Please move TOKEN and TOKEN_TYPE_HINT to TokenRevocationAuthenticationConverter

[jgrandja]

Should return void

[jgrandja]

We should validate that TOKEN_TYPE_HINT was not supplied with multiple values

[jgrandja]

We should explicitly set status to 200 - even though this will default. However, it will ensure the response is written and therefore will commit.

[jgrandja]

Typo in javadoc

[jgrandja]

Thanks for the PR @babuv2 ! This is now merged along with a follow-up polish commit to complete the feature.