October 13, 2015 at 9:04 am #5800
This is regarding the issue I am facing with OAuth2.0 revoke token, and I feel it's a bug on the ForgeRock OpenAM side.
As per RFC7009 revoke token API should:
1. validate the client credentials before revoking. But OpenAM requires admin credentials to call the revoke API.
2. if a refresh token is provided, it should revoke the refresh token as well as all the associated access tokens. But as per my tests, it is revoking only the refresh token. All the access tokens generated using this refresh token are still valid (if not expired yet).
RFC7009 link: http://tools.ietf.org/html/rfc7009#section-2.1
OpenAM API used to test revoke: /frrest/oauth2/token/<token-id>?_action=revoke
Please let me know if I am missing anything or whether I am using the wrong OpenAM API.
October 13, 2015 at 3:38 pm #5813 Mike Jang Spectator
I moved and renamed your post, so our OpenAM engineers will more easily see your question.
Can you tell us more about when you see the problem with the token? What steps did you take, what version of OpenAM are you using, etc.
Mike
October 15, 2015 at 6:51 am #5838
I am developing an API based on RFC7009 (http://tools.ietf.org/html/rfc7009#section-2.1).
As per this RFC:
If the particular token is a refresh token and the authorization server supports the
revocation of access tokens, then the authorization server SHOULD
also invalidate all access tokens based on the same authorization grant.
Version of OpenAM:
1. If a refresh token is passed then only the refresh token is revoked/deleted. If I get multiple access tokens using this refresh token, all the access tokens are still valid.
2. Also it is mentioned in the RFC that client credentials are mandatory for revoking a token, which I don't see being considered in the API.
OpenAM APIs used:
1. /frrest/oauth2/token/<token-id>?_action=revoke (POST request)
2. /frrest/oauth2/token/<token-id> (DELETE request)
Thanks
October 15, 2015 at 6:35 pm #5866 Mike Jang Spectator
Thank you for telling us more about what you’re doing.
FYI, I suggest that you read our OpenAM Administration Guide, specifically our chapter on OAuth 2. That chapter includes several references to RFC 6749. I do not know the differences with RFC 7009.
Mike
October 16, 2015 at 12:38 pm #5875
RFC7009 is a supplement to RFC6749. Below is an extract from the same for your reference:
The OAuth 2.0 core specification [RFC6749] defines several ways for a
client to obtain refresh and access tokens. This specification
supplements the core specification with a mechanism to revoke both
types of tokens.
So, this RFC talks about token revocation. Does OpenAM support this RFC?
Syed
October 22, 2015 at 9:09 pm #5931 Peter Major Moderator
RFC7009 is currently not listed under the Supported Standards section of:
There is an open RFE to support RFC7009-like token revocation, see:
https://bugster.forgerock.org/jira/browse/OPENAM-7146
October 26, 2015 at 6:12 am #5959
Another issue (not sure if it is actually an issue):
Step 1. Acquiring the Access token:
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW (Generated using client username and client password)
OpenAM returned a successful response with an access token and a refresh token.
Note: Here the Authorization header contains the credentials of an OAuth2.0 client, and the username and password in the body are also those of another OAuth2.0 client (not sure of the actual use case where this can be used).
Step 2. Trying to delete this token using:
/frrest/oauth2/token/<token-id> (DELETE request)
This returns “Access Denied”.
So in my opinion either Step 1 should fail (if client credentials cannot be used in the body) or Step 2 should pass (the user should have the ability to revoke any access/refresh token he has granted to any client). Let me know your thoughts on this.
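To make concrete what the first post in this thread expects from RFC 7009 (client credentials checked before revocation; revoking a refresh token also invalidates the access tokens issued under the same grant) and what the last post observes (a revoke call that is refused), here is a small in-memory model of a revocation endpoint written for this thread. It is an added example, not OpenAM code and not the /frrest/oauth2/token endpoint; the client ids, secrets and grant ids are constructed, and the choice of error code for a token that belongs to a different client is this example's own (the RFC only says the request is refused).

```python
"""Minimal model of an RFC 7009 token revocation endpoint (constructed example).

Rules implemented from RFC 7009 section 2.1 / 2.2:
  - the client's credentials are validated before anything is revoked
  - the token must have been issued to the client making the request
  - an unknown or already-revoked token still yields HTTP 200 (no error)
  - revoking a refresh token SHOULD invalidate all access tokens from the same grant
  - revoking an access token MAY leave the refresh token alive (this model does)
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    kind: str          # "access_token" or "refresh_token"
    client_id: str     # client the token was issued to
    grant_id: str      # the authorization grant the token derives from
    revoked: bool = False


class AuthorizationServer:
    def __init__(self, clients):
        # clients: client_id -> client_secret (constructed sample values;
        # a real server would store a hash of the secret, not the secret itself)
        self._clients = clients
        self._tokens = {}  # token value -> Token

    def _authenticate_client(self, client_id, client_secret):
        expected = self._clients.get(client_id)
        # constant-time comparison so the check does not leak secret length/prefix
        return expected is not None and hmac.compare_digest(expected, client_secret)

    def issue(self, client_id, grant_id):
        """Issue an access/refresh token pair bound to one authorization grant."""
        at = Token(secrets.token_urlsafe(16), "access_token", client_id, grant_id)
        rt = Token(secrets.token_urlsafe(16), "refresh_token", client_id, grant_id)
        self._tokens[at.value] = at
        self._tokens[rt.value] = rt
        return at.value, rt.value

    def refresh(self, refresh_token):
        """Mint a new access token from a live refresh token (same grant)."""
        rt = self._tokens.get(refresh_token)
        if rt is None or rt.kind != "refresh_token" or rt.revoked:
            return None
        at = Token(secrets.token_urlsafe(16), "access_token", rt.client_id, rt.grant_id)
        self._tokens[at.value] = at
        return at.value

    def is_active(self, token):
        """What a resource server would ask: is this token still usable?"""
        t = self._tokens.get(token)
        return t is not None and not t.revoked

    def revoke(self, token, client_id, client_secret, token_type_hint=None):
        """Handle an RFC 7009 revocation request. Returns (http_status, json_body)."""
        # 1. client credentials are validated first; nothing is revoked on failure
        if not self._authenticate_client(client_id, client_secret):
            return 401, {"error": "invalid_client"}
        # 2. token_type_hint is only an optimisation; the search covers both kinds
        t = self._tokens.get(token)
        if t is None:
            # unknown token: 200 with no body, the client cannot act on an error here
            return 200, {}
        # 3. the token must have been issued to the requesting client
        if t.client_id != client_id:
            # error code is this example's choice; RFC 7009 only requires refusal
            return 400, {"error": "unauthorized_client"}
        # 4. revoke it; a refresh token takes every token from the same grant with it
        t.revoked = True
        if t.kind == "refresh_token":
            for other in self._tokens.values():
                if other.grant_id == t.grant_id:
                    other.revoked = True
        return 200, {}


if __name__ == "__main__":
    srv = AuthorizationServer({"client-a": "secret-a", "client-b": "secret-b"})
    at, rt = srv.issue("client-a", "grant-1")
    at2 = srv.refresh(rt)
    print(srv.revoke(rt, "client-b", "secret-b"))   # refused: wrong client
    print(srv.revoke(rt, "client-a", "secret-a"))   # (200, {})
    print(srv.is_active(at), srv.is_active(at2))    # False False
```

The model covers the client-initiated flow RFC 7009 defines. The DELETE-by-resource-owner case in Step 2 above is a different authorization question (is the user who granted the token allowed to revoke it?) and is outside that RFC, so the example does not model it.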