OpenAM OAuth 2 revoke token – possible bug

Tagged: ,

This topic has 6 replies, 3 voices, and was last updated 6 years, 11 months ago by suhaibmustafa.

  • Author
    Posts
  • #5800
     suhaibmustafa
    Participant

    Hi,

    This is regarding the issue I am facing with OAuth2.0 revoke token and I feel its a bug with ForgeRock OpenAM side.

    As per RFC7009 revoke token API should:
    1. validate the client credentials before revoking. But OpenAm requires admin credentials to call the revoke API.
    2. if refresh token is provided, it should revoke the refresh token as well as all the associated access tokens. But as per my tests, it is revoking only the refresh token. All the access tokens generated using this refresh token are still valid(if not expired yet).

    RFC7009 link: http://tools.ietf.org/html/rfc7009#section-2.1

    openam API used to test revoke: /frrest/oauth2/token/<token-id>?_action=revoke

    Please let me know if I am missing anything or am I using the wrong openam API.

    #5813
     Mike Jang
    Spectator

    Hi suhaibmustafa,

    I moved and renamed your post, so our OpenAM engineers will more easily see your question.

    Can you tell us more about when you see the problem with the token. What steps did you take, what version of OpenAM are you using, etc.

    Thanks,
    Mike

    #5838
     suhaibmustafa
    Participant

    Hi Mike,

    I am developing API based on RFC7009(http://tools.ietf.org/html/rfc7009#section-2.1).
    As per this RFC:
    If the particular token is a refresh token and the authorization server supports the
    revocation of access tokens, then the authorization server SHOULD
    also invalidate all access tokens based on the same authorization grant.

    Version of OpenAM:
    OpenAM 12.0.0

    Problem:
    1. If refresh token is passed then only the refresh token is revoked/deleted. If I get multiple access tokens using this refresh token, all the access tokens are still valid.
    2. Also it is mentioned in the RFC that Client Credentials are mandatory for revoking a token which I don’t see that it is considered in the API.

    OpenAM APIs used:
    1. /frrest/oauth2/token/<token-id>?_action=revoke (POST request)
    2. /frrest/oauth2/token/<token-id> (DELETE request)

    Thanks

    #5866
     Mike Jang
    Spectator

    Hi suhaibmustafa,

    Thank you for telling us more about what you’re doing.

    FYI, I suggest that you read our OpenAM Administration Guide, specifically our chapter on OAuth 2. That chapter includes several references to RFC 6749. I do not know the differences with RFC 7009.

    Thanks,
    Mike

    #5875
     suhaibmustafa
    Participant

    Hi Mike,

    RFC7009 is a supplement of RFC6749. Below is an extract from the same for your refrence:
    The OAuth 2.0 core specification [RFC6749] defines several ways for a
    client to obtain refresh and access tokens. This specification
    supplements the core specification with a mechanism to revoke both
    types of tokens.

    So, this RFC talks about token revocation. Does OpenAM support this RFC?

    Thanks,
    Syed

    #5931
     Peter Major
    Moderator

    RFC7009 is currently not listed under the Supported Standards section of:
    http://openam.forgerock.org/doc/bootstrap/reference/index.html#chap-standards

    There is an open RFE to support RFC7009-like token revocation, see:
    https://bugster.forgerock.org/jira/browse/OPENAM-7146

    #5959
     suhaibmustafa
    Participant

    Hi Peter/Mike

    Another issue(not sure if it is actually an issue):
    Step 1. Acquiring the Access token:
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW (Generated using client username and client password)
    grant_type=password&username=client_username&password=client_password

    OpenAm returned a successful response with Access token and refresh token.
    Note: Here Authorization header contains the credentials of OAuth2.0 client and in body username and password is also of another OAuth2.0 client(Not sure of the actual use case where this can be used).

    Step 2. Trying to delete this token using:
    /frrest/oauth2/token/<token-id> (DELETE request)
    This returns “Access Denied”.

    So in my opinion either Step 1 should(if client credentials cannot be used in body) fail or Step 2 should pass(User should have ability to revoke any access/refresh token he has granted access to any client). Let me know your thoughts on this.

    Thanks,
    Syed

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?