Adjust PAIA auth logout to RFC 7009 Token Revocation #49

Closed
2 of 3 tasks
nichtich opened this issue Apr 23, 2015 · 2 comments
Comments

nichtich (Member) commented Apr 23, 2015

RFC 7009 defines a standard method for OAuth 2.0 token revocation. To align PAIA auth logout with RFC 7009, it should become a Token Revoking Endpoint:

  • Use content type application/x-www-form-urlencoded
  • Require additional request parameter token
  • Support an optional request parameter token_type_hint (can be ignored)

RFC 7009 does not forbid response body, such as the current JSON object with patron:

The content of the response body is ignored by the client as all
necessary information is conveyed in the response code.

The current patron request field can be made optional and should be ignored: in fact logout does not log out a patron but a token.

For backwards compatibility:

  • PAIA auth could make the token parameter optional (although this does not strictly conform to RFC 7009) and just use the access token as provided with request parameter access_token or HTTP request header Authorization.
  • PAIA auth could also support JSON requests in addition to application/x-www-form-urlencoded

Example request

 POST /auth/logout HTTP/1.1
 Host: example.org
 Content-Type: application/x-www-form-urlencoded
 Authorization: Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW

 token=czZCaGRSa3F0MzpnWDFmQmF0M2JW&token_type_hint=access_token
nichtich added this to the 1.?.0 milestone on Apr 23, 2015
nichtich (Member, Author) commented Dec 5, 2016

The following changes are required in specification and implementation:

  • make response field "patron" optional
  • support an optional request parameter token_type_hint (can be ignored)
  • an invalid token MUST NOT cause an error but an HTTP 200 response - the goal of this method is to invalidate a token
  • support request parameter "token" as an alternative to "patron"
  • make clear that the response is optional (field patron is not required anyway)
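As an added illustration (not code from this issue or from the PAIA project), the following Python handler implements the endpoint behaviour proposed in the two comments above: a POST with an application/x-www-form-urlencoded body and a token parameter, an optional token_type_hint that is ignored, the backwards-compatible JSON body and fallback to the caller's own access token (Bearer header or access_token parameter) when token is missing, an optional patron field in the response, and an HTTP 200 for unknown or already-revoked tokens. The in-memory token store, the patron identifiers, the helper names, the sample tokens and the rule that a token may only be revoked by its owner are assumptions made for the example.

```python
import json
from urllib.parse import parse_qs

# Constructed sample token store (assumption about the server's internals, not
# the PAIA data model): access token -> patron identifier.
TOKENS = {
    "czZCaGRSa3F0MzpnWDFmQmF0M2JW": "patron-123",  # token from the issue's example request
    "otherpatrontoken0000000000000": "patron-456",  # constructed second patron
}

# The example request from the issue, as raw HTTP/1.1 text (CRLF line endings).
EXAMPLE_REQUEST = (
    "POST /auth/logout HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Authorization: Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW\r\n"
    "\r\n"
    "token=czZCaGRSa3F0MzpnWDFmQmF0M2JW&token_type_hint=access_token"
)


def bearer_token(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    auth = headers.get("authorization") or headers.get("Authorization") or ""
    scheme, _, value = auth.partition(" ")
    return value.strip() if scheme.lower() == "bearer" and value.strip() else None


def parse_body(content_type, body):
    """Parse the body into a flat dict; None for an unsupported or malformed body.

    RFC 7009 requires application/x-www-form-urlencoded. JSON is the
    backwards-compatible extension proposed in the issue (not RFC 7009 conformant).
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if media_type == "application/json":
        try:
            data = json.loads(body or "{}")
        except ValueError:
            return None
        return data if isinstance(data, dict) else None
    return None


def revoke(method, headers, content_type, body, tokens=TOKENS):
    """Handle POST /auth/logout as an RFC 7009 revocation endpoint.

    Returns (http_status, response_dict). The body is optional per RFC 7009;
    'patron' is only included when a known token was actually revoked.
    """
    if method.upper() != "POST":
        return 405, {"error": "invalid_request"}
    params = parse_body(content_type, body)
    if params is None:
        return 400, {"error": "invalid_request"}

    # token_type_hint is optional and may be ignored (RFC 7009 section 2.1); the
    # legacy 'patron' request field is ignored too: a token is revoked, not a patron.
    credential = bearer_token(headers) or params.get("access_token")
    # Backwards compatibility from the issue: fall back to the caller's own
    # access token when the RFC 7009 'token' parameter is missing.
    target = params.get("token") or credential
    if not target:
        return 400, {"error": "invalid_request"}

    # Assumption: a presented credential must itself be valid (RFC 6750 style)
    # when it is used to revoke some other token.
    if credential is not None and target != credential and credential not in tokens:
        return 401, {"error": "invalid_token"}

    # RFC 7009 section 2.2: an unknown or already-revoked token is not an error;
    # answer 200 so the client learns nothing about whether the token ever existed.
    # The same answer is given when the target belongs to another patron
    # (assumption: only the owner may revoke), which avoids an existence oracle.
    owner = tokens.get(target)
    if owner is None:
        return 200, {}
    if credential is not None and target != credential and tokens.get(credential) != owner:
        return 200, {}
    del tokens[target]
    return 200, {"patron": owner}


def handle_raw_request(raw, tokens=TOKENS):
    """Split a raw HTTP/1.1 request (like EXAMPLE_REQUEST) and dispatch it to revoke()."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return revoke(method, headers, headers.get("content-type", ""), body, tokens)


if __name__ == "__main__":
    store = dict(TOKENS)
    print(handle_raw_request(EXAMPLE_REQUEST, store))  # first call revokes the token
    print(handle_raw_request(EXAMPLE_REQUEST, store))  # second call: still 200, empty body
```

Sending the issue's example request once revokes the token and returns the optional patron field; sending it again returns 200 with an empty body, which is the behaviour the second comment asks for. Revoking a token that belongs to someone else, or a token that never existed, is answered identically, so the endpoint cannot be used to probe which tokens are live.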

nichtich (Member, Author) commented:

Does anyone use OAuth Token Revocation at all? Public identity providers have implemented it differently anyway:

  • Twitter uses field access_token instead of token
  • GitHub puts the access_token in the URL
  • MediaWiki seems to lack token revocation
  • ...

Valid implementations exist nevertheless, and full conformance to RFC 7009 would be nice, but I doubt the endpoint will actually be used.

nichtich modified the milestones: 1.4.0, 1.5.0 on Aug 24, 2023