Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for token revocation #126

Merged
merged 9 commits into from
Feb 3, 2024
Merged

Add support for token revocation #126

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
84a4526
Add support for token revocation
adambom Oct 25, 2023
4b22de6
Fix RFC url
adambom Oct 25, 2023
714eaea
Fix typo in comments
adambom Oct 30, 2023
c94f27f
Add tests for revocation
adambom Oct 30, 2023
4a10935
Fix linting errors
adambom Oct 30, 2023
9335fbb
Moving revoke tests into their own file
evert Dec 23, 2023
c38475a
Altering test to demonstrate issue with non returning JSON from revoke
evert Dec 23, 2023
929d115
Merge branch 'main' into adambom-revoke
evert Feb 3, 2024
08643ef
Update changelog, readme
evert Feb 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 37 additions & 1 deletion src/client.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,10 @@ import {
IntrospectionRequest,
IntrospectionResponse,
PasswordRequest,
OAuth2TokenTypeHint,
RefreshRequest,
RevocationRequest,
RevocationResponse,
ServerMetadataResponse,
TokenResponse,
} from './messages';
Expand Down Expand Up @@ -61,6 +64,14 @@ export interface ClientSettings {
*/
introspectionEndpoint?: string;

/**
* Revocatopm endpoint.
adambom marked this conversation as resolved.
Show resolved Hide resolved
*
* Required for revoking tokens. Not supported by all servers.
* If not provided we'll try to discover it, or otherwise default to /revoke
*/
revocationEndpoint?: string;
evert marked this conversation as resolved.
Show resolved Hide resolved

/**
* OAuth 2.0 Authorization Server Metadata endpoint or OpenID
* Connect Discovery 1.0 endpoint.
Expand Down Expand Up @@ -92,7 +103,7 @@ export interface ClientSettings {
}


type OAuth2Endpoint = 'tokenEndpoint' | 'authorizationEndpoint' | 'discoveryEndpoint' | 'introspectionEndpoint';
type OAuth2Endpoint = 'tokenEndpoint' | 'authorizationEndpoint' | 'discoveryEndpoint' | 'introspectionEndpoint' | 'revocationEndpoint';

export class OAuth2Client {

Expand Down Expand Up @@ -197,6 +208,27 @@ export class OAuth2Client {

}

/**
* Revoke a token
*
* This will revoke a token, provided that the server supports this feature.
*
* @see https://datatracker.ietf.org/doc/html/rfc7009
*/
async revoke(token: OAuth2Token, tokenTypeHint: OAuth2TokenTypeHint = 'access_token'): Promise<RevocationResponse> {
let tokenValue = token.accessToken;
if (tokenTypeHint === 'refresh_token') {
tokenValue = token.refreshToken!;
}

const body: RevocationRequest = {
token: tokenValue,
token_type_hint: tokenTypeHint,
};
return this.request('revocationEndpoint', body);

}

/**
* Returns a url for an OAuth2 endpoint.
*
Expand Down Expand Up @@ -230,6 +262,8 @@ export class OAuth2Client {
return resolve('/.well-known/oauth-authorization-server', this.settings.server);
case 'introspectionEndpoint':
return resolve('/introspect', this.settings.server);
case 'revocationEndpoint':
return resolve('/revoke', this.settings.server);
}

}
Expand Down Expand Up @@ -267,6 +301,7 @@ export class OAuth2Client {
['authorization_endpoint', 'authorizationEndpoint'],
['token_endpoint', 'tokenEndpoint'],
['introspection_endpoint', 'introspectionEndpoint'],
['revocation_endpoint', 'revocationEndpoint'],
] as const;

if (this.serverMetadata === null) return;
Expand All @@ -287,6 +322,7 @@ export class OAuth2Client {
*/
async request(endpoint: 'tokenEndpoint', body: RefreshRequest | ClientCredentialsRequest | PasswordRequest | AuthorizationCodeRequest): Promise<TokenResponse>;
async request(endpoint: 'introspectionEndpoint', body: IntrospectionRequest): Promise<IntrospectionResponse>;
async request(endpoint: 'revocationEndpoint', body: RevocationRequest): Promise<RevocationResponse>;
async request(endpoint: OAuth2Endpoint, body: Record<string, any>): Promise<unknown> {

const uri = await this.getEndpoint(endpoint);
Expand Down
7 changes: 7 additions & 0 deletions src/messages.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -266,3 +266,10 @@
jti?: string;

}

export type RevocationRequest = {
token: string;
token_type_hint?: OAuth2TokenTypeHint

Check failure on line 272 in src/messages.ts

View workflow job for this annotation

GitHub Actions / Lint 

Expected a semicolon
}

export type RevocationResponse = {}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just took a look at the spec and it looks like there's no requirement for servers to return JSON. So if a revoke endpoint returns something else, parsing the response body will likely result in an exception

Loading