ccpgames / sso-issues

Please file issues with the CCP SSO (login.eveonline.com) here.

[BUG] Revoke Endpoint does not work with SSOv2 #43

Open ddavaham opened 5 years ago

ddavaham commented 5 years ago

Bug

I performed the following revocation of an access token:

{
  "status": true,
  "payload": {
    "log_id": "ZWRDD6UFNQvs3csa",
    "message": null,
    "url": "https://login.eveonline.com/v2/oauth/revoke",
    "code": 200,
    "headers": {
      "request": {
        "Request-Line": "POST /v2/oauth/revoke HTTP/1.1",
        "Host": "login.eveonline.com",
        "Accept": "*/*",
        "Authorization": "Basic NjVkZjZiODY2NjAwNGQwZWE2MjZiNDY3ZWJjZDkyZDE6SE92Qm5ZdzdUU2dJNERXMmNraEMwMjJwazk0VGJlZUNKaHh1UUFlRg==",
        "Content-Type": "application/json",
        "User-Agent": "ESIKnife Local Development || David Davaham (David Douglas) || ddouglas@douglaswebdev.net",
        "Content-Length": "943",
        "data": "{\"token_type_hint\":\"access_token\",\"token\":\"eyJhbGciOiJSUzI1NiIsImtpZCI6IkpXVC1TaWduYXR1cmUtS2V5IiwidHlwIjoiSldUIn0.eyJzY3AiOlsiZXNpLWxvY2F0aW9uLnJlYWRfbG9jYXRpb24udjEiLCJlc2ktbG9jYXRpb24ucmVhZF9zaGlwX3R5cGUudjEiLCJlc2ktd2FsbGV0LnJlYWRfY2hhcmFjdGVyX3dhbGxldC52MSJdLCJqdGkiOiIxNGViNmZlOC1lMDQxLTRmMDktOTgzYS0yMWM0NDA5Y2Y2NTgiLCJraWQiOiJKV1QtU2lnbmF0dXJlLUtleSIsInN1YiI6IkNIQVJBQ1RFUjpFVkU6OTU5MjMwODQiLCJhenAiOiI2NWRmNmI4NjY2MDA0ZDBlYTYyNmI0NjdlYmNkOTJkMSIsIm5hbWUiOiJEYXZpZCBEYXZhaGFtIiwib3duZXIiOiJQaGpReWdVRjUwM2Q0VkdIVEhzdzRnbXp0dlk9IiwiZXhwIjoxNTM4ODk3MTQyLCJpc3MiOiJsb2dpbi5ldmVvbmxpbmUuY29tIn0.nWNb_9tTE9wR59o4-M0EvB0LqHsCtlkYorJ1J_t8IEfuO8xCRLEInyWSu-53ect4FDXg9cGwkCQotg-A_V7qfQ586e9z1i6r1sBr7ZF8nYN_C-jF8k5CNiBQZAxgahndEOyy36GO7Ohej_B6DdTI6bca8nd9oIsO0l8vj6Hb1__qXr6MqOt_QGo5mX_jfsL5CnIIuR5Q64f8xLZ1AI6dRq7Qw-hvGNzRwRWx2EEsL7_Py0WmfqlwSqgbVKgw-Cta72zJZkF5qk0yn_OG99BPRl-4ZTQsLlDkTnGXCbnCYApSBQX67g1NExnmb4NpAqNpM-2xzFJ9POe96axF2k4ldw\"}"
      },
      "response": {
        "Status-Line": "HTTP/1.1 200 OK",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
        "Server": "Microsoft-IIS/8.5",
        "Date": "Sun, 07 Oct 2018 07:06:19 GMT",
        "Content-Length": "0"
      }
    },
    "response": ""
  }
}

A few minutes later, using the same access token, I was able to request data about the character's ship:

{#461 ▼
  +"status": true
  +"payload": {#458 ▼
    +"log_id": "iQoQM2k8956iCPra"
    +"message": null
    +"url": "https://esi.evetech.net/v1/characters/95923084/ship/"
    +"code": 200
    +"headers": {#434 ▼
      +"request": array:7 [▼
        "Request-Line" => "GET /v1/characters/95923084/ship/ HTTP/1.1"
        "Host" => "esi.evetech.net"
        "Accept" => "*/*"
        "Authorization" => "Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkpXVC1TaWduYXR1cmUtS2V5IiwidHlwIjoiSldUIn0.eyJzY3AiOlsiZXNpLWxvY2F0aW9uLnJlYWRfbG9jYXRpb24udjEiLCJlc2ktbG9jYXRpb24ucmVhZF9za ▶"
        "Content-Type" => "application/json"
        "User-Agent" => "ESIKnife Local Development || David Davaham (David Douglas) || ddouglas@douglaswebdev.net"
        "data" => []
      ]
      +"response": array:20 [▼
        "Status-Line" => "HTTP/1.1 200 OK"
        "Date" => "Sun, 07 Oct 2018 07:10:06 GMT"
        "Content-Type" => "application/json; charset=UTF-8"
        "Content-Length" => "74"
        "Connection" => "keep-alive"
        "Access-Control-Allow-Credentials" => "true"
        "Access-Control-Allow-Headers" => "Content-Type,Authorization,If-None-Match,X-User-Agent"
        "Access-Control-Allow-Methods" => "GET,HEAD,OPTIONS"
        "Access-Control-Allow-Origin" => "*"
        "Access-Control-Expose-Headers" => "Content-Type,Warning,ETag,X-Pages,X-ESI-Error-Limit-Remain,X-ESI-Error-Limit-Reset"
        "Access-Control-Max-Age" => "600"
        "Allow" => "GET,HEAD,OPTIONS"
        "Cache-Control" => "private"
        "Etag" => ""4dd43c0770f61b9185098baee19f3ce2f36753d871114e297839b13e""
        "Expires" => "Sun, 07 Oct 2018 07:10:11 GMT"
        "Last-Modified" => "Sun, 07 Oct 2018 07:10:06 GMT"
        "Strict-Transport-Security" => "max-age=31536000"
        "X-Esi-Error-Limit-Remain" => "100"
        "X-Esi-Error-Limit-Reset" => "54"
        "X-Esi-Request-Id" => "595bcc47-9296-4ada-94cf-867f4594f5a4"
      ]
    }
    +"response": {#430 ▼
      +"ship_item_id": 1027500721343
      +"ship_name": "IHaveACyno"
      +"ship_type_id": 606
    }
  }
}

To try again, I revoked the token by refresh token:

{
  "status": true,
  "payload": {
    "log_id": "UyqS2CMpVXi1s2bh",
    "message": null,
    "url": "https://login.eveonline.com/v2/oauth/revoke",
    "code": 200,
    "headers": {
      "request": {
        "Request-Line": "POST /v2/oauth/revoke HTTP/1.1",
        "Host": "login.eveonline.com",
        "Accept": "*/*",
        "Authorization": "Basic NjVkZjZiODY2NjAwNGQwZWE2MjZiNDY3ZWJjZDkyZDE6SE92Qm5ZdzdUU2dJNERXMmNraEMwMjJwazk0VGJlZUNKaHh1UUFlRg==",
        "Content-Type": "application/json",
        "User-Agent": "ESIKnife Local Development || David Davaham (David Douglas) || ddouglas@douglaswebdev.net",
        "Content-Length": "70",
        "data": "{\"token_type_hint\":\"refresh_token\",\"token\":\"5aI666sHJ0ucBRnPulp6Jg==\"}"
      },
      "response": {
        "Status-Line": "HTTP/1.1 200 OK",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
        "Server": "Microsoft-IIS/8.5",
        "Date": "Sun, 07 Oct 2018 07:11:04 GMT",
        "Content-Length": "0"
      }
    },
    "response": ""
  }
}

Then I tried requesting the ship again:

{#461 ▼
  +"status": true
  +"payload": {#458 ▼
    +"log_id": "JXvGpQvCJo56toUD"
    +"message": null
    +"url": "https://esi.evetech.net/v1/characters/95923084/ship/"
    +"code": 200
    +"headers": {#434 ▼
      +"request": array:7 [▼
        "Request-Line" => "GET /v1/characters/95923084/ship/ HTTP/1.1"
        "Host" => "esi.evetech.net"
        "Accept" => "*/*"
        "Authorization" => "Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkpXVC1TaWduYXR1cmUtS2V5IiwidHlwIjoiSldUIn0.eyJzY3AiOlsiZXNpLWxvY2F0aW9uLnJlYWRfbG9jYXRpb24udjEiLCJlc2ktbG9jYXRpb24ucmVhZF9za ▶"
        "Content-Type" => "application/json"
        "User-Agent" => "ESIKnife Local Development || David Davaham (David Douglas) || ddouglas@douglaswebdev.net"
        "data" => []
      ]
      +"response": array:20 [▼
        "Status-Line" => "HTTP/1.1 200 OK"
        "Date" => "Sun, 07 Oct 2018 07:11:46 GMT"
        "Content-Type" => "application/json; charset=UTF-8"
        "Content-Length" => "74"
        "Connection" => "keep-alive"
        "Access-Control-Allow-Credentials" => "true"
        "Access-Control-Allow-Headers" => "Content-Type,Authorization,If-None-Match,X-User-Agent"
        "Access-Control-Allow-Methods" => "GET,HEAD,OPTIONS"
        "Access-Control-Allow-Origin" => "*"
        "Access-Control-Expose-Headers" => "Content-Type,Warning,ETag,X-Pages,X-ESI-Error-Limit-Remain,X-ESI-Error-Limit-Reset"
        "Access-Control-Max-Age" => "600"
        "Allow" => "GET,HEAD,OPTIONS"
        "Cache-Control" => "private"
        "Etag" => ""4dd43c0770f61b9185098baee19f3ce2f36753d871114e297839b13e""
        "Expires" => "Sun, 07 Oct 2018 07:11:51 GMT"
        "Last-Modified" => "Sun, 07 Oct 2018 07:11:46 GMT"
        "Strict-Transport-Security" => "max-age=31536000"
        "X-Esi-Error-Limit-Remain" => "100"
        "X-Esi-Error-Limit-Reset" => "14"
        "X-Esi-Request-Id" => "51125d66-307f-4b63-85b9-a44a34b43a2f"
      ]
    }
    +"response": {#430 ▼
      +"ship_item_id": 1027500721343
      +"ship_name": "IHaveACyno"
      +"ship_type_id": 606
    }
  }
}

I tried to refresh the token:

{#461 ▼
  +"status": true
  +"payload": {#458 ▼
    +"log_id": "P1Yiisc3VNDXUtUc"
    +"message": null
    +"url": "https://login.eveonline.com/v2/oauth/token"
    +"code": 200
    +"headers": {#434 ▼
      +"request": array:8 [▼
        "Request-Line" => "POST /v2/oauth/token HTTP/1.1"
        "Host" => "login.eveonline.com"
        "Accept" => "*/*"
        "Authorization" => "Basic NjVkZjZiODY2NjAwNGQwZWE2MjZiNDY3ZWJjZDkyZDE6SE92Qm5ZdzdUU2dJNERXMmNraEMwMjJwazk0VGJlZUNKaHh1UUFlRg=="
        "Content-Type" => "application/json"
        "User-Agent" => "ESIKnife Local Development || David Davaham (David Douglas) || ddouglas@douglaswebdev.net"
        "Content-Length" => "73"
        "data" => "{"grant_type":"refresh_token","refresh_token":"5aI666sHJ0ucBRnPulp6Jg=="}"
      ]
      +"response": array:9 [▼
        "Status-Line" => "HTTP/1.1 200 OK"
        "Cache-Control" => "no-store"
        "Pragma" => "no-cache"
        "Content-Type" => "application/json; charset=utf-8"
        "Server" => "Microsoft-IIS/8.5"
        "Access-Control-Allow-Methods" => "OPTIONS, POST"
        "Access-Control-Allow-Origin" => "*"
        "Date" => "Sun, 07 Oct 2018 07:12:47 GMT"
        "Content-Length" => "1000"
      ]
    }
    +"response": {#430 ▼
      +"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkpXVC1TaWduYXR1cmUtS2V5IiwidHlwIjoiSldUIn0.eyJzY3AiOlsiZXNpLWxvY2F0aW9uLnJlYWRfbG9jYXRpb24udjEiLCJlc2ktbG9jYXRpb24ucmVhZF9zaGlwX3R5cGUudjEiLCJlc2ktd2FsbGV0LnJlYWRfY2hhcmFjdGVyX3dhbGxldC52MSJdLCJqdGkiOiJiNTgwOTQwNS03N2VlLTRkOTEtYjM5My1iZDlmMGMzNzFlMjIiLCJraWQiOiJKV1QtU2lnbmF0dXJlLUtleSIsInN1YiI6IkNIQVJBQ1RFUjpFVkU6OTU5MjMwODQiLCJhenAiOiI2NWRmNmI4NjY2MDA0ZDBlYTYyNmI0NjdlYmNkOTJkMSIsIm5hbWUiOiJEYXZpZCBEYXZhaGFtIiwib3duZXIiOiJQaGpReWdVRjUwM2Q0VkdIVEhzdzRnbXp0dlk9IiwiZXhwIjoxNTM4ODk3NTY3LCJpc3MiOiJsb2dpbi5ldmVvbmxpbmUuY29tIn0.M-XAjJz-9k9GKx6bfIZRCBsa84lXBvPeYK_UqmV51Cf2aYDrG7OZYmEGQCEZgGkecGlOz_mdXagygkDIpSFJgBN9F8m3Vj4lNA52LFsyvT4c7fnTrilDgkQkVpaBHCD_59oOA-KcceJ-LRhbGacV7TtvXc9tHOHNBDICtmePgmaxq8tWugmRw3FqEPuyFe--UXXsVWlzlTP7WN7BAdEs95VXQSbVs7ezZy7GKXsmz3NoHwp0nCiUQ-qhpb1k2hI1A2bVAsrwMXCYFukkSa7ojFm085Q1pu891gVKs3NM3kiW6FzL4fqCri0kE7YWfEPooP-moxhENCZ8Uj7zc_cQQg ◀"
      +"expires_in": 1199
      +"token_type": "Bearer"
      +"refresh_token": "5aI666sHJ0ucBRnPulp6Jg=="
    }
  }
}

I then deleted the application via the developers console and waited five minutes.

Only after deleting the application did I receive a proper response from the refresh endpoint:

{#461 ▼
  +"status": false
  +"payload": {#458 ▼
    +"log_id": "ZSMMZpVE6SiUZmJl"
    +"message": "Failed HTTP Request POST  : Http Status 401"
    +"url": "https://login.eveonline.com/v2/oauth/token"
    +"code": 401
    +"headers": {#434 ▼
      +"request": array:8 [▼
        "Request-Line" => "POST /v2/oauth/token HTTP/1.1"
        "Host" => "login.eveonline.com"
        "Accept" => "*/*"
        "Authorization" => "Basic NjVkZjZiODY2NjAwNGQwZWE2MjZiNDY3ZWJjZDkyZDE6SE92Qm5ZdzdUU2dJNERXMmNraEMwMjJwazk0VGJlZUNKaHh1UUFlRg=="
        "Content-Type" => "application/json"
        "User-Agent" => "ESIKnife Local Development || David Davaham (David Douglas) || ddouglas@douglaswebdev.net"
        "Content-Length" => "73"
        "data" => "{"grant_type":"refresh_token","refresh_token":"5aI666sHJ0ucBRnPulp6Jg=="}"
      ]
      +"response": array:9 [▼
        "Status-Line" => "HTTP/1.1 401 Unauthorized"
        "Cache-Control" => "no-cache"
        "Pragma" => "no-cache"
        "Content-Length" => "87"
        "Content-Type" => "application/json; charset=utf-8"
        "Expires" => "-1"
        "Server" => "Microsoft-IIS/8.5"
        "WWW-Authenticate" => "Basic realm="login.eveonline.com""
        "Date" => "Sun, 07 Oct 2018 07:22:44 GMT"
      ]
    }
    +"response": {#430 ▼
      +"error": "invalid_client"
      +"error_description": "Missing or invalid client credentials."
    }
  }
}

However, I am still able to make requests to ESI using an access token that is registered to an application that has been deleted:

{#461 ▼
  +"status": true
  +"payload": {#458 ▼
    +"log_id": "cBh3cpTyxVTsJljC"
    +"message": null
    +"url": "https://esi.evetech.net/v1/characters/95923084/ship/"
    +"code": 200
    +"headers": {#434 ▼
      +"request": array:7 [▼
        "Request-Line" => "GET /v1/characters/95923084/ship/ HTTP/1.1"
        "Host" => "esi.evetech.net"
        "Accept" => "*/*"
        "Authorization" => "Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkpXVC1TaWduYXR1cmUtS2V5IiwidHlwIjoiSldUIn0.eyJzY3AiOlsiZXNpLWxvY2F0aW9uLnJlYWRfbG9jYXRpb24udjEiLCJlc2ktbG9jYXRpb24ucmVhZF9za ▶"
        "Content-Type" => "application/json"
        "User-Agent" => "ESIKnife Local Development || David Davaham (David Douglas) || ddouglas@douglaswebdev.net"
        "data" => []
      ]
      +"response": array:20 [▼
        "Status-Line" => "HTTP/1.1 200 OK"
        "Date" => "Sun, 07 Oct 2018 07:23:55 GMT"
        "Content-Type" => "application/json; charset=UTF-8"
        "Content-Length" => "74"
        "Connection" => "keep-alive"
        "Access-Control-Allow-Credentials" => "true"
        "Access-Control-Allow-Headers" => "Content-Type,Authorization,If-None-Match,X-User-Agent"
        "Access-Control-Allow-Methods" => "GET,HEAD,OPTIONS"
        "Access-Control-Allow-Origin" => "*"
        "Access-Control-Expose-Headers" => "Content-Type,Warning,ETag,X-Pages,X-ESI-Error-Limit-Remain,X-ESI-Error-Limit-Reset"
        "Access-Control-Max-Age" => "600"
        "Allow" => "GET,HEAD,OPTIONS"
        "Cache-Control" => "private"
        "Etag" => ""4dd43c0770f61b9185098baee19f3ce2f36753d871114e297839b13e""
        "Expires" => "Sun, 07 Oct 2018 07:24:00 GMT"
        "Last-Modified" => "Sun, 07 Oct 2018 07:23:55 GMT"
        "Strict-Transport-Security" => "max-age=31536000"
        "X-Esi-Error-Limit-Remain" => "100"
        "X-Esi-Error-Limit-Reset" => "5"
        "X-Esi-Request-Id" => "25ff7b0d-7cef-4379-a65b-6e358e22a20d"
      ]
    }
    +"response": {#430 ▼
      +"ship_item_id": 1027500721343
      +"ship_name": "IHaveACyno"
      +"ship_type_id": 606
    }
  }
}

But I am assuming that this is acceptable, since the lifetime of these tokens is only 20 minutes.

Please let me know if there is anything else I can do to assist.
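The walkthrough above mixes two different questions: whether the revocation endpoint actually invalidated anything, and why ESI kept accepting the access token afterwards. The following is an added example, not code from the reporter or from CCP, that separates the two. It decodes the claims of the access token from the first request (the signature is not verified, this is inspection only), lines up its `exp` claim against the `Date` headers of every call in the report, and applies the check that RFC 7009 actually requires: a 200 from `/revoke` is returned even for an unknown token (RFC 7009 section 2.2), so the only meaningful test is whether the revoked refresh token can still be exchanged at `/token`. The function and constant names are this example's own; the timestamps are those on the page.

```python
import base64
import json
from datetime import datetime, timezone

# Claims segment (the middle, dot-separated part) of the access token that the
# reporter sent to /v2/oauth/revoke at 07:06:19 GMT, copied from the first
# request above. Only the claims are decoded; the RS256 signature is not
# checked, so this inspects what the token says about itself, nothing more.
PAGE_ACCESS_TOKEN_PAYLOAD = (
    "eyJzY3AiOlsiZXNpLWxvY2F0aW9uLnJlYWRfbG9jYXRpb24udjEiLCJlc2ktbG9jYXRpb24u"
    "cmVhZF9zaGlwX3R5cGUudjEiLCJlc2ktd2FsbGV0LnJlYWRfY2hhcmFjdGVyX3dhbGxldC52"
    "MSJdLCJqdGkiOiIxNGViNmZlOC1lMDQxLTRmMDktOTgzYS0yMWM0NDA5Y2Y2NTgiLCJraWQi"
    "OiJKV1QtU2lnbmF0dXJlLUtleSIsInN1YiI6IkNIQVJBQ1RFUjpFVkU6OTU5MjMwODQiLCJh"
    "enAiOiI2NWRmNmI4NjY2MDA0ZDBlYTYyNmI0NjdlYmNkOTJkMSIsIm5hbWUiOiJEYXZpZCBE"
    "YXZhaGFtIiwib3duZXIiOiJQaGpReWdVRjUwM2Q0VkdIVEhzdzRnbXp0dlk9IiwiZXhwIjox"
    "NTM4ODk3MTQyLCJpc3MiOiJsb2dpbi5ldmVvbmxpbmUuY29tIn0"
)

# Events in the reporter's walkthrough, taken from the Date response headers
# above (all on 2018-10-07, GMT), with the HTTP status that came back.
OBSERVED_EVENTS = [
    ("POST /v2/oauth/revoke (access_token hint)", "07:06:19", 200),
    ("GET /v1/characters/95923084/ship/", "07:10:06", 200),
    ("POST /v2/oauth/revoke (refresh_token hint)", "07:11:04", 200),
    ("GET /v1/characters/95923084/ship/", "07:11:46", 200),
    ("POST /v2/oauth/token (refresh_token grant)", "07:12:47", 200),
    ("POST /v2/oauth/token after app deleted", "07:22:44", 401),
    ("GET /v1/characters/95923084/ship/ after app deleted", "07:23:55", 200),
]


def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a JWT, or of a bare claims segment, WITHOUT verifying it."""
    segment = token.split(".")[1] if token.count(".") == 2 else token
    padded = segment + "=" * (-len(segment) % 4)  # base64url strips padding; restore it
    return json.loads(base64.urlsafe_b64decode(padded))


def page_time(hhmmss: str) -> datetime:
    """Turn an 'HH:MM:SS' value from the issue's Date headers into an aware UTC datetime."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return datetime(2018, 10, 7, h, m, s, tzinfo=timezone.utc)


def seconds_until_expiry(claims: dict, at: datetime) -> int:
    """Positive while the token's own exp claim is still in the future at `at`."""
    return int(claims["exp"] - at.timestamp())


def expiry_timeline(claims: dict, events=OBSERVED_EVENTS) -> list:
    """For every observed call, how many seconds the revoked access token still had left.

    A self-contained JWT is accepted by a resource server that only checks the
    signature and exp; it has no way to learn about revocation unless the
    issuer also publishes one, so every entry here being positive explains
    why ESI kept answering 200."""
    return [(label, seconds_until_expiry(claims, page_time(t))) for label, t, _ in events]


def check_revocation_outcome(refresh_status: int, refresh_body: dict) -> str:
    """Classify a refresh attempt made AFTER the refresh token was revoked.

    RFC 7009 s.2.2: /revoke answers 200 even for an unknown or already-invalid
    token, so a 200 there proves nothing on its own. The check that matters is
    whether the revoked refresh token can still be exchanged; RFC 6749 s.5.2
    expects 400 'invalid_grant' once it cannot."""
    if refresh_status == 200 and "access_token" in refresh_body:
        return "revoked refresh token still mints access tokens: revocation did not take effect"
    if refresh_status == 401 and refresh_body.get("error") == "invalid_client":
        return "rejected for client credentials, not for the token: no evidence the token was revoked"
    if refresh_status == 400 and refresh_body.get("error") == "invalid_grant":
        return "refresh token correctly rejected as revoked"
    return f"unexpected token endpoint reply: {refresh_status} {refresh_body}"


if __name__ == "__main__":
    claims = decode_jwt_claims(PAGE_ACCESS_TOKEN_PAYLOAD)
    print("token exp:", datetime.fromtimestamp(claims["exp"], tz=timezone.utc).isoformat())
    for label, remaining in expiry_timeline(claims):
        print(f"{remaining:5d}s left  {label}")
    # The two /token replies seen on the page, in order.
    print(check_revocation_outcome(200, {"access_token": "<page token>", "refresh_token": "<page token>"}))
    print(check_revocation_outcome(401, {"error": "invalid_client"}))
```

Run as a script it prints the token's expiry (07:25:42 GMT) and shows that even the last ESI call at 07:23:55, after the application was deleted, was made with 107 seconds left on the token's own clock, which is the behaviour the reporter expected from a 20-minute token. The refresh check is the part that matters for the bug: the 200 at 07:12:47 is the failure, and the later 401 `invalid_client` only says the client is gone, not that the refresh token was ever revoked.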

CarbonAlabel commented 5 years ago

Can confirm this; the v2 revocation endpoint does not seem to be revoking refresh tokens as it should be.

My previous testing showed it to be working properly, so I'm guessing this problem was introduced recently, in the last month or so.

gehnster commented 1 year ago

Could we please get an update on this?