goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Token revoke endpoint & public clients #12053

Open Kichiyaki opened 3 hours ago

Kichiyaki commented 3 hours ago

Describe the bug

It's not possible to revoke a token via /application/o/revoke/ without providing client_secret for public clients.

To Reproduce

Steps to reproduce the behavior:

  1. Create an oauth2 provider with client type=public.
  2. Authorize using the created provider.
  3. Generate tokens.
  4. Try revoking the access/refresh token via /application/o/revoke/.

Expected behavior

Public clients can revoke a token via /application/o/revoke/ without providing client_secret.

Additional context

The RFC states that a client's request must contain a valid client_id, in the case of a public client, or valid client credentials, in the case of a confidential client.

I believe the culprit is this function: https://github.com/goauthentik/authentik/blob/main/authentik/providers/oauth2/utils.py#L181.
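The client-authentication rule the report quotes (RFC 7009 section 2.1 defers to RFC 6749 section 2.3) is easy to get wrong by requiring a secret from every caller. The following is an added illustrative example, not authentik's code and not the function linked above: it shows a revocation endpoint check that rejects public clients (the reported behaviour) next to one that identifies public clients by client_id alone and authenticates confidential clients by secret, plus the token-ownership and idempotency rules of RFC 7009. The `PROVIDERS` table, `sample_tokens()` and the status codes returned are constructed stand-ins for a real database and HTTP layer.

```python
"""Client authentication for an OAuth 2.0 token revocation endpoint.

Illustrative code added to this issue; not authentik's implementation.
RFC 7009 section 2.1 reuses the client authentication rules of RFC 6749
section 2.3: confidential clients must authenticate, public clients only
identify themselves with client_id.
"""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Provider:
    client_id: str
    client_type: str          # "public" or "confidential"
    client_secret: str = ""   # empty for public clients


# Constructed stand-in for the provider table.
PROVIDERS = {
    "spa-client": Provider("spa-client", "public"),
    "backend-client": Provider("backend-client", "confidential", "s3cr3t"),
}


def sample_tokens() -> dict:
    """Constructed stand-in for the issued-token table: token -> owning client_id."""
    return {"tok-spa-1": "spa-client", "tok-backend-1": "backend-client"}


def authenticate_client_rejecting_public(form: dict) -> Optional[Provider]:
    """The failure mode this issue describes: every request must carry a
    non-empty client_secret, so a public client can never pass."""
    provider = PROVIDERS.get(form.get("client_id", ""))
    secret = form.get("client_secret", "")
    if provider is None or not secret:
        return None
    if not hmac.compare_digest(secret, provider.client_secret):
        return None
    return provider


def authenticate_client(form: dict, basic_auth: Optional[tuple] = None) -> Optional[Provider]:
    """RFC 6749 section 2.3 behaviour. Public clients are identified by
    client_id alone; confidential clients must prove possession of the
    secret, sent either in the form body or as HTTP Basic credentials."""
    client_id = form.get("client_id", "")
    secret = form.get("client_secret", "")
    if basic_auth is not None:
        client_id, secret = basic_auth
    provider = PROVIDERS.get(client_id)
    if provider is None:
        return None
    if provider.client_type == "public":
        return provider  # identification only, no credential to check
    # Constant-time comparison so the check does not leak secret length/prefix.
    if not secret or not hmac.compare_digest(secret, provider.client_secret):
        return None
    return provider


def revoke_token(form: dict, tokens: dict, basic_auth: Optional[tuple] = None) -> int:
    """Handle POST /revoke and return the HTTP status the endpoint would send.
    Status codes other than 200 are this example's choices."""
    provider = authenticate_client(form, basic_auth)
    if provider is None:
        return 401  # invalid_client
    token = form.get("token")
    if not token:
        return 400  # RFC 7009 section 2.1: the token parameter is REQUIRED
    owner = tokens.get(token)
    if owner is None:
        # RFC 7009 section 2.2: unknown or already-revoked tokens still get 200,
        # so the endpoint cannot be used to probe which tokens exist.
        return 200
    if owner != provider.client_id:
        # RFC 7009 section 2.1: a client may only revoke tokens issued to it.
        return 403
    del tokens[token]
    return 200


if __name__ == "__main__":
    store = sample_tokens()
    print("buggy, public:", authenticate_client_rejecting_public({"client_id": "spa-client"}))
    print("fixed, public:", revoke_token({"client_id": "spa-client", "token": "tok-spa-1"}, store))
    print("remaining tokens:", store)
```

With the first check a public client is always answered 401, which matches the reported symptom; with the second it can revoke its own tokens while a confidential client still has to present its secret, and an attempt to revoke another client's token is refused without touching the store.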

Kichiyaki commented 3 hours ago

Workaround: change the client type to confidential and set client_secret to an empty string (via the UI; I couldn't do it via Terraform), then change it back to public.