
oauth/revoke endpoint doesn't revoke expired access tokens #1579

Closed
ShalaQweghen opened this issue Jun 28, 2022 · 5 comments

Steps to reproduce

When an access token is expired, it cannot be revoked with the oauth/revoke endpoint. It seems like it can cause security issues if refresh tokens are enabled, because refresh tokens attached to expired access tokens can still be used to obtain new access tokens.

As an example case: an application which interacts with my doorkeeper app uses refresh tokens to get new access tokens when an access token expires. When the interacting application is uninstalled from a user's computer, it makes a request to oauth/revoke to take care of the access token. However, because the token expired before uninstalling the application, the oauth/revoke endpoint doesn't do anything to it. So, in theory, it can be used to get new access tokens.

I have temporarily overcome this by overriding the tokens controller as follows:

# config/routes.rb
...
  use_doorkeeper do
    # route oauth/token and oauth/revoke to the custom controller below
    controllers tokens: 'oauth/tokens'
  end
...

# app/controllers/oauth/tokens_controller.rb (conventional location for this class name)
class Oauth::TokensController < Doorkeeper::TokensController
  private

  # Override the default revocation step so that an expired token is still
  # revoked (the default skips expired tokens, leaving the refresh token usable).
  def revoke_token
    token.revoke unless token&.revoked?
  end
end

Expected behavior

Making a request to oauth/revoke should revoke an access token even if it is expired.

Actual behavior

Making a request to oauth/revoke doesn't revoke expired access tokens.

System configuration

The configuration is pretty much the same as the default with a couple of modifications which don't affect the oauth/revoke endpoint.

Ruby version: 3.0.4


nbulaj commented Aug 2, 2022

Hey, thanks @ShalaQweghen. I have to check what the OAuth RFC says about such a case first.

nbulaj commented Aug 2, 2022

Well, at first sight, no recommendations or restrictions.

Also, are you sure it's possible to use an expired token to get a new token? 🤔 Can you provide an RSpec example, please?

nbulaj commented Aug 2, 2022

Also, nothing in the OAuth 2.0 Threat Model and Security Considerations (https://datatracker.ietf.org/doc/html/rfc6819).


stale bot commented Oct 30, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Oct 30, 2022
@stale stale bot closed this as completed Jan 8, 2023

I have the same issue @ShalaQweghen mentioned. However, it is not about revoking expired access tokens, which is not an issue, but about revoking refresh tokens. E.g. if a request is made to revoke a refresh token that is bound to an expired access token, the refresh token remains intact. As a result, it can be used to get one new access token, or even multiple access tokens in refresh_token_revoked_on_use mode, after it was "revoked".
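The gap both reports describe, as a constructed Ruby model added here rather than Doorkeeper's own code (the TokenStore class, the two revoke strategies and the token values are assumptions): a revoke that skips expired access tokens leaves the bound refresh token usable, while revoking regardless of expiry closes the refresh grant.

```ruby
# Constructed stand-in for an OAuth token table; not Doorkeeper's implementation.
RefreshToken = Struct.new(:value, keyword_init: true)

AccessToken = Struct.new(:value, :expires_at, :revoked, :refresh_token, keyword_init: true) do
  def expired?
    Time.now > expires_at
  end

  def revoked?
    revoked
  end

  def revoke!
    self.revoked = true
  end
end

class TokenStore
  def initialize
    @by_access  = {} # access token value  => AccessToken
    @by_refresh = {} # refresh token value => AccessToken that owns it
  end

  def issue(access:, refresh:, ttl:)
    token = AccessToken.new(value: access, expires_at: Time.now + ttl,
                            revoked: false, refresh_token: RefreshToken.new(value: refresh))
    @by_access[access]   = token
    @by_refresh[refresh] = token
  end

  # Behaviour reported in the issue: an expired access token is left untouched,
  # so the refresh token bound to it is never revoked either.
  def revoke_skipping_expired(access_value)
    token = @by_access[access_value]
    return false if token.nil? || token.expired? || token.revoked?
    token.revoke!
    true
  end

  # The workaround from the issue: revoke unless already revoked, expired or not.
  def revoke_always(access_value)
    token = @by_access[access_value]
    return false if token.nil? || token.revoked?
    token.revoke!
    true
  end

  # Refresh grant: accepted only while the owning access token is not revoked.
  # The old pair is retired on use (refresh_token_revoked_on_use behaviour).
  # Returns the new AccessToken, or nil when the refresh token is rejected.
  def refresh(refresh_value, ttl:)
    old = @by_refresh[refresh_value]
    return nil if old.nil? || old.revoked?
    old.revoke!
    issue(access: "at-#{@by_access.size + 1}", refresh: "rt-#{@by_refresh.size + 1}", ttl: ttl)
  end
end

# Scenario from the issue: the access token expired before the client revoked it.
def refresh_still_works_after_revoke?(strategy)
  store = TokenStore.new
  store.issue(access: 'at-1', refresh: 'rt-1', ttl: -60) # constructed: already expired
  store.public_send(strategy, 'at-1')
  !store.refresh('rt-1', ttl: 3600).nil?
end
```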
