Revocation Access Token

tangkhaiphuong · May 8, 2018, 9:28am

Hi, I make the request to logout via revocation API and log from console docker:

time="2018-05-05T04:08:15Z" level=info msg="started handling request" method=POST remote="172.18.0.1:35800" request=/oauth2/revoke
time="2018-05-05T04:08:15Z" level=error msg="An error occurred" error=revokation_client_mismatch
time="2018-05-05T04:08:15Z" level=info msg="completed handling request"

The client which I use to authentication: Base from (https://stackoverflow.com/questions/45714067/configure-spring-security-with-hydra-oauth-2-0/49283337#49283337) After inspection successfully

docker run --rm -it --network hydra-network -e CLUSTER_URL=https://ory-hydra:4444 -e CLIENT_ID=admin -e CLIENT_SECRET=abc oryd/hydra:v0.11.12-alpine clients create --skip-tls-verify --id my-rest-api --secret abc --grant-types client_credentials --response-types token --allowed-scopes hydra.introspect  

docker run --rm -it --network hydra-network -e CLUSTER_URL=https://ory-hydra:4444 -e CLIENT_ID=admin -e CLIENT_SECRET=abc oryd/hydra:v0.11.12-alpine policies create --skip-tls-verify  --actions introspect --description "Policy to introspect tokens from my api"  --allow --id accesstoken_introsp-policy --resources "rn:hydra:oauth2:tokens" --subjects my-rest-api

It seems the client doesn’t allow revoking access token. So how to create a client which have the policy to allow revoking?

tangkhaiphuong · May 5, 2018, 4:40am

I can revocation by client who make request to get access token.

nehsshine · May 22, 2018, 4:05pm

@tangkhaiphuong what authorization did you provide while making a request to /oauth2/revoke and where did you pass the access token to be revoked? in query parameters or body?

tangkhaiphuong · May 23, 2018, 3:32am

Please use clientId & secret from client account which creates the access token.

Ex: If your client have clientId = abc & clientSecret=abc. Then you use this client to authenticate and create access/refresh/identity token. Then you must use this client to authenticate for revocation access token)

The access token must pass in the body of the request.
I use IdentityModel to consume OAuth2 API: https://github.com/IdentityModel/IdentityModel2

 private async void LogoutButton_Click(object sender, EventArgs e)
        {
            if (string.IsNullOrEmpty(AccessTokenDisplay.Text)) return;

            var introspectionClient = new TokenRevocationClient("https://oauth2.<domain>.com/oauth2/revoke", _options.ClientId, _options.ClientSecret);
            var result = await introspectionClient.RevokeAsync(new TokenRevocationRequest
            {
                Token = AccessTokenDisplay.Text
            });

            if (result.IsError)
            {
                MessageBox.Show(this, result.Error, "Revocation", MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }
            OtherDataDisplay.Text = result.Raw;
        }