feat: add rp.RevokeToken (#231)

* feat: add rp.RevokeToken * add missing lines after conflict resolving Co-authored-by: Livio Spring <livio.a@gmail.com>
2022-11-14 22:35:16 -08:00 · 2022-11-14 22:35:16 -08:00 · 39852f6021
commit 39852f6021
parent 0847a5985a
6 changed files with 88 additions and 5 deletions
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@ -109,6 +109,47 @@ func CallEndSessionEndpoint(request interface{}, authFn interface{}, caller EndS
 	return location, nil
 }

+type RevokeCaller interface {
+	GetRevokeEndpoint() string
+	HttpClient() *http.Client
+}
+
+type RevokeRequest struct {
+	Token         string `schema:"token"`
+	TokenTypeHint string `schema:"token_type_hint"`
+	ClientID      string `schema:"client_id"`
+	ClientSecret  string `schema:"client_secret"`
+}
+
+func CallRevokeEndpoint(request interface{}, authFn interface{}, caller RevokeCaller) error {
+	req, err := httphelper.FormRequest(caller.GetRevokeEndpoint(), request, Encoder, authFn)
+	if err != nil {
+		return err
+	}
+	client := caller.HttpClient()
+	client.CheckRedirect = func(_ *http.Request, _ []*http.Request) error {
+		return http.ErrUseLastResponse
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	// According to RFC7009 in section 2.2:
+	// "The content of the response body is ignored by the client as all
+	// necessary information is conveyed in the response code."
+	if resp.StatusCode != 200 {
+		// TODO: switch to io.ReadAll when go1.15 support is retired
+		body, err := ioutil.ReadAll(resp.Body)
+		if err == nil {
+			return fmt.Errorf("revoke returned status %d and text: %s", resp.StatusCode, string(body))
+		} else {
+			return fmt.Errorf("revoke returned status %d", resp.StatusCode)
+		}
+	}
+	return nil
+}
+
 func NewSignerFromPrivateKeyByte(key []byte, keyID string) (jose.Signer, error) {
 	privateKey, err := crypto.BytesToPrivateKey(key)
 	if err != nil {
--- a/pkg/client/rp/relying_party.go
+++ b/pkg/client/rp/relying_party.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/base64"
 	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
@ -52,6 +53,9 @@ type RelyingParty interface {
 	// GetEndSessionEndpoint returns the endpoint to sign out on a IDP
 	GetEndSessionEndpoint() string

+	// GetRevokeEndpoint returns the endpoint to revoke a specific token
+	// "GetRevokeEndpoint() string" will be added in a future release
+
 	// UserinfoEndpoint returns the userinfo
 	UserinfoEndpoint() string

@ -121,6 +125,10 @@ func (rp *relyingParty) GetEndSessionEndpoint() string {
 	return rp.endpoints.EndSessionURL
 }

+func (rp *relyingParty) GetRevokeEndpoint() string {
+	return rp.endpoints.RevokeURL
+}
+
 func (rp *relyingParty) IDTokenVerifier() IDTokenVerifier {
 	if rp.idTokenVerifier == nil {
 		rp.idTokenVerifier = NewIDTokenVerifier(rp.issuer, rp.oauthConfig.ClientID, NewRemoteKeySet(rp.httpClient, rp.endpoints.JKWsURL), rp.verifierOpts...)
@ -491,6 +499,7 @@ type Endpoints struct {
 	UserinfoURL   string
 	JKWsURL       string
 	EndSessionURL string
+	RevokeURL     string
 }

 func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints {
@ -504,6 +513,7 @@ func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints {
 		UserinfoURL:   discoveryConfig.UserinfoEndpoint,
 		JKWsURL:       discoveryConfig.JwksURI,
 		EndSessionURL: discoveryConfig.EndSessionEndpoint,
+		RevokeURL:     discoveryConfig.RevocationEndpoint,
 	}
 }

@ -584,3 +594,21 @@ func EndSession(rp RelyingParty, idToken, optionalRedirectURI, optionalState str
 	}
 	return client.CallEndSessionEndpoint(request, nil, rp)
 }
+
+// RevokeToken requires a RelyingParty that is also a client.RevokeCaller.  The RelyingParty
+// returned by NewRelyingPartyOIDC() meets that criteria, but the one returned by
+// NewRelyingPartyOAuth() does not.
+//
+// tokenTypeHint should be either "id_token" or "refresh_token".
+func RevokeToken(rp RelyingParty, token string, tokenTypeHint string) error {
+	request := client.RevokeRequest{
+		Token:         token,
+		TokenTypeHint: tokenTypeHint,
+		ClientID:      rp.OAuthConfig().ClientID,
+		ClientSecret:  rp.OAuthConfig().ClientSecret,
+	}
+	if rc, ok := rp.(client.RevokeCaller); ok && rc.GetRevokeEndpoint() != "" {
+		return client.CallRevokeEndpoint(request, nil, rc)
+	}
+	return fmt.Errorf("RelyingParty does not support RevokeCaller")
+}