Conversation

@graziang
Contributor

@graziang graziang commented Mar 4, 2025

Closes #37120

This PR addresses the following scenario:

If you start with at1, rt1 with the subject_client and refresh the tokens several times, you can obtain at2, rt2 and at3, rt3. If allowed, you can use one of these tokens as subject-token to perform token exchange, requesting a refresh token and obtaining at4, rt4 for requester-client with a new client session for requester-client.

Now, suppose you perform another token exchange using requester-client2, using at4 as subject_token, and obtain at5, rt5.

With this PR, if any of at1, rt1, at2, rt2, at3, rt3 is revoked via the revocation endpoint, at4 and rt4 are also revoked, and the corresponding client session for requester-client is deleted. at5 and rt5 are also revoked, along with the client session for requester-client2.

To implement this revocation chain, a client session note is used to track the client-id of the subject_token.

A detail has been added to the REVOKE_GRANT event to track the revoked client ids due to token exchange. A test has been added for the described cases.
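As an added illustration, not Keycloak's code, the following minimal Python model shows the revocation chain described above: a client session created by token exchange records the client id of its subject_token in a note, and revoking any token of a client cascades to every client session whose note points back at a client revoked in the same chain. The note key, the method names and the event detail name are assumptions made for this model.

```python
from dataclasses import dataclass, field

SUBJECT_CLIENT_NOTE = "subject_client_id"  # assumed note key, not Keycloak's actual name


@dataclass(frozen=True)
class Token:
    """Access or refresh token; every token of a client maps to that client's session."""
    client_id: str

@dataclass
class ClientSession:
    client_id: str
    notes: dict = field(default_factory=dict)

class UserSession:
    def __init__(self):
        self.client_sessions = {}  # client_id -> ClientSession

    def issue(self, client_id):
        """Direct grant or refresh: reuses the client's own client session (at1..rt3)."""
        self.client_sessions.setdefault(client_id, ClientSession(client_id))
        return Token(client_id)

    def exchange(self, subject_token, requester_client):
        """Token exchange: new client session noting the subject token's client id."""
        if not self.is_active(subject_token):
            raise ValueError("subject_token is not active")
        note = {SUBJECT_CLIENT_NOTE: subject_token.client_id}
        self.client_sessions[requester_client] = ClientSession(requester_client, note)
        return Token(requester_client)

    def is_active(self, token):
        return token.client_id in self.client_sessions

    def revoke(self, token):
        """Revocation endpoint: drop the token's client session, then every client
        session whose note points at a client already revoked in this chain."""
        chained = []
        pending = [token.client_id]
        while pending:
            cid = pending.pop(0)
            if self.client_sessions.pop(cid, None) is None:
                continue  # already gone (e.g. revoked earlier)
            if cid != token.client_id:
                chained.append(cid)
            pending += [cs.client_id for cs in self.client_sessions.values()
                        if cs.notes.get(SUBJECT_CLIENT_NOTE) == cid]
        return {"type": "REVOKE_GRANT", "client_id": token.client_id,
                "details": {"token_exchange_revoked_clients": chained}}  # assumed detail name
```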

Contributor

@mposolda mposolda left a comment


@graziang Thanks! I think the approach is good. Besides that, how about this scenario we discussed:

  • Token at1 of client initial-client was used as subject_token and was exchanged for refresh token rt2 + access token at2 of client requester1.
  • Then access token at2 is used as subject_token for another exchange to receive refresh token rt3 of client requester2.
  • Then after revocation of at1, it can be nice to revoke both rt2 and rt3 and their client session.

I think this is not yet in your PR, is that correct? But it can probably be good to do?

@graziang
Contributor Author

graziang commented Mar 5, 2025

@mposolda thanks for the review. Applied your suggestions and added some description to the PR.

mposolda
mposolda previously approved these changes Mar 6, 2025
Contributor

@mposolda mposolda left a comment


@graziang Thanks! I hope to merge if tests are OK (I don't think UI tests failing in this PR are regression of this change, so hopefully re-run will help)

@graziang
Contributor Author

@mposolda rebased and added a commit for the changed methods in StandardTokenExchangeV2Test for token introspection. Hope for the tests

Closes keycloak#37120

Signed-off-by: Giuseppe Graziano <[email protected]>

changed introspection method in StandardTokenExchangeV2Test

Closes keycloak#37120

Signed-off-by: Giuseppe Graziano <[email protected]>
@mposolda
Contributor

@graziang Thanks for the rebase and update of the PR!

@mposolda mposolda merged commit 0b3cfde into keycloak:main Mar 10, 2025
77 checks passed

Successfully merging this pull request may close these issues.

Revocation: Figure revocation of refresh-token chain
