OAuth2: Revocation with Basic auth no longer possible #644

Closed
raphaelm opened this issue Jan 9, 2019 · 5 comments
Labels: Bug, OAuth2-Provider (This impact the provider part of OAuth2)

Comments

raphaelm commented Jan 9, 2019

Describe the bug

When using the revocation endpoint, an error code 401 is returned even though client authentication is valid.

How to reproduce

  • Call RevocationEndpoint.create_revocation_response with a headers dictionary containing the client authorization.
  • Notice that this parameter is ignored completely. Clearly, it is overridden instantly:

```python
# Excerpt of RevocationEndpoint in oauthlib 3.0.0; Request is oauthlib.common.Request.
def create_revocation_response(self, uri, http_method='POST', body=None,
                               headers=None):
    """Revoke supplied access or refresh token.

    The authorization server responds with HTTP status code 200 if the
    token has been revoked successfully or if the client submitted an
    invalid token.

    Note: invalid tokens do not cause an error response since the client
    cannot handle such an error in a reasonable way. Moreover, the purpose
    of the revocation request, invalidating the particular token, is
    already achieved.

    The content of the response body is ignored by the client as all
    necessary information is conveyed in the response code.

    An invalid token type hint value is ignored by the authorization server
    and does not influence the revocation response.
    """
    # The caller's headers (including the client's Authorization header)
    # are replaced by the response headers here, so they never reach Request:
    headers = {
        'Content-Type': 'application/json',
        'Cache-Control': 'no-store',
        'Pragma': 'no-cache',
    }
    request = Request(
        uri, http_method=http_method, body=body, headers=headers)
```

Expected behavior

I expected this parameter to be respected

Additional context

  • OAuth2
  • This happened with django-oauth-toolkit after upgrading to oauthlib 3.0.0
  • We're implementing a provider
@raphaelm raphaelm changed the title OAuth2: Revocation no longer possible OAuth2: Revocation with Basic auth no longer possible Jan 9, 2019
@JonathanHuot JonathanHuot added Bug OAuth2-Provider This impact the provider part of OAuth2 labels Jan 9, 2019
@JonathanHuot JonathanHuot added this to the 3.0.1 milestone Jan 9, 2019
@JonathanHuot JonathanHuot self-assigned this Jan 9, 2019
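A stand-alone model of the defect and of the behaviour the reporter expected, added here as an example; it is not code from oauthlib or django-oauth-toolkit. `revoke_buggy` mirrors the snippet above by overwriting the caller's headers with the response headers before the client is authenticated, so a valid HTTP Basic credential still yields 401; `revoke_fixed` authenticates against the request headers and builds the response headers separately. The client registry, token store, header parsing and credential values are constructed for the example and are assumptions, not oauthlib's own API.

```python
import base64
import hmac

# Constructed example data (not oauthlib's storage): registered clients and live tokens.
CLIENTS = {"client-abc": "s3cret"}
ACTIVE_TOKENS = {"tok-1", "tok-2"}

# Headers the endpoint puts on its *response* (same values as in the oauthlib snippet).
RESPONSE_HEADERS = {
    'Content-Type': 'application/json',
    'Cache-Control': 'no-store',
    'Pragma': 'no-cache',
}


def basic_auth_header(client_id, secret):
    """Build the value a client sends as `Authorization: Basic <base64(id:secret)>`."""
    raw = f"{client_id}:{secret}".encode('utf-8')
    return 'Basic ' + base64.b64encode(raw).decode('ascii')


def parse_basic_auth(headers):
    """Return (client_id, secret) from a Basic Authorization header, or None if absent/malformed."""
    value = headers.get('Authorization') or headers.get('authorization')
    if not value or not value.startswith('Basic '):
        return None
    try:
        decoded = base64.b64decode(value[len('Basic '):], validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    client_id, sep, secret = decoded.partition(':')
    if not sep:
        return None
    return client_id, secret


def authenticate_client(headers):
    """True only if the header names a registered client and its secret matches."""
    creds = parse_basic_auth(headers)
    if creds is None:
        return False
    client_id, secret = creds
    expected = CLIENTS.get(client_id)
    if expected is None:
        return False
    # Constant-time comparison so secret verification does not leak timing information.
    return hmac.compare_digest(secret.encode('utf-8'), expected.encode('utf-8'))


def revoke_buggy(headers, token):
    """Mirrors the 3.0.0 defect: the caller's headers are overwritten before use,
    so the client's Authorization header is never seen and every call gets 401."""
    headers = dict(RESPONSE_HEADERS)  # same mistake as in the snippet above
    if not authenticate_client(headers):
        return 401, dict(RESPONSE_HEADERS)
    ACTIVE_TOKENS.discard(token)
    return 200, dict(RESPONSE_HEADERS)


def revoke_fixed(headers, token):
    """Authenticate with the *request* headers; build the response headers separately.
    As the docstring above (and RFC 7009) says, an unknown token still yields 200:
    the goal of the request, the token not being active, is already met."""
    request_headers = headers or {}
    if not authenticate_client(request_headers):
        return 401, dict(RESPONSE_HEADERS)
    ACTIVE_TOKENS.discard(token)
    return 200, dict(RESPONSE_HEADERS)


def is_token_active(token):
    """Constructed helper so a caller can observe whether revocation took effect."""
    return token in ACTIVE_TOKENS
```

Keeping request headers and response headers in separate variables is the whole fix: the response headers (`no-store`, `no-cache`) exist to stop caches retaining the revocation reply, and they have no business replacing the credentials the client sent.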
JonathanHuot (Member) commented

Could you check if #645 resolved your issue?

It seems that oauthlib was lacking unit tests around the combination of HTTP Basic Auth and Introspect/Revoke endpoints. Those have been added, too.

raphaelm (Author) commented Jan 9, 2019

Seems to fix the problem, yes.

raphaelm (Author) commented Jan 9, 2019

Thank you for the fast response! ❤️

aodag commented Jan 22, 2019

I got the same problem; I want to use a fixed release.

JonathanHuot (Member) commented

@raphaelm / @aodag : oauthlib 3.0.1 is now released.
