Priority: Minor
Original Assignee: Dave Syer
Reporter: Harleen Sahni
Created At: Tue, 7 Jan 2014 21:19:50 +0000
Last Updated on Jira: Wed, 8 Jan 2014 14:47:05 +0000
Add support for the proposed standard for oauth2 revocation, basically support requests such as:
POST /revoke HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
to revoke tokens.
See http://tools.ietf.org/html/rfc7009
I think it might be a mistake to add support while the standard is still "proposed". All the pieces are there to build such an endpoint using ConsumerTokenServices, and the sparklr sample already has a version of it at /oauth/users/tokens/{token}. A pull request to convert that to /oauth/revoke with a form parameter might work, but the sparklr endpoint doesn't use Basic auth - it seems better to only permit revoking tokens that you actually own (as a user) so the existing endpoint is secured as an OAuth resource - so I'm not sure it would be a great idea just now.
Isn't the OAuth2 standard just a "proposed" standard? I think this would be a good feature to have in the library, or at least an example in sparklr that follows the spec (the existing example does not follow the spec).
The "OAuth 2.0 Token Revocation" [RFC7009] was published as an accepted Standard by the Internet Engineering Task Force (IETF) in August 2013 and is no longer a "proposed" standard.
@dfcoffin it still says "Proposed Standard" on all the links I found.
@dsyer
I posted the following inquiry on the IETF OAuth WG email server:
What is the official status of RFC 7009 OAuth 2.0 Token Revocation?
Is it still a proposed standard or has it been accepted as an internet standard? The document implies it became a standard in August 2013, but several sites, including the ISOC, list it as a proposed standard.
Best regards,
Don
Donald F. Coffin
Founder/CTO
REMI Networks
2335 Dunwoody Crossing Suite E
Dunwoody, GA 30338
Justin Richer, a member of the IETF OAuth WG, sent me the following response to my posting:
If you'll notice, RFC6749 is also Proposed Standard, as are most of the RFCs published out of IETF working groups. This is actually the final state for many protocols, and it's not until many years of wide deployment that things move up the classification stack.
So in short, yes, it's a standard.
-- Justin
Based on the above response, can the implementation of [RFC 7009] OAuth 2.0 Token Revocation get scheduled for support by the Spring Security OAuth project?
+1 @dfcoffin. I may just go ahead and submit a PR to get this implemented. I already have a version of this that follows the spec for a local project. If you are interested in doing this yourself, you'll probably want to extend AuthorizationServerSecurityConfiguration and protect your revoke endpoint there (so it authenticates using client credentials via HTTP basic, per the spec). Then go ahead and build a standard Spring MVC controller for /oauth/revoke. Here's a gist demonstrating this: https://gist.github.com/ccampo133/c3ae35a1fe5bfb794cc7
This was the best I could do without modifying the actual OAuth2 library itself. Hopefully this helps :).
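As an added example (not the project's own code and not the gist linked above): a Spring MVC controller for /oauth/revoke on spring-security-oauth2 2.x that handles both access and refresh token values and also enforces the RFC 7009 section 2.1 rule that a token may only be revoked by the client it was issued to, which addresses the "only revoke tokens you actually own" concern raised earlier in the thread. It assumes the path is already protected with HTTP Basic client credentials as the comment above describes, so that the request Principal is the client id; the class name is hypothetical.

```java
import java.security.Principal;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseStatus;

@Controller
public class RevocationEndpoint { // hypothetical class name; not part of spring-security-oauth2
    @Autowired private TokenStore tokenStore;
    // RFC 7009 2.1: form-encoded POST carrying "token". The optional "token_type_hint" is accepted
    // but ignored (2.1 allows that) because both token types are searched anyway. The security
    // config (assumed, not shown) requires HTTP Basic client credentials on this path, so "client"
    // is the authenticated OAuth client rather than an end user.
    @RequestMapping(value = "/oauth/revoke", method = RequestMethod.POST)
    @ResponseStatus(HttpStatus.OK) // 2.2: an unknown or already-revoked token still answers 200
    public void revoke(@RequestParam("token") String token, Principal client) {
        if (!revokeAccess(token, client.getName())) revokeRefresh(token, client.getName());
    }
    @ExceptionHandler(InvalidClientException.class)
    @ResponseStatus(HttpStatus.BAD_REQUEST) // 2.1: a token issued to another client is refused
    public void refused() {}
    private boolean revokeAccess(String value, String clientId) {
        OAuth2AccessToken at = tokenStore.readAccessToken(value);
        if (at == null) return false;
        checkOwner(tokenStore.readAuthentication(at), clientId);
        if (at.getRefreshToken() != null) tokenStore.removeRefreshToken(at.getRefreshToken());
        tokenStore.removeAccessToken(at);
        return true;
    }
    private boolean revokeRefresh(String value, String clientId) {
        OAuth2RefreshToken rt = tokenStore.readRefreshToken(value);
        if (rt == null) return false;
        checkOwner(tokenStore.readAuthenticationForRefreshToken(rt), clientId);
        tokenStore.removeAccessTokenUsingRefreshToken(rt); // the whole grant goes (section 2)
        tokenStore.removeRefreshToken(rt);
        return true;
    }
    private void checkOwner(OAuth2Authentication auth, String clientId) {
        if (auth == null || !clientId.equals(auth.getOAuth2Request().getClientId()))
            throw new InvalidClientException("token was not issued to client " + clientId);
    }
}
```

Because the ownership check runs before anything is removed, a client presenting someone else's token gets a 400 and the token stays valid, while a genuinely unknown token is answered with 200 so the endpoint does not reveal which token values exist.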
+1
+1
+1
+1
+1
+1
+1
Is this on the roadmap yet?
+1
A DELETE method on the /auth/token endpoint would also be elegant
@dfcoffin As an FYI, we are limiting new features and only accepting bug fixes and minor enhancements as this project is in maintenance mode. Our efforts are focused on the new OAuth support we are building into Spring Security core project. We just released 5.0.0.M1 which provides support for the client-side and we hope to get to the server-side support soon.
Do we have any timelines on implementation of RFC 7009 in the near future?
@bas-velthuizen No, it wouldn't. You cannot delete the /auth/token resource. It would need to be /auth/token/{token}.