Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Token revoke endpoint & public clients #12053

Open
Kichiyaki opened this issue Nov 16, 2024 · 1 comment
Open

Token revoke endpoint & public clients #12053

Kichiyaki opened this issue Nov 16, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@Kichiyaki
Copy link

Describe the bug
It's not possible to revoke a token via /application/o/revoke/ without providing client_secret for public clients.

To Reproduce
Steps to reproduce the behavior:

  1. Create an oauth2 provider with client type=public.
  2. Authorize using the created provider.
  3. Generate tokens.
  4. Try revoking the access/refresh token via /application/o/revoke/.

Expected behavior
Public clients can revoke a token via /application/o/revoke/ without providing client_secret.

Screenshots
If applicable, add screenshots to help explain your problem.

Logs
Output of docker-compose logs or kubectl logs respectively

Version and Deployment (please complete the following information):

  • authentik version: 2024.10.2
  • Deployment: docker-compose

Additional context
The RFC states that a client's request must contain a valid client_id, in the case of a public client, or valid client credentials, in the case of a confidential client.

I believe the culprit is this function: https://github.com/goauthentik/authentik/blob/main/authentik/providers/oauth2/utils.py#L181.

@Kichiyaki Kichiyaki added the bug Something isn't working label Nov 16, 2024
@Kichiyaki
Copy link
Author

Workaround: change client type to confidential and set client_secret to an empty string (via UI, I couldn't do it via Terraform) and change it back to public.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant