
Doorkeeper Revoke Token

I'm implementing OAuth 2 in my application, and I already have login/refresh token working, but I'm having some trouble with logout.

I have this set of routes generated by Doorkeeper:

Routes for Doorkeeper::Engine:
          authorization GET    /authorize(.:format)                   doorkeeper/authorizations#new
          authorization POST   /authorize(.:format)                   doorkeeper/authorizations#create
          authorization DELETE /authorize(.:format)                   doorkeeper/authorizations#destroy
                  token POST   /token(.:format)                       doorkeeper/tokens#create
           applications GET    /applications(.:format)                doorkeeper/applications#index
                        POST   /applications(.:format)                doorkeeper/applications#create
        new_application GET    /applications/new(.:format)            doorkeeper/applications#new
       edit_application GET    /applications/:id/edit(.:format)       doorkeeper/applications#edit
            application GET    /applications/:id(.:format)            doorkeeper/applications#show
                        PUT    /applications/:id(.:format)            doorkeeper/applications#update
                        DELETE /applications/:id(.:format)            doorkeeper/applications#destroy
authorized_applications GET    /authorized_applications(.:format)     doorkeeper/authorized_applications#index
 authorized_application DELETE /authorized_applications/:id(.:format) doorkeeper/authorized_applications#destroy

What I want to do is revoke a token on the server, so I think the service that I must call is "DELETE /authorize", right? But I have tried a lot of different ways to consume this service and I only receive errors.

By the way, I don't know if it is correct to revoke the token on the server or only to delete it from the application?

PS: I'm using AFNetworking 2 on iOS 7 for my client.

This does not really answer the question, but provides related information.

I had the issue where Doorkeeper would validate any user/password combination on a Resource Owner Password Credentials Grant request after any prior authorization had been made with a valid user/password combination. The scenario was:

  • client gets authorization using a valid user name and password
  • client resets/forgets the authorization token in order to end the authorization
  • client can get a new authorization using any user name and password; it is authorized as the original user.

This turned out to be Warden keeping the authorized user in a session, and my iOS client happily maintaining the session for me.

I solved this by having Warden immediately sign out the user after authenticating. This works because, on an authorized request, OAuth gets the current user stored with the authorization token. It does not need to have the user in a session.

The following is from config/initializers/doorkeeper.rb. The last two lines do the sign-out after authorization.

# Goes inside the Doorkeeper.configure do ... end block.
# Called for the Resource Owner Password Credentials Grant.
resource_owner_from_credentials do
  # Map the OAuth username/password params onto the shape Devise's
  # database strategy expects, and let it authenticate from params.
  request.params[:user] = { email: request.params[:username], password: request.params[:password] }
  request.env["devise.allow_params_authentication"] = true
  user = request.env["warden"].authenticate!(scope: :user)
  # Sign the user out of the Warden session at once, so the session cookie
  # cannot satisfy the next token request by itself.
  request.env["warden"].logout
  user
end

If I understand you correctly, the issue is: 1) the user goes to the client application and clicks log in; 2) the client application gets authentication from the OAuth server, and the user is asked for username/password at this time; 3) the user clicks logout in the client application; 4) the user clicks login again in the client application, and it automatically signs him in using the old authenticated token rather than asking for username and password again, which is what you want.

If that's your problem, it has to do with cookies. Check the cookies being sent in each request. In my case, I had to add a line

cookies.delete '_oauth_server_name_session'

and it worked then. You can confirm it's a cookie issue first, because if you switch browsers (or go into incognito mode) this won't happen.
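The following is an added example, not code from either answer above and not Warden's or Doorkeeper's own API: a small Ruby model of why a session cookie lets the password grant accept bogus credentials, and why both fixes described above stop it (the first answer's logout right after authenticating, and the second answer's point that the session cookie must not be carried into the next request). Session, WardenLike, InvalidCredentials, the user table and the helper names are constructed for illustration; the session key name mirrors the "warden.user.<scope>.key" key Warden stores the user under, and the order of checks (session first, password strategy only on a miss) is what Warden's authenticate! does.

```ruby
# Constructed user table for the example.
USERS = { "alice@example.com" => "correct horse" }.freeze

class InvalidCredentials < StandardError; end

# Stand-in for the Rack session that the session cookie carries between requests.
class Session
  attr_reader :data
  def initialize
    @data = {}
  end
end

# Stand-in for a Warden proxy. Like Warden, it consults the session before
# running any strategy, so a session hit means the credentials in the current
# request are never examined.
class WardenLike
  KEY = "warden.user.user.key".freeze

  def initialize(session)
    @session = session
  end

  def authenticate!(email, password)
    return @session.data[KEY] if @session.data.key?(KEY)   # session hit: params ignored
    raise InvalidCredentials unless USERS[email] == password
    @session.data[KEY] = email                              # Warden stores the user in the session
    email
  end

  def logout
    @session.data.delete(KEY)
  end
end

# Password-grant handler as it behaves without the fix.
def resource_owner_without_logout(warden, email, password)
  warden.authenticate!(email, password)
end

# Password-grant handler with the first answer's fix: sign out right after authenticating.
def resource_owner_with_logout(warden, email, password)
  user = warden.authenticate!(email, password)
  warden.logout
  user
end

# Simulate two token requests: a valid one, then one with bogus credentials.
# Returns who the second request is authenticated as, or nil if it is rejected.
#   logout_after_auth:   apply the first answer's fix on the server
#   client_keeps_cookie: the client sends the session cookie again (the iOS
#                        client did); false models deleting it / a fresh browser
def second_request_owner(logout_after_auth:, client_keeps_cookie:)
  handler = logout_after_auth ? method(:resource_owner_with_logout)
                              : method(:resource_owner_without_logout)
  jar = Session.new
  handler.call(WardenLike.new(jar), "alice@example.com", "correct horse")
  jar = Session.new unless client_keeps_cookie
  handler.call(WardenLike.new(jar), "mallory@example.com", "wrong")
rescue InvalidCredentials
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "no fix, cookie kept:   #{second_request_owner(logout_after_auth: false, client_keeps_cookie: true).inspect}"
  puts "logout fix, cookie kept: #{second_request_owner(logout_after_auth: true, client_keeps_cookie: true).inspect}"
  puts "no fix, cookie dropped:  #{second_request_owner(logout_after_auth: false, client_keeps_cookie: false).inspect}"
end
```

The first case reproduces the bug: the bogus request comes back as alice because the session, not the credentials, decided the outcome. Either fix breaks that link, the server-side logout by never leaving a user in the session, the client-side cookie deletion by never presenting it; in a token-based API, the server-side fix is the one that does not depend on every client behaving.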
