From 35dbb5a59a4e6ff971a46b0cba7738ae177801d5 Mon Sep 17 00:00:00 2001
From: Ajay Bura <32841439+ajbura@users.noreply.github.com>
Date: Mon, 22 Aug 2022 10:35:05 +0530
Subject: [PATCH 1/5] Fix logout not revoking oidc access token
---
 src/matrix/Client.js | 41 +++++++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 18 deletions(-)
diff --git a/src/matrix/Client.js b/src/matrix/Client.js
index 8c1503e0..027fd931 100644
--- a/src/matrix/Client.js
+++ b/src/matrix/Client.js
@@ -481,25 +481,30 @@ export class Client {
 throw new Error(`Could not find session for id ${this._sessionId}`);
 }
 try {
- const hsApi = new HomeServerApi({
- homeserver: sessionInfo.homeServer,
- accessToken: sessionInfo.accessToken,
- request: this._platform.request
- });
- await hsApi.logout({log}).response();
- const oidcApi = new OidcApi({
- issuer: sessionInfo.oidcIssuer,
- clientConfigs: this._platform.config.oidc.clientConfigs,
- clientId: sessionInfo.oidcClientId,
- request: this._platform.request,
- encoding: this._platform.encoding,
- crypto: this._platform.crypto,
- });
- await oidcApi.revokeToken({ token: sessionInfo.accessToken, type: "access" });
- if (sessionInfo.refreshToken) {
- await oidcApi.revokeToken({ token: sessionInfo.refreshToken, type: "refresh" });
+ if (sessionInfo.oidcIssuer) {
+ const oidcApi = new OidcApi({
+ issuer: sessionInfo.oidcIssuer,
+ clientConfigs: this._platform.config.oidc.clientConfigs,
+ clientId: sessionInfo.oidcClientId,
+ request: this._platform.request,
+ encoding: this._platform.encoding,
+ crypto: this._platform.crypto,
+ });
+ await oidcApi.revokeToken({ token: sessionInfo.accessToken, type: "access" });
+ if (sessionInfo.refreshToken) {
+ await oidcApi.revokeToken({ token: sessionInfo.refreshToken, type: "refresh" });
+ }
+ } else {
+ const hsApi = new HomeServerApi({
+ homeserver: sessionInfo.homeServer,
+ accessToken: sessionInfo.accessToken,
+ request: this._platform.request
+ });
+ await hsApi.logout({log}).response();
 }
- } catch (err) {}
+ } catch (err) {
+ console.error(err)
+ }
 await this.deleteSession(log);
 });
 }
From b24e293a8e8e86aa3b94b7d6155c9861d53d9a82 Mon Sep 17 00:00:00 2001
From: Ajay Bura <32841439+ajbura@users.noreply.github.com>
Date: Mon, 22 Aug 2022 10:36:08 +0530
Subject: [PATCH 2/5] Fix revokeToken false after getting response.
---
 src/matrix/net/OidcApi.ts | 1 -
 1 file changed, 1 deletion(-)
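Review bot: In the PATCH 1/5 logout hunk of src/matrix/Client.js, the new `catch (err) { console.error(err) }` still lets `deleteSession(log)` run after a failed revocation, so the local copy of the tokens is discarded while the issuer may still accept them, and the only trace is a browser-console line. A missing `this._platform.config.oidc` would throw inside the same `try` and skip revocation in the same silent way. I would record the failure on the `log` item this method already passes to `deleteSession` instead of the console, and state the intent with a comment such as `// revocation is best-effort: the local session is deleted even if the issuer still honours the tokens`. The inner catch added in PATCH 5/5 uses the same `console.error(err)` pattern; if the error object can carry request details it is safer to log only its message, since the request body holds the token. The enclosing method starts and ends outside the hunk.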
diff --git a/src/matrix/net/OidcApi.ts b/src/matrix/net/OidcApi.ts
index b1e196b0..61b3be7d 100644
--- a/src/matrix/net/OidcApi.ts
+++ b/src/matrix/net/OidcApi.ts
@@ -325,7 +325,6 @@ export class OidcApi {
 const req = this._requestFn(revocationEndpoint, {
 method: "POST",
 headers,
- format: "json",
 body,
 });
 
From aacb4342c56fb2fd6a369f5c157d8fb05a7fd716 Mon Sep 17 00:00:00 2001
From: Ajay Bura <32841439+ajbura@users.noreply.github.com>
Date: Mon, 22 Aug 2022 10:48:05 +0530
Subject: [PATCH 3/5] Fix revoke token type param
---
 src/matrix/Client.js | 4 ++--
 src/matrix/net/OidcApi.ts | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/matrix/Client.js b/src/matrix/Client.js
index 027fd931..c1d48968 100644
--- a/src/matrix/Client.js
+++ b/src/matrix/Client.js
@@ -490,9 +490,9 @@ export class Client {
 encoding: this._platform.encoding,
 crypto: this._platform.crypto,
 });
- await oidcApi.revokeToken({ token: sessionInfo.accessToken, type: "access" });
+ await oidcApi.revokeToken({ token: sessionInfo.accessToken, type: "access_token" });
 if (sessionInfo.refreshToken) {
- await oidcApi.revokeToken({ token: sessionInfo.refreshToken, type: "refresh" });
+ await oidcApi.revokeToken({ token: sessionInfo.refreshToken, type: "refresh_token" });
 }
 } else {
 const hsApi = new HomeServerApi({
diff --git a/src/matrix/net/OidcApi.ts b/src/matrix/net/OidcApi.ts
index 61b3be7d..e5c1838a 100644
--- a/src/matrix/net/OidcApi.ts
+++ b/src/matrix/net/OidcApi.ts
@@ -307,7 +307,7 @@ export class OidcApi {
 async revokeToken({
 token,
 type,
- }: { token: string, type: "refresh" | "access" }): Promise {
+ }: { token: string, type: "refresh_token" | "access_token" }): Promise {
 const revocationEndpoint = await this.revocationEndpoint();
 if (!revocationEndpoint) {
 return;
From 9bf26dadaef0d93cc189c1667fadde5e9757b9b8 Mon Sep 17 00:00:00 2001
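Review bot: In the PATCH 3/5 hunk of src/matrix/net/OidcApi.ts, `revokeToken` returns without sending anything when `revocationEndpoint()` yields no value, so the logout caller in Client.js cannot tell "revoked" from "nothing was revoked" and goes on to delete the session as if the tokens were invalidated. That contract should at least be documented on the method, for example `/** Resolves without revoking anything when no revocation endpoint is available. */`, and a boolean result would let logout record the difference. Because Client.js is plain JavaScript, the narrowed `"refresh_token" | "access_token"` union presumably does not check the call sites changed in the same patch, so shared constants for the two values would guard against the mismatch this patch corrects. The method body continues outside the hunk.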
From: Hugh Nimmo-Smith
Date: Mon, 22 Aug 2022 10:46:28 +0100
Subject: [PATCH 4/5] fix: use correct param name for token_type_hint
---
 src/matrix/net/OidcApi.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/matrix/net/OidcApi.ts b/src/matrix/net/OidcApi.ts
index e5c1838a..c9fc9134 100644
--- a/src/matrix/net/OidcApi.ts
+++ b/src/matrix/net/OidcApi.ts
@@ -314,7 +314,7 @@ export class OidcApi {
 }
 
 const params = new URLSearchParams();
- params.append("token_type", type);
+ params.append("token_type_hint", type);
 params.append("token", token);
 params.append("client_id", await this.clientId());
 const body = params.toString();
From b602c16eb7997dbec36e39cf0ce0eb0031d39cac Mon Sep 17 00:00:00 2001
From: Hugh Nimmo-Smith
Date: Mon, 22 Aug 2022 10:46:55 +0100
Subject: [PATCH 5/5] fix: try and revoke refresh token even if access token revocation fails
---
 src/matrix/Client.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/matrix/Client.js b/src/matrix/Client.js
index c1d48968..05589606 100644
--- a/src/matrix/Client.js
+++ b/src/matrix/Client.js
@@ -490,7 +490,14 @@ export class Client {
 encoding: this._platform.encoding,
 crypto: this._platform.crypto,
 });
- await oidcApi.revokeToken({ token: sessionInfo.accessToken, type: "access_token" });
+
+ // if access token revocation fails then we still want to try and revoke the refresh token
+ try {
+ await oidcApi.revokeToken({ token: sessionInfo.accessToken, type: "access_token" });
+ } catch (err) {
+ console.error(err);
+ }
+
 if (sessionInfo.refreshToken) {
 await oidcApi.revokeToken({ token: sessionInfo.refreshToken, type: "refresh_token" });
 }
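Review bot: The parameter list in the PATCH 4/5 hunk of src/matrix/net/OidcApi.ts has no comment naming the spec it follows, and two patches in this series were needed to get the names and values right. I would add `// RFC 7009 section 2.1: "token" is required; "token_type_hint" is optional and only a hint` above the first `params.append`. The visible lines also send `client_id` in the body with no client authentication, which matches a public client; if that is the intent, the same comment is a good place to say so. The method starts and ends outside the hunk.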
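Review bot: In the PATCH 5/5 hunk of src/matrix/Client.js, the access token is still revoked before the refresh token, and the refresh-token call has no handler of its own, so its failure falls through to the outer catch, which is outside the hunk. RFC 7009 says an authorization server SHOULD invalidate the access tokens of a grant when its refresh token is revoked but only MAY do the reverse, so revoking the refresh token first leaves less behind if logout is interrupted between the two requests. I would move the refresh-token block above the new `try` and give each revocation its own handler, as sketched below; the sketch keeps the hunk's existing error reporting unchanged.

```javascript
// … unchanged: OidcApi construction …

// revoke the refresh token first; each revocation is attempted even if the other fails
if (sessionInfo.refreshToken) {
    try {
        await oidcApi.revokeToken({ token: sessionInfo.refreshToken, type: "refresh_token" });
    } catch (err) {
        console.error(err);
    }
}
try {
    await oidcApi.revokeToken({ token: sessionInfo.accessToken, type: "access_token" });
} catch (err) {
    console.error(err);
}
```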