
I'm implementing OAuth 2 in my application, and I already have Login/Refresh Token, but I'm having some trouble with logout.

I have this set of routes generated by Doorkeeper:

Routes for Doorkeeper::Engine:
          authorization GET    /authorize(.:format)                   doorkeeper/authorizations#new
          authorization POST   /authorize(.:format)                   doorkeeper/authorizations#create
          authorization DELETE /authorize(.:format)                   doorkeeper/authorizations#destroy
                  token POST   /token(.:format)                       doorkeeper/tokens#create
           applications GET    /applications(.:format)                doorkeeper/applications#index
                        POST   /applications(.:format)                doorkeeper/applications#create
        new_application GET    /applications/new(.:format)            doorkeeper/applications#new
       edit_application GET    /applications/:id/edit(.:format)       doorkeeper/applications#edit
            application GET    /applications/:id(.:format)            doorkeeper/applications#show
                        PUT    /applications/:id(.:format)            doorkeeper/applications#update
                        DELETE /applications/:id(.:format)            doorkeeper/applications#destroy
authorized_applications GET    /authorized_applications(.:format)     doorkeeper/authorized_applications#index
 authorized_application DELETE /authorized_applications/:id(.:format) doorkeeper/authorized_applications#destroy

What I want to do is revoke a token on the server, so I think the service that I must call is "DELETE /authorize", right? But I tried a lot of different ways to consume this service and I only receive errors.

By the way, I don't know if it is correct to revoke the token on the server or only delete it from the application?

PS: I'm using AFNetworking 2 in iOS 7 for my client.

FxckDead
  • Up-voted this question. My client will forget the token and refresh token no problem. Only the server still has an authenticated user. When the client authenticates again, it gets that user. Very likely this is something I'm doing wrong on the server side. Still, it seems that the server ought to be informed that the token should no longer be honored. – Douglas Lovell Feb 26 '14 at 04:02

2 Answers


This does not really answer the question, but provides related information.

I had the issue where doorkeeper would validate any user/password combination on a Resource Owner Password Credentials Grant request after having made any prior authorization to a valid user/password combination. Scenario was:

  • client gets authorization using valid user name and password
  • client resets/forgets authorization token in order to end authorization
  • client can get a new authorization using any user name and password, authorizes for the original user.

This turned out to be Warden keeping the authorized user in a session, and my iOS client happily maintaining the session for me.

I solved this by having Warden immediately sign out the user after authenticating. This works because, on an authorized request, OAuth gets the current user stored with the authorization token. It does not need to have the user in a session.

The following is from config/initializers/doorkeeper.rb. The last two lines do the sign-out after authorization.

# called for Resource Owner Password Credentials Grant
resource_owner_from_credentials do
  # Map the OAuth username/password params onto the :user hash Devise expects
  request.params[:user] = { :email => request.params[:username], :password => request.params[:password] }
  request.env["devise.allow_params_authentication"] = true
  # Authenticate through Warden; authenticate! halts the request on bad credentials
  user = request.env["warden"].authenticate!(:scope => :user)
  # Drop the Warden session right away so the user is not cached for the next request
  env['warden'].logout
  user
end
Douglas Lovell
    I'm pretty sure this can be fixed by instructing Warden to _not_ store the authenticated user in session. `user = request.env["warden"].authenticate!(scope: :user, store: false)` see: https://github.com/doorkeeper-gem/doorkeeper/issues/475#issuecomment-305517549 – stevenharman Jul 12 '17 at 17:32
  • Since this logs out the user during the sign-in process, the token can't be refreshed (implicit grant, where you don't get a refresh token) and the user has to log in again after a couple of hours (when the token expires). I want to log out this user when the user presses "Logout". Usual session#destroy does not work! Even a post-call to do warden.logout does not work! What should be done in this case? – Sagar Ranglani May 10 '20 at 08:30
  • @SagarRanglani thank you for your question. I'm no longer using this software nor involved with any application that uses OAuth. On the surface, my response would be that you refer in your comment to a separate, unrelated issue. Token renewal is a different aspect of using OAuth. I cannot say either way about the relevance of this SO question and answers post to OAuth solutions currently on offer. – Douglas Lovell Jun 01 '20 at 22:09
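A constructed Ruby model of the failure mode this answer describes, added here and not part of the answer or of Warden/Doorkeeper: a stand-in for Warden that caches the authenticated user in the session, with the password grant handled both as the answer found it and as fixed (logout after authenticate, plus the store: false variant from the comments). The FakeWarden class, USERS table and handler names are all assumptions made for the example.

```ruby
# Constructed stand-in for the Warden behaviour described above (not Warden's or
# Doorkeeper's code): authenticate! returns the user already stored in the session
# for the scope before it ever looks at the submitted credentials.
USERS = { "alice@example.com" => "s3cret", "bob@example.com" => "hunter2" }.freeze # constructed

class FakeWarden
  def initialize(session)
    @session = session # hash shared across requests, like a cookie-backed session
  end

  # A user cached in the session wins; otherwise check the password and,
  # unless store: false, cache the user for the next request.
  def authenticate!(params, scope: :user, store: true)
    key = "warden.user.#{scope}.key"
    return @session[key] if @session[key]
    email, password = params[:email], params[:password]
    raise "invalid credentials" unless USERS[email] && USERS[email] == password
    @session[key] = email if store
    email
  end

  def logout
    @session.delete_if { |k, _| k.start_with?("warden.user.") }
  end
end

# Shape the answer started from: Warden keeps the user in the session, so a
# second password grant on the same session succeeds with any credentials and
# returns the original user.
def password_grant_stored(session, params)
  FakeWarden.new(session).authenticate!(params)
end

# Fixed shape: credentials are checked on every grant, nothing is kept in the
# session (store: false), and logout clears anything that was already there.
def password_grant_stateless(session, params)
  warden = FakeWarden.new(session)
  user = warden.authenticate!(params, store: false)
  warden.logout
  user
end

# Simulate one client reusing its session cookie across two token requests,
# the second one with a wrong password for a different user.
def second_grant_with_wrong_password(handler)
  session = {}
  send(handler, session, { email: "alice@example.com", password: "s3cret" })
  send(handler, session, { email: "bob@example.com", password: "wrong" })
rescue RuntimeError
  :rejected
end
```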

If I get you correctly the issue is:

  1) User goes to the client application, clicks log in
  2) Client application gets authentication from the oauth-server; user is asked for username/password at this time
  3) User clicks logout in client application
  4) User clicks login again in client application, and it automatically signs him in using the old authenticated token rather than asking for username and pw again, which is what you want.

If that's your problem, it has to do with cookies. Check the cookies being sent in each request. In my case, I had to add a line

cookies.delete '_oauth_server_name_session'

and it worked then. You can confirm it's a cookie issue first because if you switch browsers (or go into incognito mode) this won't happen.

Eugene G