Merge pull request #210 from oleeander/master

Revoke refresh_token and access_token on logout

Author: bodewig

AUTHORS

@@ -29,3 +29,4 @@ reporting bugs, providing fixes, suggesting useful features or other:
 	Donghang Lin <https://github.com/dhlin>
 	Arcadiy Ivanov <https://github.com/arcivanov>
 	Dmitriy Blok <https://github.com/dmitriyblok>
+	Oleander Reis <https://github.com/oleeander>

ChangeLog

@@ -1,3 +1,6 @@
+10/18/2018
+- add token revocation support on logout (opts.revoke_tokens_on_logout)
+
 10/16/2018
 - lua-resty-openidc now creates a new session whenever the token(s)
   are refreshed, trying to soften the impact when multiple requests

README.md

@@ -177,6 +177,10 @@ http {
              -- Connect provider that ignores the paramter as the
              -- id_token will be rejected otherwise.
 
+             --revoke_tokens_on_logout = false
+             -- When revoke_tokens_on_logout is set to true a logout notifies the authorization server that previously obtained refresh and access tokens are no longer needed. This requires that revocation_endpoint is discoverable.
+             -- If there is no revocation endpoint supplied or if there are errors on revocation the user will not be notified and the logout process continues normally.
+
              -- Optional : use outgoing proxy to the OpenID Connect provider endpoints with the proxy_opts table : 
              -- this requires lua-resty-http >= 0.12
              -- proxy_opts = {

lib/resty/openidc.lua

@@ -340,7 +340,8 @@ local function openidc_authorize(opts, session, target_url, prompt)
 end
 
 -- parse the JSON result from a call to the OP
-local function openidc_parse_json_response(response)
+local function openidc_parse_json_response(response, ignore_body_on_success)
+  local ignore_body_on_success = ignore_body_on_success or false
 
   local err
   local res
@@ -349,6 +350,10 @@ local function openidc_parse_json_response(response)
   if response.status ~= 200 then
     err = "response indicates failure, status=" .. response.status .. ", body=" .. response.body
   else
+    if ignore_body_on_success then
+      return nil, nil
+    end
+
     -- decode the response and extract the JSON object
     res = cjson_s.decode(response.body)
 
@@ -381,7 +386,8 @@ local function openidc_configure_proxy(httpc, proxy_opts)
 end
 
 -- make a call to the token endpoint
-function openidc.call_token_endpoint(opts, endpoint, body, auth, endpoint_name)
+function openidc.call_token_endpoint(opts, endpoint, body, auth, endpoint_name, ignore_body_on_success)
+  local ignore_body_on_success = ignore_body_on_success or false
 
   local ep_name = endpoint_name or 'token'
   local headers = {
@@ -441,7 +447,7 @@ function openidc.call_token_endpoint(opts, endpoint, body, auth, endpoint_name)
 
   log(DEBUG, ep_name .. " endpoint response: ", res.body)
 
-  return openidc_parse_json_response(res)
+  return openidc_parse_json_response(res, ignore_body_on_success)
 end
 
 -- make a call to the userinfo endpoint
@@ -1086,6 +1092,39 @@ local function openidc_authorization_response(opts, session)
   return nil, nil, session.data.original_url, session
 end
 
+-- token revocation (RFC 7009)
+local function openidc_revoke_token(opts, token_type_hint, token)
+  if not opts.discovery.revocation_endpoint then
+    log(DEBUG, "no revocation endpoint supplied. unable to revoke " .. token_type_hint .. ".")
+    return nil
+  end
+
+  local token_type_hint = token_type_hint or nil
+  local body = {
+    token = token
+  }
+  if token_type_hint then
+    body['token_type_hint'] = token_type_hint
+  end
+
+  -- ensure revocation endpoint auth method is properly discovered
+  err = ensure_config(opts)
+  if err then
+    log(ERROR, "revocation of " .. token_type_hint .. " unsuccessful: " .. err)
+    return false
+  end
+
+  -- call the revocation endpoint
+  _, err = openidc.call_token_endpoint(opts, opts.discovery.revocation_endpoint, body, opts.token_endpoint_auth_method, "revocation", true)
+  if err then
+    log(ERROR, "revocation of " .. token_type_hint .. " unsuccessful: " .. err)
+    return false
+  else
+    log(DEBUG, "revocation of " .. token_type_hint .. " successful")
+    return true
+  end
+end
+
 local openidc_transparent_pixel = "\137\080\078\071\013\010\026\010\000\000\000\013\073\072\068\082" ..
     "\000\000\000\001\000\000\000\001\008\004\000\000\000\181\028\012" ..
     "\002\000\000\000\011\073\068\065\084\120\156\099\250\207\000\000" ..
@@ -1095,7 +1134,17 @@ local openidc_transparent_pixel = "\137\080\078\071\013\010\026\010\000\000\000\
 -- handle logout
 local function openidc_logout(opts, session)
   local session_token = session.data.enc_id_token
+  local access_token = session.data.access_token
+  local refresh_token = session.data.refresh_token
   session:destroy()
+
+  if opts.revoke_tokens_on_logout then
+    log(DEBUG, "revoke_tokens_on_logout is enabled. " ..
+      "trying to revoke access and refresh tokens...")
+    openidc_revoke_token(opts, "refresh_token", refresh_token)
+    openidc_revoke_token(opts, "access_token", access_token)
+  end
+
   local headers = ngx.req.get_headers()
   local header = headers['Accept']
   if header and header:find("image/png") then

tests/spec/logout_spec.lua

@@ -365,3 +365,190 @@ describe("when logout is invoked and discovery contains ping_end_session_endpoin
   end)
 end)
 
+describe("when revoke_tokens_on_logout is enabled and a valid revocation endpoint is supplied with auth method client_secret_basic", function()
+  test_support.start_server({
+    oidc_opts = {
+      revoke_tokens_on_logout = true,
+      discovery = {
+        revocation_endpoint = "http://127.0.0.1/revocation",
+        token_endpoint_auth_methods_supported = { "foo", "client_secret_post", "client_secret_basic" }
+      },
+      token_endpoint_auth_method = "client_secret_basic"
+    }
+  })
+  teardown(test_support.stop_server)
+  local _, _, cookie = test_support.login()
+  local _, status, headers = http.request({
+      url = "http://127.0.0.1/default/logout",
+      headers = { cookie = cookie },
+      redirect = false
+  })
+  it("the response contains a default HTML-page", function()
+    assert.are.equals(200, status)
+    assert.are.equals("text/html", headers["content-type"])
+  end)
+
+  it("the session cookie has been revoked", function()
+    assert.truthy(string.match(headers["set-cookie"],
+                               "session=; Expires=Thu, 01 Jan 1970 00:00:01 GMT.*"))
+  end)
+
+  it("authorization credentials have not been passed on as post parameters to the revocation endpoint", function()
+    assert.is_not.error_log_contains("Received revocation request: .*client_id")
+  end)
+
+  it("authorization header has been passed on to the revocation endpoint", function()
+    assert.error_log_contains("revocation authorization header: Basic .+")
+  end)
+
+  it("token to be revoked has been passed on as a post parameter to the revocation endpoint", function()
+    assert.error_log_contains("Received revocation request: .*token=.+")
+  end)
+
+  it("debug messages concerning successful revocation have been logged", function()
+    assert.error_log_contains("revocation of refresh_token successful")
+    assert.error_log_contains("revocation of access_token successful")
+  end)
+end)
+
+describe("when revoke_tokens_on_logout is enabled and a valid revocation endpoint is supplied with auth method client_secret_post", function()
+  test_support.start_server({
+    oidc_opts = {
+      revoke_tokens_on_logout = true,
+      discovery = {
+        revocation_endpoint = "http://127.0.0.1/revocation",
+        token_endpoint_auth_methods_supported = { "foo", "client_secret_basic", "client_secret_post" }
+      },
+      token_endpoint_auth_method = "client_secret_post"
+    }
+  })
+  teardown(test_support.stop_server)
+  local _, _, cookie = test_support.login()
+  local _, status, headers = http.request({
+      url = "http://127.0.0.1/default/logout",
+      headers = { cookie = cookie },
+      redirect = false
+  })
+  it("the response contains a default HTML-page", function()
+    assert.are.equals(200, status)
+    assert.are.equals("text/html", headers["content-type"])
+  end)
+
+  it("the session cookie has been revoked", function()
+    assert.truthy(string.match(headers["set-cookie"],
+                               "session=; Expires=Thu, 01 Jan 1970 00:00:01 GMT.*"))
+  end)
+
+  it("authorization header has not been passed on to the revocation endpoint", function()
+    assert.is_not.error_log_contains("revocation authorization header: Basic")
+  end)
+
+  it("authorization credentials have been passed on as post parameters to the revocation endpoint", function()
+    assert.error_log_contains("Received revocation request: .*client_id=.+")
+  end)
+
+  it("token to be revoked has been passed on as a post parameter to the revocation endpoint", function()
+    assert.error_log_contains("Received revocation request: .*token=.+")
+  end)
+
+  it("debug messages concerning successful revocation have been logged", function()
+    assert.error_log_contains("revocation of refresh_token successful")
+    assert.error_log_contains("revocation of access_token successful")
+  end)
+end)
+
+describe("when revoke_tokens_on_logout is enabled and an invalid revocation endpoint is supplied", function()
+  test_support.start_server({
+    oidc_opts = {
+      revoke_tokens_on_logout = true,
+      discovery = {
+        revocation_endpoint = "http://127.0.0.1/invalid_revocation"
+      }
+    }
+  })
+  teardown(test_support.stop_server)
+  local _, _, cookie = test_support.login()
+  local _, status, headers = http.request({
+      url = "http://127.0.0.1/default/logout",
+      headers = { cookie = cookie },
+      redirect = false
+  })
+  it("the response still contains a default HTML-page", function()
+    assert.are.equals(200, status)
+    assert.are.equals("text/html", headers["content-type"])
+  end)
+
+  it("the session cookie still has been revoked", function()
+    assert.truthy(string.match(headers["set-cookie"],
+                               "session=; Expires=Thu, 01 Jan 1970 00:00:01 GMT.*"))
+  end)
+
+  it("error messages concerning unseccussful revocation have been logged", function()
+    assert.error_log_contains("revocation of refresh_token unsuccessful")
+    assert.error_log_contains("revocation of access_token unsuccessful")
+  end)
+end)
+
+describe("when revoke_tokens_on_logout is enabled but no revocation endpoint is supplied", function()
+  test_support.start_server({
+    oidc_opts = {
+      revoke_tokens_on_logout = true,
+      discovery = {
+        revocation_endpoint = nil
+      }
+    }
+  })
+  teardown(test_support.stop_server)
+  local _, _, cookie = test_support.login()
+  local _, status, headers = http.request({
+      url = "http://127.0.0.1/default/logout",
+      headers = { cookie = cookie },
+      redirect = false
+  })
+  it("the response still contains a default HTML-page", function()
+    assert.are.equals(200, status)
+    assert.are.equals("text/html", headers["content-type"])
+  end)
+
+  it("the session cookie still has been revoked", function()
+    assert.truthy(string.match(headers["set-cookie"],
+                               "session=; Expires=Thu, 01 Jan 1970 00:00:01 GMT.*"))
+  end)
+
+  it("debug messages concerning unseccussful revocation have been logged", function()
+    assert.error_log_contains("no revocation endpoint supplied. unable to revoke refresh_token")
+    assert.error_log_contains("no revocation endpoint supplied. unable to revoke access_token")
+  end)
+end)
+
+describe("when revoke_tokens_on_logout is not defined and a revocation_endpoint is given", function()
+  test_support.start_server({
+    oidc_opts = {
+      revoke_tokens_on_logout = nil,
+      discovery = {
+        revocation_endpoint = "http://127.0.0.1/revocation"
+      }
+    }
+  })
+  teardown(test_support.stop_server)
+  local _, _, cookie = test_support.login()
+  local _, status, headers = http.request({
+      url = "http://127.0.0.1/default/logout",
+      headers = { cookie = cookie },
+      redirect = false
+  })
+  it("the response still contains a default HTML-page", function()
+    assert.are.equals(200, status)
+    assert.are.equals("text/html", headers["content-type"])
+  end)
+
+  it("the session cookie still has been revoked", function()
+    assert.truthy(string.match(headers["set-cookie"],
+                               "session=; Expires=Thu, 01 Jan 1970 00:00:01 GMT.*"))
+  end)
+
+  it("no messages concerning revocation have been logged", function()
+    assert.is_not.error_log_contains("revocation")
+    assert.is_not.error_log_contains("revoke")
+  end)
+end)

tests/spec/test_support.lua

@@ -370,6 +370,23 @@ JWT_SIGN_SECRET]=]
                 end
             }
         }
+
+        location /revocation {
+            content_by_lua_block {
+                ngx.req.read_body()
+                ngx.log(ngx.ERR, "Received revocation request: " .. ngx.req.get_body_data())
+                local auth = ngx.req.get_headers()["Authorization"]
+                ngx.log(ngx.ERR, "revocation authorization header: " .. (auth and auth or ""))
+                local cookie = ngx.req.get_headers()["Cookie"]
+                if not cookie then
+                  ngx.log(ngx.ERR, "no cookie in introspection call")
+                end
+                ngx.header.content_type = 'application/json;charset=UTF-8'
+                delay(REVOCATION_DELAY_RESPONSE)
+                ngx.status = 200
+                ngx.say('INVALID JSON.')
+            }
+        }
     }
 }
 ]]
@@ -450,6 +467,7 @@ local function write_config(out, custom_config)
     :gsub("DISCOVERY_DELAY_RESPONSE", ((custom_config["delay_response"] or {}).discovery or DEFAULT_DELAY_RESPONSE))
     :gsub("USERINFO_DELAY_RESPONSE", ((custom_config["delay_response"] or {}).userinfo or DEFAULT_DELAY_RESPONSE))
     :gsub("INTROSPECTION_DELAY_RESPONSE", ((custom_config["delay_response"] or {}).introspection or DEFAULT_DELAY_RESPONSE))
+    :gsub("REVOCATION_DELAY_RESPONSE", ((custom_config["delay_response"] or {}).revocation or DEFAULT_DELAY_RESPONSE))
     :gsub("JWK", custom_config["jwk"] or DEFAULT_JWK)
     :gsub("USERINFO", serpent.block(userinfo, {comment = false }))
     :gsub("FAKE_ACCESS_TOKEN_SIGNATURE", custom_config["fake_access_token_signature"] or DEFAULT_FAKE_ACCESS_TOKEN_SIGNATURE)