Cannot revoke and refresh token for auth provider which supports only auth_methods client_secret_basic
Hi all,
I have an auth provider which supports only the auth method client_secret_basic.
I use https://github.com/zitadel/oidc as a client library to authorize a device.
I have managed to get an access token, however I cannot refresh or revoke the token.
I found that the basic auth header is not added to the refresh and revoke requests.
However, the header is added to the DeviceAuthorization and DeviceAccessToken requests:
if request.ClientSecret != "" {
req.SetBasicAuth(request.ClientID, request.ClientSecret)
}
Could you please help me to understand whether it is a bug or by design?
If it is a bug, I can provide a PR.
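To make concrete what the question above is asking for, here is an added example that is not code from the thread or from zitadel/oidc: it uses only net/http to build a refresh_token grant and an RFC 7009 revocation request with client_secret_basic (the same req.SetBasicAuth call as the quoted device-flow snippet), and runs them against a constructed in-process provider that rejects anything without correct Basic credentials. The endpoint paths (/oauth/v2/token, /oauth/v2/revoke), the client id, the secret and the token values are all assumptions made up for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ClientCreds are the confidential-client credentials that client_secret_basic
// carries in the HTTP Authorization header (RFC 6749 section 2.3.1).
type ClientCreds struct {
	ClientID     string
	ClientSecret string
}

// newAuthenticatedForm POSTs a form to endpoint with client_secret_basic. RFC 6749
// also form-urlencodes both values first; that only matters for reserved characters,
// so the raw values are used here, as in the quoted device-flow snippet.
func newAuthenticatedForm(endpoint string, c ClientCreds, form url.Values) (*http.Request, error) {
	if c.ClientID == "" || c.ClientSecret == "" {
		return nil, errors.New("client_secret_basic needs both client_id and client_secret")
	}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(c.ClientID, c.ClientSecret)
	return req, nil
}

// NewRefreshRequest builds a refresh_token grant (RFC 6749 section 6) for the token endpoint.
func NewRefreshRequest(tokenEndpoint string, c ClientCreds, refreshToken string) (*http.Request, error) {
	form := url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refreshToken}}
	return newAuthenticatedForm(tokenEndpoint, c, form)
}

// NewRevokeRequest builds a revocation request (RFC 7009) for the revocation endpoint.
func NewRevokeRequest(revocationEndpoint string, c ClientCreds, token, hint string) (*http.Request, error) {
	form := url.Values{"token": {token}}
	if hint != "" {
		form.Set("token_type_hint", hint)
	}
	return newAuthenticatedForm(revocationEndpoint, c, form)
}

// clientAuthenticated is the provider-side check: missing or wrong Basic credentials fail, compared in constant time.
func clientAuthenticated(r *http.Request, want ClientCreds) bool {
	id, secret, ok := r.BasicAuth()
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(id), []byte(want.ClientID)) == 1 &&
		subtle.ConstantTimeCompare([]byte(secret), []byte(want.ClientSecret)) == 1
}

// NewFakeProvider is a constructed stand-in for a provider that accepts only client_secret_basic (paths assumed).
func NewFakeProvider(want ClientCreds) *httptest.Server {
	mux := http.NewServeMux()
	handle := func(path, okBody string) {
		mux.HandleFunc(path, func(w http.ResponseWriter, r *http.Request) {
			if !clientAuthenticated(r, want) {
				w.Header().Set("WWW-Authenticate", `Basic realm="oauth"`)
				http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
				return
			}
			if err := r.ParseForm(); err != nil || (r.PostForm.Get("grant_type") == "" && r.PostForm.Get("token") == "") {
				http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
				return
			}
			io.WriteString(w, okBody)
		})
	}
	handle("/oauth/v2/token", `{"access_token":"new-at","refresh_token":"new-rt","token_type":"Bearer"}`)
	handle("/oauth/v2/revoke", "")
	return httptest.NewServer(mux)
}

// Send executes req and returns the HTTP status code.
func Send(req *http.Request) (int, error) {
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	creds := ClientCreds{ClientID: "device-client", ClientSecret: "s3cr3t"} // constructed sample values
	srv := NewFakeProvider(creds)
	defer srv.Close()
	req, _ := NewRefreshRequest(srv.URL+"/oauth/v2/token", creds, "old-rt")
	status, _ := Send(req)
	fmt.Println("refresh with client_secret_basic:", status)
}
```

The provider answers 401 with an invalid_client error whenever the Authorization header is absent, which is exactly the symptom described for the refresh and revoke calls: the form body is right, but a client_secret_basic-only provider cannot identify the client without that header.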
Hi @myroslav, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. [OpenID Connect Endpoints in ZITADEL] (1): Describes that when using the token and revocation endpoints with client_secret_basic, the client_id and client_secret must be sent as a Basic Auth header for both refresh and revoke requests.
2. [How to revoke an Access Token/Refresh Token] (2): Explains that additional parameters or headers may be needed on the revoke endpoint depending on your authentication method, and specifically links to the need for correct Basic Auth handling.
To learn more, see the sources I considered: [1] OpenID Connect Endpoints in ZITADEL [2] How to revoke an Access Token/Refresh Token
Feel free to tag @Ask Inkeep with additional questions.
Hey @myroslav, thanks for your question. I will look into it and will get back to you. What version are you on?
Thank you @Rajat.
I am on v3.44.0.