Cannot revoke and refresh token for auth provider which supports only auth_methods client_secret_ba
Hi all,
I have auth provider which supports only auth_methods client_secret_basic
I use https://github.com/zitadel/oidc as client library to authorize a device
I have managed to get an access token, however I cannot refresh and revoke the token.
I found that the basic auth header is not added to refresh and revoke requests.
However, the header is added to DeviceAuthorization and DeviceAccessToken requests:
// zitadel/oidc device flow: credentials are sent as client_secret_basic only here
if request.ClientSecret != "" {
    req.SetBasicAuth(request.ClientID, request.ClientSecret)
}
Could you please help me to understand whether it is a bug or by design?
If it is a bug I can provide a PR.
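Added example (not the thread's or zitadel/oidc's code): the two request builders the thread says were missing the header, written against net/http with constructed endpoint, client and token values, plus the check a client_secret_basic-only provider would apply on its side.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// setClientSecretBasic is the check quoted from zitadel/oidc's device flow: a
// configured secret goes into the Authorization header (client_secret_basic,
// RFC 6749 section 2.3.1). The thread's bug is that refresh/revoke skipped it.
func setClientSecretBasic(req *http.Request, clientID, clientSecret string) {
	if clientSecret != "" {
		req.SetBasicAuth(clientID, clientSecret)
	}
}

// newFormRequest posts a form body and authenticates the client the same way
// for every token-related endpoint, so refresh and revoke cannot diverge.
func newFormRequest(endpoint, clientID, clientSecret string, form url.Values) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	setClientSecretBasic(req, clientID, clientSecret)
	return req, nil
}

// NewRefreshRequest builds the RFC 6749 section 6 refresh_token grant.
func NewRefreshRequest(tokenEndpoint, clientID, clientSecret, refreshToken string) (*http.Request, error) {
	form := url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refreshToken}}
	return newFormRequest(tokenEndpoint, clientID, clientSecret, form)
}

// NewRevokeRequest builds the RFC 7009 revocation request for a refresh token.
func NewRevokeRequest(revokeEndpoint, clientID, clientSecret, token string) (*http.Request, error) {
	form := url.Values{"token": {token}, "token_type_hint": {"refresh_token"}}
	return newFormRequest(revokeEndpoint, clientID, clientSecret, form)
}

// HasClientSecretBasic is the provider-side check: credentials present and matching.
func HasClientSecretBasic(req *http.Request, clientID, clientSecret string) bool {
	id, secret, ok := req.BasicAuth()
	return ok && id == clientID && secret == clientSecret
}

func main() {
	// Constructed endpoint and credentials; no network call is made.
	req, _ := NewRevokeRequest("https://idp.example/oauth/v2/revoke", "device-client", "s3cret", "rt-constructed")
	fmt.Println("revoke carries client_secret_basic:", HasClientSecretBasic(req, "device-client", "s3cret"))
}
```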
Hi @myroslav, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. [OpenID Connect Endpoints in ZITADEL] (1): Describes that when using the token and revocation endpoints with client_secret_basic, the client_id and client_secret must be sent as a Basic Auth header for both refresh and revoke requests.
2. [How to revoke an Access Token/Refresh Token] (2): Explains that additional parameters or headers may be needed on the revoke endpoint depending on your authentication method, and specifically links to the need for correct Basic Auth handling.
To learn more, see the sources I considered: [1] OpenID Connect Endpoints in ZITADEL [2] How to revoke an Access Token/Refresh Token
Feel free to tag @Ask Inkeep with additional questions.
hey @myroslav thanks for your question, I will look into it and will get back to you, what version are you on?
thank you @Rajat
I am on v3.44.0
hey @myroslav apologies for the delay, I will get back to you later today/early tomorrow. 🙂
Thank you, @Rajat
hi @Rajat, did you have a chance to look at my question?
hey @myroslav looking into it rn
hey @myroslav I think you are correct, here's the proof that we need Basic auth when refreshing the token, I believe.
RFC 6749: The OAuth 2.0 Authorization Framework
Thank you @Rajat, I will provide a PR in a few days
Hi @Rajat
Here is my PR https://github.com/zitadel/oidc/pull/803
Could you please look at it?
I am happy to hear feedback and adjust the PR.
Also I am going to look at the tests and add checks for the auth headers if possible.
However, I will do that a bit later.
fix: add auth_methods client_secret_basic for refresh token and rev...
I have an auth provider which supports only auth_methods client_secret_basic.
I found that in this case refresh token and revoke token requests do not work,
because the basic auth header is missing in appropri...
hey @myroslav first of all thanks a lot for the PR, this will get reviewed by the engineers, you will see it in replies 🙂