Skip to content

OAuth2: Revocation with Basic auth no longer possible #644

New issue
New issue
Closed
Closed
OAuth2: Revocation with Basic auth no longer possible#644
Assignees
JonathanHuot
Labels
BugOAuth2-ProviderThis impact the provider part of OAuth2
Milestone
3.0.1
@raphaelm

Description

@raphaelm
raphaelm
opened on Jan 9, 2019

Describe the bug

When using the revocation endpoint, an error code 401 is returned even though client authentication is valid.

How to reproduce

  • Call RevocationEndpoint.create_revocation_response with a headers dictionary containing the client authorization.
  • Notice that this parameter is ignored completely. Clearly, it is overridden instantly:

oauthlib/oauthlib/oauth2/rfc6749/endpoints/revocation.py

Lines 41 to 67 in 20d116c

def create_revocation_response(self, uri, http_method='POST', body=None,
headers=None):
"""Revoke supplied access or refresh token.
The authorization server responds with HTTP status code 200 if the
token has been revoked sucessfully or if the client submitted an
invalid token.
Note: invalid tokens do not cause an error response since the client
cannot handle such an error in a reasonable way. Moreover, the purpose
of the revocation request, invalidating the particular token, is
already achieved.
The content of the response body is ignored by the client as all
necessary information is conveyed in the response code.
An invalid token type hint value is ignored by the authorization server
and does not influence the revocation response.
"""
headers = {
'Content-Type': 'application/json',
'Cache-Control': 'no-store',
'Pragma': 'no-cache',
}
request = Request(
uri, http_method=http_method, body=body, headers=headers)

Expected behavior

I expected this parameter to be respected

Additional context

  • OAuth2
  • This happened with django-oauth-toolkit after upgrading to oauthlib 3.0.0
  • We're implementing a provider

Metadata

Metadata

Assignees

Labels

BugOAuth2-ProviderThis impact the provider part of OAuth2

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions