Refreshing a revoked access token throws an error 500 #585
Comments
|
As a stopgap, could you do something like the following: This would of course be for revoking every refresh token (I haven't tested it but it works for access tokens at least, if you replace the "refresh"s with "access") |
|
I've also ran into this. It looks like this cannot be mitigated without adding the scope to the RefreshToken model as well? |
|
We're mitigating like this on our access token model currently: |
- [x] Application management - [x] Link - [ ] Tests - [x] Authorize flow - [x] Tests - [x] Refresh token handling - [x] Tests - [x] Revocation endpoint - [x] Tests - [x] Mitigate: jazzband/django-oauth-toolkit#585 - [x] API authenticator / permission driver - [x] Test - [x] Enforce organizer restriction - [x] Tests - [x] Enforce scope restriction - [x] Tests - [x] Show current applications to user - [x] Revoke - [x] Tests - [x] Log new authorizations - [x] notify user - [x] Ensure other grant types are not available - [x] Documentation - [x] check if revoking access toking, then refreshing gets rid of organizer constraint - [x] Show logentry foo
fixes jazzband#585 Note that there are no integration tests, so the unit tests don't actually show the 500 error that would have been seen with a call to oauth2_provider/oauth2_backends.py:create_token_response.
|
I've implemented a fix for this: #620 |
fixes jazzband#585 Note that there are no integration tests, so the unit tests don't actually show the 500 error that would have been seen with a call to oauth2_provider/oauth2_backends.py:create_token_response.
|
FYI: My fix turned out to not be a fix, because I just replicated a bug in 0.12.0 that would return a 401. I think the real fix would be to allow the refresh token, which itself was not revoked, to continue to work. I'm not sure of the correct fix, but it might be to store the refresh token's scope, and not rely on an associated access token to determine the original scope. |
That would be option A, option B would be adding a |
|
Agreed. Not sure which approach is better. I need to move on, but hopefully this is more clear for someone to pick up. |
|
Any progress on this? I have just run into this myself upgrading from |
|
No progress that I am aware of. The options continue to be: See my previous PR if you want much more detail around the bug with code references: #620. Good luck @keattang. |
|
@robrap Is there a consensus on which to go with? I'd prefer not to write something and then it be decided that it's not the correct approach |
|
Not sure if @jleclanche could give thumbs-up on an approach before you start. I agree with wanting to know which way to go first. |
|
I don't have an ultimate say on DOT, but option B sounds better to me. |
|
related to #839 |
Assuming option B is taken, can I take it that the cascade would be changed from null-on-cascade to delete-on-cascade? |
When you revoke an access token and try to refresh it afterwards, you end up with an error 500.
This seems to be related to the
get_original_scopesmethod ofoauth2_provider/oauth2_validators.pywhich tries to retrieve the access token related to the refresh token. However, since it was revoked, it no longer exists and Django throws aDoesNotExistserror which isn't catch.When we revoke an access token, maybe we should revoke refresh tokens too ? Or we could add a clause to the queryset on
validate_refresh_tokenmethod to exclude refresh token withoutaccess_token.The text was updated successfully, but these errors were encountered: