
Twitch token '/revoke' endpoint is a POST request, and requires the originally issued Auth token #513

Open
ipat8 opened this issue Dec 14, 2022 · 8 comments

Comments

@ipat8

ipat8 commented Dec 14, 2022

**Please DO NOT post config and logs to this issue, use a Gist**
Config Gist
Service Output

Describe the problem
Twitch expects a POST request, not a redirect to https://id.twitch.tv/oauth2/revoke to log out a user. Vouch sends the user to the site and drops them at a 200 Ok page with no way to redirect.

Expected behavior
Vouch makes the request for the user on the backend when they hit the /logout endpoint and redirects them to an arbitrary page when it receives the 200 response.

Desktop (please complete the following information):

  • OS: Windows
  • Browser: Chrome, FF
  • Version: 108, 107

Additional context
My main goal here is to have a fully working auth flow with twitch. Eg, a user can sign in, use the app, and sign out, but at sign out they should get redirected back to my main page after revoking their twitch token.

@bnfinet
Member

bnfinet commented Dec 14, 2022

I'm not able to look at this closely at the moment but I think there's a way to create an endpoint in nginx to receive a redirect from Vouch Proxy that will then generate a post to twitch. Might need to carry the auth token in a variable somehow.

https://marekfoss.org/2020/03/22/how-to-rewrite-or-redirect-post-requests-in-apache-and-nginx/

I'll take a closer look later

@ipat8
Author

ipat8 commented Dec 14, 2022

Might need to carry the auth token in a variable somehow.

That's my sticking point. I was trying to do this in PHP but the auth token is only exposed in the id.twitch.tv cookie, so I can't read it to perform the POST on the user's behalf. I'll look into the idea of the Nginx redirect, but any help from your side is also appreciated!

bnfinet changed the title from "Twitch Logout Not Working as Expected" to "Twitch token '/revoke' endpoint is a POST request, and requires the originally issued Auth token" on Dec 16, 2022
@bnfinet
Member

bnfinet commented Dec 16, 2022

@ipat8 yeah at this point that's going to require storing the token outside of VP and making an independent call to twitch/revoke

Revocation is a bit beyond the scope of what VP usually does. VP is not very concerned with the management of the IdP's token(s). If the IdP passes you back as authenticated then VP will authorize access. VP does not require the IdP's token for that transaction.

That said, the IdP's auth token can be passed down to the underlying app in an HTTP header, so to that extent perhaps it's of concern to manage its lifecycle.

I could see this being a new feature of VP that gets baked into twitch specific provider logic.

I can't find anything in the spec that suggests that an IdP's /revoke should be handled as a POST.

I'm a little hesitant to say "PRs welcome" but maybe I'm talking my way into that.

@ipat8
Author

ipat8 commented Dec 16, 2022

@bnfinet A few further questions & answers then:

If the IdP passes you back as authenticated then VP will authorize access. VP does not require the IdPs token for that transaction.

Would I be able to deploy something like KeyCloak as an intermediary between vouch and twitch, and have KeyCloak handle the logout? (I realize that's outside of your scope, but a general question).

That said, the IdPs auth token can be passed down to the underlying app in an HTTP header, so to that extent perhaps it's of concern to manage it's lifecycle.

How would I go about doing this? I already pass a few of the claims into the HTTP header, but I have been unable to find what I should be using to pass the auth token. If I can pass it to an HTTP header, I can solve it with PHP from there. https://dev.twitch.tv/docs/authentication/getting-tokens-oidc#requesting-claims shows a list of claims I can request, and I don't see the app token in there.

I can't find anything in the spec that suggest that an IdP's /revoke should be handled as a POST.

https://dev.twitch.tv/docs/authentication/revoke-tokens & https://discuss.dev.twitch.tv/t/oidc-logout-uri-redirect/42272
Seems like a twitch specific token revocation mechanism. I asked the question on the twitch forums because I couldn't find where they indicated that it HAD to be a POST request for it to work properly, but based on my testing once you hit the /revoke endpoint nothing else happens with the request.

I'm a little hesitant to say "PRs welcome" but maybe I'm talking my way into that.

I know enough Go to be able to compile things, but if there is already an existing example of storing the auth token to make requests on the user's behalf I can try and see if I could mangle it into doing it for twitch.

@stephenlf-ems

Bumping this issue somewhat. I have the same issue, except I'm trying to implement sign out behavior for our Google provider.

As per Google's documentation, the Google oauth endpoint (https://oauth2.googleapis.com/revoke) accepts only POST requests (header value Content-type: application/x-www-form-urlencoded with the query parameter ?token={access_token}). Unfortunately, I can't seem to pull the access token from Vouch. The accesstoken: X-Vouch-IdP-AccessToken header is missing.

I'll open up another issue, but it seems like this revoke behavior extends beyond just Twitch.

@ipat8
Author

ipat8 commented Oct 18, 2023

I'd argue that it's the same issue, but maybe the issue should be more general. Providing the token would be extremely useful as a feature.

@stephenlf-ems

I was able to pull the original auth token by setting vouch.headers.accesstoken to X-Vouch-IdP-AccessToken. Turns out I just had a bad config file before 🙄 . Unfortunately, this means Vouch's JWT is going to be extra big, since Vouch has to bake that header into the Vouch Cookie. I believe there's room for improvement there.

In the meantime, I should be able to pull that X-Vouch-IdP-AccessToken header and submit a revoke request server-side. I think that's possible with NGINX. If I get a functional config working, I'll submit a PR with the solution and ping this thread again. Keep in mind I'm using Google provider, not Twitch.
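Added example (not Vouch Proxy's code and not from anyone in this thread): a small Go logout handler that sits behind Vouch Proxy, reads the X-Vouch-IdP-AccessToken header described above, POSTs a form-encoded revoke request to the IdP server-side, and only redirects the browser once the IdP answers 200, which is the behaviour the issue asks for. The endpoint, client_id and post-logout URL are parameters chosen here; the client_id field for Twitch comes from the revoke docs linked in the thread, and the missing-header branch covers the misconfiguration just mentioned.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Revoke POSTs the token to the IdP as application/x-www-form-urlencoded, the shape
// both the Twitch and Google endpoints in this thread require. clientID is sent as
// client_id when non-empty (Twitch's revoke call takes it; Google's only needs token).
func Revoke(client *http.Client, endpoint, clientID, token string) (int, error) {
	form := url.Values{"token": {token}}
	if clientID != "" {
		form.Set("client_id", clientID)
	}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// LogoutHandler reads the IdP access token Vouch Proxy forwards in X-Vouch-IdP-AccessToken
// (vouch.headers.accesstoken), revokes it server-side, and only then redirects to afterURL,
// so the token never has to reach client-side code.
func LogoutHandler(client *http.Client, endpoint, clientID, afterURL string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		token := r.Header.Get("X-Vouch-IdP-AccessToken")
		if token == "" { // header absent: vouch.headers.accesstoken is probably not set
			http.Error(w, "no IdP token on request", http.StatusBadRequest)
			return
		}
		status, err := Revoke(client, endpoint, clientID, token)
		if err != nil || status != http.StatusOK {
			http.Error(w, fmt.Sprintf("revoke failed: status=%d err=%v", status, err), http.StatusBadGateway)
			return
		}
		http.Redirect(w, r, afterURL, http.StatusFound)
	}
}
```

Mount it with `http.Handle("/logout", LogoutHandler(&http.Client{Timeout: 5 * time.Second}, "https://id.twitch.tv/oauth2/revoke", "<your client_id>", "https://your.site/"))` on the app Vouch Proxy protects, so the header is present on the request.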

@stephenlf

Here is the solution I found for google. I'm sure it can be tweaked for Twitch as well.

#543
