feat: Implement RFC 7009 token revocation endpoint (#25)#40
Open
alexlovelltroy wants to merge 1 commit into
Open
feat: Implement RFC 7009 token revocation endpoint (#25)#40alexlovelltroy wants to merge 1 commit into
alexlovelltroy wants to merge 1 commit into
Conversation
Adds token revocation capability per RFC 7009 (OAuth 2.0 Token Revocation) to enable explicit token invalidation before expiry. This is foundational for Issue #37 (parent-child token cascade revocation). ## Core Implementation **RevocationStore** (pkg/tokenservice/revocation.go): - Thread-safe in-memory JTI blocklist with RWMutex protection - Auto-pruning of expired entries on IsRevoked() checks - Manual Prune() for periodic cleanup - Stores revoked JTIs with their original expiry timestamps **HTTP Endpoint** (POST /oauth/revoke): - RFC 7009 Section 2.2 compliant: returns 200 OK for all requests (valid, invalid, or already-revoked tokens) to prevent token scanning - Form-encoded parameter: token (required), token_type_hint (optional) - Extracts JTI from parsed token and adds to revocation store **Middleware Integration** (pkg/authn/middleware.go): - Added RevocationChecker interface for IsRevoked(jti) checks - Integrated check after signature verification and claims validation - Returns 401 Unauthorized with 'token has been revoked' for revoked JTIs ## Test Coverage **RevocationStore Tests**: - Thread safety with 100 concurrent goroutines (Revoke, IsRevoked, Prune) - Auto-pruning on IsRevoked() checks - Manual Prune() correctness and memory cleanup - Race condition testing (IsRevoked while Pruning) - Size tracking and expiry handling **Handler Tests** (RFC 7009 compliance): - Returns 200 OK for valid tokens (with revocation) - Returns 200 OK for invalid/malformed tokens (per RFC 7009 Section 2.2) - Returns 200 OK for already-revoked tokens (idempotent) - Returns 400 Bad Request for missing token parameter - Returns 405 Method Not Allowed for non-POST requests - Verifies tokens remain revoked until original expiry ## Security Properties - Fail-closed: middleware rejects revoked tokens after verification - Token scanning prevention: always returns 200 OK (RFC 7009 Section 2.2) - Memory bounded: auto-pruning removes expired entries - Race-safe: RWMutex protects concurrent access ## Future Work This implementation enables Issue #37 (parent-child tokens with cascade revocation). When a parent token is revoked, the family hierarchy can be traversed to revoke all descendant tokens. Closes #25
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds token revocation capability per RFC 7009 (OAuth 2.0 Token Revocation) to enable explicit token invalidation before expiry. This is foundational for Issue #37 (parent-child token cascade revocation).
Core Implementation
RevocationStore (pkg/tokenservice/revocation.go):
HTTP Endpoint (POST /oauth/revoke):
Middleware Integration (pkg/authn/middleware.go):
Test Coverage
RevocationStore Tests:
Handler Tests (RFC 7009 compliance):
Security Properties
Future Work
This implementation enables Issue #37 (parent-child tokens with cascade revocation). When a parent token is revoked, the family hierarchy can be traversed to revoke all descendant tokens.
Closes #25
Pull Request Template
Thank you for your contribution! Please ensure the following before submitting:
Checklist
make test(or equivalent) locally and all tests passgit commit -s) with my real name and email<filename>.licensesidecarLICENSES/directoryDescription
Please include a summary of the change and which issue is fixed.
Also include relevant motivation and context.
Fixes #(issue)
Type of Change
For more info, see Contributing Guidelines.