Delete refresh tokens from the user profile page [#2953200]

Hi,

When a refresh token is created, the user it's linked to is unkown and in the database 'auth_user_id' is 0 (annonymous).
I've spend some time trying different things but I cannot find a way how to delete someone's refresh token. I have a button on a users account page to revoke all tokens, this works for the auth_code and access_tokens but not the refresh token. Which mean they can just request a new access_token.

How can I remove a specific user's refresh token when there is no link to any uid? I know the information is inside the refresh_token but I can't decrypt it outside of the simple_oauth module. The use case is when a users phone is stolen, we need to force the user to login again.

SanderJP

Comments

Comment #1

15 March 2018 at 09:58

SanderJP created an issue. See original summary.

Comment #2

e0ipso

Catalan

Can Picafort

commented 17 March 2018 at 10:34

I have a button on a users account page to revoke all tokens, this works for the auth_code and access_tokens but not the refresh token.

It would be great to see this as a related contrib module! Do you happen to have the code available anywhere?

Comment #3

sanderjp commented 20 March 2018 at 09:18

The button is not that special, I hook into the user form and add a button. In the callback I grab the simple_oauth.expired_collector service and collect all tokens for the current account, and use deleteMultipleTokens(). I don't think that's enough for a submodule, but I could create a patch if you want.

But my question is why all the refresh tokens in the database are not connected to a user, is that normal? It's impossible to get the refresh token of given user with uid x, unless I'm missing something.

Comment #4

e0ipso

Catalan

Can Picafort

commented 24 March 2018 at 12:26

Title:

Cannot delete refresh tokens

» Delete refresh tokens from the user profile page

@SanderJP they have the information inside of the encrypted JWT.

It'd be great to have that patch here for others looking for this feature.

Comment #5

sanderjp commented 26 March 2018 at 07:45

I've added the button for an administrator to delete all the tokens of a user. So I don't have the session or JWT from the user when the button is clicked. So I'm not sure how to connect the uid from /user/[uid]/edit to a refresh token. I don't see any function to load a refresh token by uid.

As I said, I'm using deleteMultipleTokens() but this function never deletes refresh tokens (because they have no uid), so you cannot force someone to re-login at this point. They can always get a new access_token by their refresh token.

Comment #6

e0ipso

Catalan

Can Picafort

commented 26 March 2018 at 08:31

@SanderJP have you tried pasting your token in https://jwt.io? You'll see that the encoded string is a JSON document. Maybe the uid is in there.

Comment #7

sanderjp commented 28 March 2018 at 12:31

@e0ipso, to decrypt the JWT token in code, you need to go through the league oAuth2-server library, as you need the decryption key. I have not found a way to do this from the callback on the user edit page.

What I don't understand is that the access_token and the refresh_token are generated one after each other. The access_token is linked to a uid in the database, but the refresh_token is not. While both are executed within the same request. Any idea why that is?