How to add Token Revocation to PhenixID Authentication Services OAuth2 Authorization Server

Prerequisites

- PAS 3.0 or higher installed

- OpenID Connect Provider configured using Scenarios->OIDC

- The PhenixID OIDC token endpoint must have returned an OAuth2 access_token whose value is bound to the session as an alias.

Add token revocation as an allowed operation

- Login to configuration manager

- Click the Advanced tab

- Open Modules (click on the pen)

- Locate the api module (com.phenixidentity~phenix-api-authenticate)

- Locate the tenant for the OpenID Connect Provider configured

- Add revoke as an allowed operation.

Example:

{
    "module": "com.phenixidentity~phenix-api-authenticate",
    "enabled": "true",
    "config": {
        "tenant": [
            {
                "id": "t1",
                "displayName": "Tenant1",
                "allowedOperation": [
                    "revoke"
                ]
            }
        ]
    },
    "id": "authapi_module"
}

NB! If you have multiple logical OpenID Connect Providers (tenants) and want different token revocation logic for different providers, rename revoke to something unique per tenant, for example revoke_t1. Make sure the pipe id is set to the same value (see the pipe step below).

- Click Stage Changes and Commit Changes


Add pipe to perform token revocation

- Click the Advanced tab

- Open Pipes (click on the pen)

- Add this pipe.

{
    "id": "revoke",
    "description": "Token revocation",
    "valves": [
        {
            "name": "RPBasicAuthenticationValve",
            "enabled": "true",
            "config": {}
        },
        {
            "name": "SessionLoadValve",
            "config": {
                "id": "{{request.token}}"
            }
        },
        {
            "name": "SessionRemoveValve",
            "config": {}
        }
    ]
}

- If the revoke operation was named something else, set the same value as the pipe id.

- Click Stage Changes and Commit Changes

Add revocation endpoint to Discovery data

- Click the Advanced tab

- Click OIDC_OP

- Locate the OP configuration for the OP provider (tenant)

- Add the token revocation endpoint by adding the config parameter revocation_endpoint. Its value must point to the pipe added above (the last path segment is the pipe id) and carry the tenant ID in the tenant query parameter.

"revocation_endpoint" : "https://<PAS_SERVER>/api/authentication/revoke?tenant=<TENANT_ID>",


FULL EXAMPLE:
{
        "id": "t1",
        "tenant": "t1",
        "guide_ref": "guides.authentication.oidc.uidpwdsms",
        "config": {
            "authorization_endpoint": "https://demo.phenixid.net/oidc/authenticate/oidc_otp",
            "userinfo_endpoint": "https://demo.phenixid.net/api/authentication/userinfo?tenant=t1",
            "revocation_endpoint": "https://demo.phenixid.net/api/authentication/revoke?tenant=t1",
            "issuer": "https://demo.phenixid.net/t1",
            "token_endpoint": "https://demo.phenixid.net/api/authentication/2a4b03b4-7073-4728-9149-6bb7409187e7?tenant=t1",
            "jwks_uri": "https://demo.phenixid.net/oidc_otp/.well-known/openid-configuration/jwks",
            "response_types_supported": [
                "code"
            ],
            "grant_types_supported": [
                "authorization_code"
            ],
            "subject_types_supported": [
                "public"
            ],
            "id_token_signing_alg_values_supported": [
                "RS256"
            ],
            "scopes_supported": [
                "openid"
            ],
            "token_endpoint_auth_methods_supported": [
                "none"
            ],
            "claims_supported": [
                "iss",
                "ver",
                "sub",
                "given_name",
                "family_name"
            ],
            "end_session_endpoint": "https://demo.phenixid.net/oidc/authenticate/logout/",
            "request_parameter_supported": "true",
            "signStore": "956bee24-98f0-41a5-9e27-76f8c89d1e1d"
        },
        "created": "2019-10-21T07:59:30.621Z"
    }


- If the revoke operation was named something else, use that same value as the last path segment of the revocation_endpoint URI.

Example:

"revocation_endpoint": "https://demo.phenixid.net/api/authentication/revoke_t1?tenant=t1",

Test

Use an HTTP REST client for testing and debugging. Follow the document "OAuth2 Token revocation - integration guide for developers" to structure the HTTP requests correctly.
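As an added example (not part of the PhenixID guide), the Python script below exercises the endpoint the way RFC 7009 describes it: a POST with the access token in the token form field (which is what the pipe reads as {{request.token}}) and the relying party's credentials as HTTP Basic auth for the first valve, followed by a replay of the same token against userinfo to confirm the session really was removed. The URLs come from the full example above; the client credentials, the Bearer header to userinfo and the 200/401 status expectations are assumptions to verify against the integration guide. The transport is injectable so the flow can be checked offline.

```python
import base64
from typing import Callable, Dict, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Transport: (method, url, headers, body) -> (status, response_text).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]

# Endpoints taken from the guide's full example (tenant t1).
BASE = "https://demo.phenixid.net"
REVOKE_URL = f"{BASE}/api/authentication/revoke?tenant=t1"
USERINFO_URL = f"{BASE}/api/authentication/userinfo?tenant=t1"


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, str]:
    """Real HTTP transport; returns (status, text) for 4xx/5xx responses too."""
    req = Request(url, data=body, headers=headers, method=method)
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def build_revocation_request(token: str, client_id: str, client_secret: str):
    """RFC 7009 shaped request: the access token in the 'token' form field
    (the pipe reads {{request.token}}) and the relying party's credentials as
    HTTP Basic auth for RPBasicAuthenticationValve. The credential values and
    the exact body format are assumptions; check the integration guide."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    return "POST", REVOKE_URL, headers, body


def revoke_and_verify(send: Transport, token: str, client_id: str,
                      client_secret: str) -> Dict[str, object]:
    """Revoke the token, then replay it against userinfo. Once SessionRemoveValve
    has run the token must be rejected; a 200 from userinfo after a 200 from the
    revocation endpoint means the session was not actually removed (assumed codes)."""
    status, _ = send(*build_revocation_request(token, client_id, client_secret))
    if status != 200:
        return {"revoked": False, "revoke_status": status, "userinfo_status": None}
    status, _ = send("GET", USERINFO_URL, {"Authorization": f"Bearer {token}"}, None)
    return {"revoked": status in (401, 403), "revoke_status": 200,
            "userinfo_status": status}
```

Against a live server call revoke_and_verify(urllib_transport, access_token, client_id, client_secret); a result with "revoked": False and "userinfo_status": 200 is the misconfiguration to look for (for example a pipe id that does not match the operation name).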