PhenixID DocumentationPhenixID Authentication ServicesSolutionsOpenIDConnect (OIDC) / OAuthHow to add Token Revocation to PhenixID Authentication Services OAuth2 Authorization Server

How to add Token Revocation to PhenixID Authentication Services OAuth2 Authorization Server

Prerequisites

- PAS 3.0 or higher installed

- OpenID Connect Provider configured using Scenarios->OIDC

- The PhenixID OIDC token endpoint must have returned an OAuth2 access_token, which value is bound to the session as an alias.

Add token revocation as an allowed operation

- Login to configuration manager

- Click the Advanced tab

- Open Modules (click on the pen)

- Locate the api module (com.phenixidentity~phenix-api-authenticate)

- Locate the tenant for the OpenID Connect Provider configured

- Add revoke as an allowed operation.

Example:

{
		"module": "com.phenixidentity~phenix-api-authenticate",
		"enabled": "true",
		"config": {
			"tenant": [
				{
					"id": "t1",
					"displayName": "Tenant1",
					"allowedOperation": [
						"revoke"
					]
}
			]
		},
		"id": "authapi_module"
	}

NB! If you have multiple logical OpenID Connect Providers (=tenants) and you would like to configure different token revocation logic for different providers, then rename revoke to something unique for the tenant, for example revoke_t1. Also make sure to set the pipe id to the same value (see later step).

- Click Stage Changes and Commit Changes

 

Add pipe to perform token revocation

- Click the Advanced tab

- Open Pipes (click on the pen)

- Add this pipe.

{
		"id": "revoke",
		"description": "Token revocation",
		"valves": [
			{
				"name": "RPBasicAuthentictionValve",
				"enabled": "true",
				"config": {}
			},
			{
				"name": "SessionLoadValve",
				"config": {
					"id": "{{request.token}}"
				}
			},
			{
				"name": "SessionRemoveValve",
				"config": {}
			}
		]
	}	
}

- If the revoke operation was named something else, set the same value as the pipe id.

- Click Stage Changes and Commit Changes

Add revocation endpoint to Discovery data

- Click the Advanced tab

- Click OIDC_OP

- Locate the OP configuration for the OP provider (tenant)

- Add the token revocation endpoint by adding the config parameter revocation_endpoint with a value pointing to the pipe previously added. Also, add the tenant ID to the URL. 

"revocation_endpoint" : "https://<PAS_SERVER>/api/authentication/revoke?tenant=<TENANT_ID>",


FULL EXAMPLE:
{
        "id": "t1",
        "tenant": "t1",
        "guide_ref": "guides.authentication.oidc.uidpwdsms",
        "config": {
            "authorization_endpoint": "https://demo.phenixid.net/oidc/authenticate/oidc_otp",
            "userinfo_endpoint": "https://demo.phenixid.net/api/authentication/userinfo?tenant=t1",
            "revocation_endpoint": "https://demo.phenixid.net/api/authentication/revoke?tenant=t1",
            "issuer": "https://demo.phenixid.net/t1",
            "token_endpoint": "https://demo.phenixid.net/api/authentication/2a4b03b4-7073-4728-9149-6bb7409187e7?tenant=t1",
            "jwks_uri": "https://demo.phenixid.net/oidc_otp/.well-known/openid-configuration/jwks",
            "response_types_supported": [
                "code"
            ],
            "grant_types_supported": [
                "authorization_code"
            ],
            "subject_types_supported": [
                "public"
            ],
            "id_token_signing_alg_values_supported": [
                "RS256"
            ],
            "scopes_supported": [
                "openid"
            ],
            "token_endpoint_auth_methods_supported": [
                "none"
            ],
            "claims_supported": [
                "iss",
                "ver",
                "sub",
                "given_name",
                "family_name"
            ],
            "end_session_endpoint": "https://demo.phenixid.net/oidc/authenticate/logout/",
            "request_parameter_supported": "true",
            "signStore": "956bee24-98f0-41a5-9e27-76f8c89d1e1d"
        },
        "created": "2019-10-21T07:59:30.621Z"
    }


- If the revoke operation was named something else, set the same value as the last part of the revocation_endpoint uri.

Example:

"revocation_endpoint": "https://demo.phenixid.net/api/authentication/revoke_t1?tenant=t1",

Test

Use a HTTP rest client for testing and debugging. Follow the document OAuth2 Token revocation - integration guide for developers to structure the HTTP requests properly.