feat: implement oauth2 RFC 7009 token revocation endpoint#20362
Conversation
// Secret is the raw secret value. This value should only be known to the client.
Secret string
Why are we storing the secret?
The Formatted stores the secret, so we were already storing the secret in this struct.
I added this field because the previous PR had 2 structs.
type parsedSecret struct {
prefix string
secret string
}
type AppSecret struct {
// Formatted contains the secret. This value is owned by the client, not the
// server. It is formatted to include the prefix.
Formatted string
// Prefix is the ID of this secret owned by the server. When a client uses a
// secret, this is the matching string to do a lookup on the hashed value. We
// cannot use the hashed value directly because the server does not store the
// salt.
Prefix string
// Hashed is the server stored hash(secret,salt,...). Used for verifying a
// secret.
Hashed string
}

The parseFormattedSecret was in registration.go. My refactor was to make 1 struct for the AppSecret and another for HashedAppSecret. I moved ParseFormattedSecret next to GenerateSecret. I think we still need to workshop some better names to not conflate with other Secrets. Since it is in the oauth2provider package, I think that helps disambiguate it from, say, an APIKey secret.
There is no new data being stored somewhere it was not previously.
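As an added illustration of the lookup-by-prefix scheme the comment above describes (example code, not the PR's or the project's own): the server keeps only the prefix and a salted hash, the prefix is the lookup key because the salted hash is different for every secret, and the hash is compared only after the lookup. The names GenerateSecret and ParseFormattedSecret follow the comment; the "<prefix>_<secret>" layout, the "<salt>$<hash>" encoding of the stored value and SHA-256 standing in for a real password KDF are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"strings"
)

// HashedAppSecret is the server-side record: lookup prefix plus salted hash ("<salt>$<hash>").
// The raw secret exists only in the client-held formatted value.
type HashedAppSecret struct {
	Prefix string
	Hashed string
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source
	}
	return hex.EncodeToString(b)
}
// hashSecret stands in for a real password KDF such as bcrypt (assumption for this example).
func hashSecret(saltHex, secret string) string {
	sum := sha256.Sum256([]byte(saltHex + secret))
	return hex.EncodeToString(sum[:])
}
// GenerateSecret returns the client-facing "<prefix>_<secret>" value and the server record.
func GenerateSecret() (string, HashedAppSecret) {
	prefix, secret, salt := randomHex(8), randomHex(32), randomHex(16)
	return prefix + "_" + secret, HashedAppSecret{Prefix: prefix, Hashed: salt + "$" + hashSecret(salt, secret)}
}
// ParseFormattedSecret splits "<prefix>_<secret>"; only the prefix is usable as a lookup key.
func ParseFormattedSecret(formatted string) (prefix, secret string, ok bool) {
	if prefix, secret, ok = strings.Cut(formatted, "_"); !ok || prefix == "" || secret == "" {
		return "", "", false
	}
	return prefix, secret, true
}
// VerifySecret looks the record up by prefix (the salted hash cannot be the key) and
// compares the recomputed hash in constant time, so a wrong secret takes as long as a right one.
func VerifySecret(store map[string]HashedAppSecret, formatted string) bool {
	prefix, secret, ok := ParseFormattedSecret(formatted)
	rec, found := store[prefix]
	if !ok || !found {
		return false
	}
	salt, want, _ := strings.Cut(rec.Hashed, "$")
	return subtle.ConstantTimeCompare([]byte(hashSecret(salt, secret)), []byte(want)) == 1
}
```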
code-asher
left a comment
No blocking comments from me!
31a1f6f to daf8ce3
Taken from #18809
The linked PR is too big; I refactored some functions and fixed the test.
What this does
Adds RFC 7009 token revocation endpoint