Description
Problem
Coder currently does not revoke users' oauth tokens when they unlink an account.
This is explicitly called out here:
info="This does not revoke the access token from the oauth2 provider. |
RFC 7009 specifies a mechanism whereby OAuth authorization servers may expose an endpoint allowing immediate revocation of an access token or refresh token.
This is supported by the following external authentication providers:
- GitLab (https://docs.gitlab.com/ee/api/oauth2.html#revoke-a-token)
- Keycloak (https://www.keycloak.org/securing-apps/oidc-layers#_token_revocation_endpoint)
Unfortunately, this does not appear to be uniformly supported across providers.
It is currently unsupported, or its status is unknown, on these providers:
- BitBucket (https://jira.atlassian.com/browse/BCLOUD-22302)
- Entra ID (link TBD)
Some providers provide custom implementations not in line with the spec:
Proposed Solution
When a user unlinks their account, `coderd` should attempt to revoke the token via the `/revoke` endpoint if configured.
The token revocation endpoint should be specified by `CODER_EXTERNAL_AUTH_#_REVOKE_URL`.
This will be done on a 'best effort' basis. If the authorization server returns any response other than 200, we should assume that the token revocation failed and advise the user to delete the token manually.
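An added sketch of the best-effort revocation call described above (example code, not coder's own): `RevokeConfig`, `RevokeToken`, `ErrRevokeFailed` and the fake server are assumed names, and `RevokeURL` stands in for the value of `CODER_EXTERNAL_AUTH_#_REVOKE_URL`. It sends the RFC 7009 form POST with client authentication, treats any non-200 status as a failure the user must resolve manually, and skips providers without a configured endpoint.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrRevokeFailed is the "best effort" failure: any non-200 answer, after which the user is told to delete the token manually.
var ErrRevokeFailed = errors.New("token revocation failed; delete the token at the provider manually")
// RevokeConfig is a hypothetical per-provider config; RevokeURL stands in for CODER_EXTERNAL_AUTH_#_REVOKE_URL.
type RevokeConfig struct{ RevokeURL, ClientID, ClientSecret string }

// RevokeToken sends an RFC 7009 revocation request on unlink; hint is "access_token" or "refresh_token".
// attempted is false when no endpoint is configured; err wraps ErrRevokeFailed on any non-200 status.
func RevokeToken(ctx context.Context, cfg RevokeConfig, token, hint string) (attempted bool, err error) {
	if cfg.RevokeURL == "" {
		return false, nil
	}
	form := url.Values{"token": {token}, "token_type_hint": {hint}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, cfg.RevokeURL, strings.NewReader(form.Encode()))
	if err != nil {
		return true, fmt.Errorf("%w: %v", ErrRevokeFailed, err)
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(cfg.ClientID, cfg.ClientSecret) // client auth as in RFC 6749 section 2.3
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return true, fmt.Errorf("%w: %v", ErrRevokeFailed, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return true, fmt.Errorf("%w: status %d", ErrRevokeFailed, resp.StatusCode)
	}
	return true, nil
}

// NewFakeRevokeServer is a constructed stand-in for a provider's /revoke endpoint:
// 401 on wrong client credentials, 400 without a token, otherwise 200.
func NewFakeRevokeServer(id, secret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); !ok || u != id || p != secret {
			w.WriteHeader(http.StatusUnauthorized)
		} else if r.Method != http.MethodPost || r.FormValue("token") == "" {
			w.WriteHeader(http.StatusBadRequest)
		} // falling through sends the default 200 OK
	}))
}
```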