@@ -196,9 +196,11 @@ type FakeIDP struct {
196196// hookValidRedirectURL can be used to reject a redirect url from the
197197// IDP -> Application. Almost all IDPs have the concept of
198198// "Authorized Redirect URLs". This can be used to emulate that.
199- hookValidRedirectURL func (redirectURL string )error
200- hookUserInfo func (email string ) (jwt.MapClaims ,error )
201- hookAccessTokenJWT func (email string ,exp time.Time ) jwt.MapClaims
199+ hookValidRedirectURL func (redirectURL string )error
200+ hookUserInfo func (email string ) (jwt.MapClaims ,error )
201+ hookRevokeToken func () (int ,error )
202+ revokeTokenGitHubFormat bool // GitHub doesn't follow token revocation RFC spec
203+ hookAccessTokenJWT func (email string ,exp time.Time ) jwt.MapClaims
202204// defaultIDClaims is if a new client connects and we didn't preset
203205// some claims.
204206defaultIDClaims jwt.MapClaims
@@ -327,6 +329,19 @@ func WithStaticUserInfo(info jwt.MapClaims) func(*FakeIDP) {
327329}
328330}
329331
332+ func WithRevokeTokenRFC (revokeFunc func () (int ,error ))func (* FakeIDP ) {
333+ return func (f * FakeIDP ) {
334+ f .hookRevokeToken = revokeFunc
335+ }
336+ }
337+
338+ func WithRevokeTokenGitHub (revokeFunc func () (int ,error ))func (* FakeIDP ) {
339+ return func (f * FakeIDP ) {
340+ f .hookRevokeToken = revokeFunc
341+ f .revokeTokenGitHubFormat = true
342+ }
343+ }
344+
330345func WithDefaultIDClaims (claims jwt.MapClaims )func (* FakeIDP ) {
331346return func (f * FakeIDP ) {
332347f .defaultIDClaims = claims
@@ -358,6 +373,7 @@ type With429Arguments struct {
358373AuthorizePath bool
359374KeysPath bool
360375UserInfoPath bool
376+ RevokePath bool
361377DeviceAuth bool
362378DeviceVerify bool
363379}
@@ -387,6 +403,10 @@ func With429(params With429Arguments) func(*FakeIDP) {
387403http .Error (rw ,"429, being manually blocked (userinfo)" ,http .StatusTooManyRequests )
388404return
389405}
406+ if params .RevokePath && strings .Contains (r .URL .Path ,revokeTokenPath ) {
407+ http .Error (rw ,"429, being manually blocked (revoke)" ,http .StatusTooManyRequests )
408+ return
409+ }
390410if params .DeviceAuth && strings .Contains (r .URL .Path ,deviceAuth ) {
391411http .Error (rw ,"429, being manually blocked (device-auth)" ,http .StatusTooManyRequests )
392412return
@@ -408,8 +428,10 @@ const (
408428authorizePath = "/oauth2/authorize"
409429keysPath = "/oauth2/keys"
410430userInfoPath = "/oauth2/userinfo"
411- deviceAuth = "/login/device/code"
412- deviceVerify = "/login/device"
431+ // nolint:gosec // It also thinks this is a secret lol
432+ revokeTokenPath = "/oauth2/revoke"
433+ deviceAuth = "/login/device/code"
434+ deviceVerify = "/login/device"
413435)
414436
415437func NewFakeIDP (t testing.TB ,opts ... FakeIDPOpt )* FakeIDP {
@@ -486,6 +508,7 @@ func (f *FakeIDP) updateIssuerURL(t testing.TB, issuer string) {
486508TokenURL :u .ResolveReference (& url.URL {Path :tokenPath }).String (),
487509JWKSURL :u .ResolveReference (& url.URL {Path :keysPath }).String (),
488510UserInfoURL :u .ResolveReference (& url.URL {Path :userInfoPath }).String (),
511+ RevokeURL :u .ResolveReference (& url.URL {Path :revokeTokenPath }).String (),
489512DeviceCodeURL :u .ResolveReference (& url.URL {Path :deviceAuth }).String (),
490513Algorithms : []string {
491514"RS256" ,
@@ -756,6 +779,7 @@ type ProviderJSON struct {
756779TokenURL string `json:"token_endpoint"`
757780JWKSURL string `json:"jwks_uri"`
758781UserInfoURL string `json:"userinfo_endpoint"`
782+ RevokeURL string `json:"revocation_endpoint"`
759783DeviceCodeURL string `json:"device_authorization_endpoint"`
760784Algorithms []string `json:"id_token_signing_alg_values_supported"`
761785// This is custom
@@ -1146,6 +1170,29 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
11461170_ = json .NewEncoder (rw ).Encode (claims )
11471171}))
11481172
1173+ mux .Handle (revokeTokenPath ,http .HandlerFunc (func (rw http.ResponseWriter ,r * http.Request ) {
1174+ if f .revokeTokenGitHubFormat {
1175+ u ,p ,ok := r .BasicAuth ()
1176+ if ! ok || ! (u == f .clientID && p == f .clientSecret ) {
1177+ httpError (rw ,http .StatusForbidden ,xerrors .Errorf ("basic auth failed" ))
1178+ return
1179+ }
1180+ }else {
1181+ _ ,ok := validateMW (rw ,r )
1182+ if ! ok {
1183+ httpError (rw ,http .StatusForbidden ,xerrors .Errorf ("validation failed" ))
1184+ return
1185+ }
1186+ }
1187+
1188+ code ,err := f .hookRevokeToken ()
1189+ if err != nil {
1190+ httpError (rw ,code ,xerrors .Errorf ("hook err: %w" ,err ))
1191+ return
1192+ }
1193+ httpapi .Write (r .Context (),rw ,code ,"" )
1194+ }))
1195+
11491196// There is almost no difference between this and /userinfo.
11501197// The main tweak is that this route is "mounted" vs "handle" because "/userinfo"
11511198// should be strict, and this one needs to handle sub routes.
@@ -1474,12 +1521,16 @@ func (f *FakeIDP) ExternalAuthConfig(t testing.TB, id string, custom *ExternalAu
14741521DisplayName :id ,
14751522InstrumentedOAuth2Config :oauthCfg ,
14761523ID :id ,
1524+ ClientID :f .clientID ,
1525+ ClientSecret :f .clientSecret ,
14771526// No defaults for these fields by omitting the type
14781527Type :"" ,
14791528DisplayIcon :f .WellknownConfig ().UserInfoURL ,
14801529// Omit the /user for the validate so we can easily append to it when modifying
14811530// the cfg for advanced tests.
1482- ValidateURL :f .locked .IssuerURL ().ResolveReference (& url.URL {Path :"/external-auth-validate/" }).String (),
1531+ ValidateURL :f .locked .IssuerURL ().ResolveReference (& url.URL {Path :"/external-auth-validate/" }).String (),
1532+ RevokeURL :f .locked .IssuerURL ().ResolveReference (& url.URL {Path :revokeTokenPath }).String (),
1533+ RevokeTimeout :1 * time .Second ,
14831534DeviceAuth :& externalauth.DeviceAuth {
14841535Config :oauthCfg ,
14851536ClientID :f .clientID ,