Twitch token '/revoke' endpoint is a POST request, and requires the originally issued Auth token #513
Comments
I'm not able to look at this closely at the moment but I think there's a way to create an endpoint in nginx to receive a redirect from Vouch Proxy that will then generate a POST to Twitch. Might need to carry the auth token in a variable somehow. https://marekfoss.org/2020/03/22/how-to-rewrite-or-redirect-post-requests-in-apache-and-nginx/ I'll take a closer look later.
That's my sticking point. I was trying to do this in PHP, but the auth token is only exposed in the id.twitch.tv cookie, so I can't read it to perform the POST on the user's behalf. I'll look into the idea of the nginx redirect, but any help from your side is also appreciated!
@ipat8 yeah, at this point that's going to require storing the token outside of VP, and making an independent call to revocation is a bit beyond the scope of what VP usually does. VP is not very concerned with the management of the IdP's token(s). If the IdP passes you back as authenticated then VP will authorize access. VP does not require the IdP's token for that transaction. That said, the IdP's auth token can be passed down to the underlying app in an HTTP header, so to that extent perhaps it's of concern to manage its lifecycle.
I could see this being a new feature of VP that gets baked into
I can't find anything in the spec that suggests that an IdP's
I'm a little hesitant to say "PRs welcome" but maybe I'm talking my way into that.
@bnfinet A few further questions & answers then:
Would I be able to deploy something like Keycloak as an intermediary between Vouch and Twitch, and have Keycloak handle the logout? (I realize that's outside of your scope, but a general question.)
How would I go about doing this? I already pass a few of the claims into the HTTP header, but I have been unable to find what I should be using to pass the auth token. If I can pass it to an HTTP header, I can solve it with PHP from there. https://dev.twitch.tv/docs/authentication/getting-tokens-oidc#requesting-claims shows a list of claims I can request, and I don't see the app token in there.
https://dev.twitch.tv/docs/authentication/revoke-tokens & https://discuss.dev.twitch.tv/t/oidc-logout-uri-redirect/42272
I know enough Go to be able to compile things, but if there is already an existing example of storing the auth token to make requests on the user's behalf I can try and see if I could mangle it into doing it for Twitch.
Bumping this issue somewhat. I have the same issue, except I'm trying to implement sign-out behavior for our Google provider. As per Google's documentation, the Google OAuth endpoint (https://oauth2.googleapis.com/revoke) accepts only POST requests (Header value I'll open up another issue, but it seems like this revoke behavior extends beyond just Twitch.
I'd argue that it's the same issue, but maybe the issue should be more general. Providing the token would be extremely useful as a feature. |
I was able to pull the original auth token by setting In the meantime, I should be able to pull that
Here is the solution I found for google. I'm sure it can be tweaked for Twitch as well. |
Describe the problem
Twitch expects a POST request, not a redirect to https://id.twitch.tv/oauth2/revoke, to log out a user. Vouch sends the user to the site and drops them at a 200 OK page with no way to redirect.
Expected behavior
Vouch makes the request for the user on the backend when they hit the /logout endpoint and redirects them to an arbitrary page when it receives the 200 response.
Additional context
My main goal here is to have a fully working auth flow with Twitch. E.g., a user can sign in, use the app, and sign out, but at sign out they should get redirected back to my main page after revoking their Twitch token.
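The flow described under "Expected behavior" (server-side POST to the IdP's revoke endpoint, then a redirect once it returns 200), sketched as an added Go example. This is not Vouch Proxy code and not a patch to it; it is a stand-alone handler showing the shape of the logic. Assumptions: the upstream proxy has already placed the IdP token in a request header (the header name `X-Vouch-IdP-AccessToken` is assumed, not taken from this thread), the revoke endpoint accepts a form body with `token` and `client_id` as the linked Twitch and Google docs describe, and the cookie name cleared at the end is a placeholder. The fake IdP in `main` exists only so the example runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// RevokeConfig describes the IdP revocation endpoint and where to send the user
// afterwards. Field values below are assumptions for this example.
type RevokeConfig struct {
	RevokeURL   string // e.g. https://id.twitch.tv/oauth2/revoke or https://oauth2.googleapis.com/revoke
	ClientID    string // sent as client_id when non-empty (Twitch requires it)
	TokenHeader string // request header carrying the IdP token (assumed: X-Vouch-IdP-AccessToken)
	RedirectURL string // page the user lands on after a successful revocation
}

const revokeTimeout = 10 * time.Second

// RevokeToken POSTs the token to the revocation endpoint as a form body and
// returns nil on any 2xx response. On failure the error carries the status and
// at most 512 bytes of the response body; the token itself is never included.
func RevokeToken(ctx context.Context, client *http.Client, cfg RevokeConfig, token string) error {
	if token == "" {
		return errors.New("revoke: no token supplied")
	}
	form := url.Values{"token": {token}}
	if cfg.ClientID != "" {
		form.Set("client_id", cfg.ClientID)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, cfg.RevokeURL, strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 512))
		return fmt.Errorf("revoke: %s returned %d: %s", cfg.RevokeURL, resp.StatusCode, strings.TrimSpace(string(body)))
	}
	return nil
}

// LogoutHandler revokes the caller's IdP token server-side, then redirects.
// It fails closed: if the IdP does not confirm revocation, the session cookie
// is left alone and the user sees an error instead of a false "signed out".
func LogoutHandler(client *http.Client, cfg RevokeConfig) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := r.Header.Get(cfg.TokenHeader)
		ctx, cancel := context.WithTimeout(r.Context(), revokeTimeout)
		defer cancel()
		if err := RevokeToken(ctx, client, cfg, token); err != nil {
			http.Error(w, "logout failed: token could not be revoked", http.StatusBadGateway)
			return
		}
		// Placeholder cookie name; clear the local session only after the IdP said 2xx.
		http.SetCookie(w, &http.Cookie{Name: "SessionCookie", Value: "", Path: "/", MaxAge: -1, HttpOnly: true, Secure: true})
		http.Redirect(w, r, cfg.RedirectURL, http.StatusFound)
	})
}

func main() {
	// Constructed stand-in for the IdP's revoke endpoint so the example runs offline.
	idp := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "revoke requires POST", http.StatusMethodNotAllowed)
			return
		}
		_ = r.ParseForm()
		fmt.Printf("fake IdP: revoked token=%q client_id=%q\n", r.PostForm.Get("token"), r.PostForm.Get("client_id"))
	}))
	defer idp.Close()

	cfg := RevokeConfig{RevokeURL: idp.URL, ClientID: "constructed-client-id",
		TokenHeader: "X-Vouch-IdP-AccessToken", RedirectURL: "https://example.test/"}
	req := httptest.NewRequest(http.MethodGet, "/logout", nil)
	req.Header.Set(cfg.TokenHeader, "constructed-token")
	rr := httptest.NewRecorder()
	LogoutHandler(idp.Client(), cfg).ServeHTTP(rr, req)
	fmt.Printf("logout -> %d Location=%s\n", rr.Code, rr.Header().Get("Location"))
}
```

The handler deliberately does not clear the local session or redirect until the revoke call returns 2xx; a revocation that silently failed would leave a live IdP token behind while telling the user they are signed out. A missing token is treated as an error for the same reason.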