Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Add an admin endpoint to allow authorizing server to signal token revocations #16125

Merged
merged 19 commits into from
Aug 22, 2023

Conversation

H-Shay
Copy link
Contributor

@H-Shay H-Shay commented Aug 16, 2023

As the title states - the endpoint removes the introspection token corresponding to the token id presented to the endpoint from the token cache.

This branch is based on the branch at #16117 and is a follow-up to that PR.

@H-Shay H-Shay requested a review from a team as a code owner August 16, 2023 22:23
synapse/rest/admin/oidc.py Outdated Show resolved Hide resolved
synapse/rest/admin/oidc.py Outdated Show resolved Hide resolved
Base automatically changed from shay/token_cache to develop August 17, 2023 17:53
# device_id -> introspection_token
# TODO: is there a way to check if the deletion request has come from MAS/OIDC
# authorizing server and only invalidate if that's the case?
if self.config.experimental.msc3861.enabled:
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am assuming this is the endpoint that MAS uses to delete devices?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking about it: we should put this somewhere where all device deletion requests hit it. That way any log out / device deletion correctly ensures the device isn't usable?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe in the data store?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hilariously I started with it there and then convinced myself that was overly broad - I've moved it back now.

@erikjohnston erikjohnston added the X-Release-Blocker Must be resolved before making a release label Aug 21, 2023
@@ -140,6 +140,21 @@ def pop(self, key: KT, default: T = SENTINEL) -> Union[VT, T]:

return value.value

def invalidate(self, keys: List[KT]) -> None:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

invalidate on the other caches just invalidates a single key. Let's do the same thing here to avoid confusion

@erikjohnston erikjohnston enabled auto-merge (squash) August 22, 2023 14:13
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
X-Release-Blocker Must be resolved before making a release
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants