Unable to revoke the OAuth2 token from the staging environment #483

Open
eb-ib opened this issue Dec 4, 2024 · 1 comment
eb-ib commented Dec 4, 2024

While I have been able to obtain the OAuth2 access token (and its accompanying refresh token) on the staging environment and also perform scrobble API calls from my Android mobile app to that env successfully, I have been unable to revoke said token, no matter what I try. (I know that OAuth2 token revocation is not strictly necessary for the Trakt API, but I do want to give the user of the app the option to end the session.)

At this point, I have a few questions, please:

  1. For the OAuth2 auth code flow, I am using the AppAuth-Android library. I would think that the revoke call can be performed via any regular HTTP library, but perhaps am I also supposed to use an OAuth2 library like AppAuth-Android for this?
  2. For the Authorize endpoint (oauth/authorize), the docs (https://trakt.docs.apiary.io/#reference/authentication-oauth/authorize/authorize-application) indicate that the client should use the https://(staging.)trakt.tv host instead of the api host used for non-auth requests. Does this apply to the oauth/revoke endpoint, too? (I don't think it does.)

Here's the request I am making from the Android mobile app via the same HTTP library I use for the (successful) scrobble operations, but formatted as if it were a cURL request (note that I have tried either https://staging.trakt.tv or https://api-staging.trakt.tv for <host>, with the same result described below):

```bash
curl -v -X POST \
  -H 'trakt-api-key: <app-api-key>' \
  -H 'trakt-api-version: 2' \
  -H 'Content-Type: application/json; charset=UTF-8' \
  -H 'Content-Length: 238' \
  -H 'Host: <host>' \
  -H 'Connection: Keep-Alive' \
  -H 'Accept-Encoding: gzip' \
  -H 'User-Agent: okhttp/4.12.0' \
  --data $'{"client_id":"<app-client-id>","client_secret":"<app-client-secret>","token":"<oauth2-access-token>"}' \
  --compressed 'https://<host>/oauth/revoke'
```

This request (and many other variations) always returns the 200 status code, but the Connected Apps section on the Trakt website still shows the access token.

Any help will be appreciated.


eb-ib commented Dec 4, 2024

Just to report that this is working for me now, with no code change on my side, right after I reported my problem here. Perhaps I was doing something wrong during my tests. Thanks anyway!

For anyone interested, I will reply to my own questions above:

  1. Any regular HTTP library should work for this.
  2. It looks like the api host is used for OAuth2 token revocation (e.g., https://api-staging.trakt.tv for the staging environment).
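Because the revoke call in this thread returned 200 whether or not the token disappeared from Connected Apps, a client can confirm revocation by replaying the token afterwards and requiring a 401. The following Python is an added example, not code from the poster or from Trakt; the probe path `/users/settings`, the `Authorization: Bearer` header and the `FakeServer` stand-in are assumptions, and all credentials are placeholders.

```python
import json
import urllib.error
import urllib.request

API_HOST = "https://api-staging.trakt.tv"  # host the thread reports working for /oauth/revoke
PROBE_PATH = "/users/settings"  # assumption: an endpoint that answers 401 to a dead token

def _status(req, opener):
    """Send req and return the HTTP status; urlopen raises on 4xx/5xx, so unwrap that."""
    try:
        with opener(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def revoke_and_verify(api_key, client_id, client_secret, token, opener=urllib.request.urlopen):
    """Revoke `token`, then prove it is dead instead of trusting the 200 from revoke."""
    base = {"Content-Type": "application/json", "trakt-api-key": api_key, "trakt-api-version": "2"}
    body = json.dumps({"client_id": client_id, "client_secret": client_secret, "token": token})
    revoke = urllib.request.Request(API_HOST + "/oauth/revoke", data=body.encode(),
                                    headers=base, method="POST")
    revoke_status = _status(revoke, opener)
    # Assumption: the access token is presented as a bearer token on API calls.
    probe = urllib.request.Request(API_HOST + PROBE_PATH,
                                   headers={**base, "Authorization": "Bearer " + token})
    probe_status = _status(probe, opener)
    return {"revoke_status": revoke_status, "probe_status": probe_status,
            "revoked": revoke_status == 200 and probe_status == 401}

class FakeServer:
    """Constructed offline stand-in; honours_revoke=False reproduces '200 but still connected'."""
    class _Resp:
        def __init__(self, status): self.status = status
        def __enter__(self): return self
        def __exit__(self, *exc): return False
    def __init__(self, live_token, honours_revoke):
        self.live, self.honours_revoke = {live_token}, honours_revoke
    def __call__(self, req):
        if req.full_url.endswith("/oauth/revoke"):
            if self.honours_revoke:
                self.live.discard(json.loads(req.data)["token"])
            return self._Resp(200)  # revoke answers 200 in both cases, as in the thread
        bearer = req.get_header("Authorization", "")[len("Bearer "):]
        return self._Resp(200 if bearer in self.live else 401)

def demo():
    args = ("key-PLACEHOLDER", "id-PLACEHOLDER", "secret-PLACEHOLDER", "tok-PLACEHOLDER")
    return (revoke_and_verify(*args, opener=FakeServer(args[3], True)),
            revoke_and_verify(*args, opener=FakeServer(args[3], False)))
```

With the default `opener`, the same function issues the two requests over the network; `demo()` runs both outcomes offline against the constructed server.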
