Friday, July 1, 2016

How to revoke access tokens belonging to a user without logging in to the Identity Server dashboard and without knowing the application's internal details (WSO2 API Manager, Identity Server)

The Identity Server dashboard is only available in the full Identity Server profile; it does not run inside the API Manager runtime. The dashboard itself, however, makes exactly the SOAP calls listed below, so you can make them directly.
If no node in your deployment runs the full Identity Server profile, you have two options.
01. As discussed earlier, reduce the exposure of a leaked token by shortening the access/refresh token lifetimes, or by disabling the refresh token grant entirely.
02. Implement a custom web application in which users log in and revoke their own tokens through the web service calls below. This requires some development and UI work.

Below are the complete steps to list your applications and revoke the tokens issued through them.
You can try this with SoapUI or any other SOAP client. I assume you have installed the latest patches issued for API Manager.

Generate an access token using the password grant type (any other grant type works as well):
curl -k -d "grant_type=password&username=sanjeewa&password=sanjeewa" -H "Authorization: Basic ajdNc2pIUzBBMHkwQW9XcUlxcWcyMDZROEdVYTpLNXFPVV9HSDNSZWtNZV91d240U2pUVldscTRh" https://10.100.1.23:8243/token
{"scope":"default","token_type":"Bearer","expires_in":3600,"refresh_token":"0caede403416ba001cb735c4b3b87ea4","access_token":"a745bd59ecd37afd84f686b887e9ff5d"}

Now use the generated token to invoke an API. The call succeeds:
curl -X GET --header "Accept: application/json" --header "Authorization: Bearer a745bd59ecd37afd84f686b887e9ff5d" "http://10.100.1.23:8280/calc/1.0/add?x=4&y=4"
{"answer": "8.0"}

Now let's revoke the token using the OAuthAdminService SOAP service.
URL: https://sanjeewa-ThinkPad-X1-Carbon-3rd:9443/services/OAuthAdminService
Note that the request is authenticated with HTTP Basic credentials of the user whose tokens are being revoked, and the request payload must carry the name of the application whose tokens you want revoked.

One limitation is that you need to know the application name before performing this operation. The Identity Server dashboard shows all application names, but there is a web service for that as well: getAppsAuthorizedByUser, shown next.

Request:
POST https://sanjeewa-ThinkPad-X1-Carbon-3rd:9443/services/OAuthAdminService.OAuthAdminServiceHttpsSoap11Endpoint HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "urn:getAppsAuthorizedByUser"
Authorization: Basic YWRtaW46YWRtaW4=
Content-Length: 231
Host: sanjeewa-ThinkPad-X1-Carbon-3rd:9443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getAppsAuthorizedByUser/>
   </soapenv:Body>
</soapenv:Envelope>

Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getAppsAuthorizedByUserResponse xmlns:ns="http://org.apache.axis2/xsd" xmlns:ax2434="http://dto.oauth.identity.carbon.wso2.org/xsd" xmlns:ax2430="http://oauth.identity.carbon.wso2.org/xsd" xmlns:ax2431="http://base.identity.carbon.wso2.org/xsd">
         <ns:return xsi:type="ax2434:OAuthConsumerAppDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ax2434:OAuthVersion xsi:nil="true"/>
            <ax2434:applicationName>admin_rest_api_publisher</ax2434:applicationName>
            <ax2434:callbackUrl xsi:nil="true"/>
            <ax2434:grantTypes>urn:ietf:params:oauth:grant-type:saml2-bearer iwa:ntlm implicit refresh_token client_credentials authorization_code password</ax2434:grantTypes>
            <ax2434:oauthConsumerKey>IVPk3cKAsyo2tZImmvv0cD7kkXAa</ax2434:oauthConsumerKey>
            <ax2434:oauthConsumerSecret xsi:nil="true"/>
            <ax2434:username>admin@carbon.super</ax2434:username>
         </ns:return>
         <ns:return xsi:type="ax2434:OAuthConsumerAppDTO" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ax2434:OAuthVersion xsi:nil="true"/>
            <ax2434:applicationName>admin_DefaultApplication_PRODUCTION</ax2434:applicationName>
            <ax2434:callbackUrl xsi:nil="true"/>
            <ax2434:grantTypes>urn:ietf:params:oauth:grant-type:saml2-bearer iwa:ntlm implicit refresh_token client_credentials authorization_code password</ax2434:grantTypes>
            <ax2434:oauthConsumerKey>j7MsjHS0A0y0AoWqIqqg206Q8GUa</ax2434:oauthConsumerKey>
            <ax2434:oauthConsumerSecret xsi:nil="true"/>
            <ax2434:username>admin@carbon.super</ax2434:username>
         </ns:return>
      </ns:getAppsAuthorizedByUserResponse>
   </soapenv:Body>
</soapenv:Envelope>


As you can see, this lists the applications the authenticated user has authorized. The listing above was made with admin:admin (the Basic header decodes to that), so it shows admin's applications; call it as the user whose tokens you intend to revoke.
Pick the required application and revoke its tokens for that user as shown in the steps below. The revocation request is authenticated as sanjeewa and names sanjeewa@carbon.super as the authorized user.

Complete Request:
POST https://sanjeewa-ThinkPad-X1-Carbon-3rd:9443/services/OAuthAdminService.OAuthAdminServiceHttpsSoap11Endpoint HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "urn:revokeAuthzForAppsByResoureOwner"
Authorization: Basic c2FuamVld2E6c2FuamVld2E=
Content-Length: 811
Host: sanjeewa-ThinkPad-X1-Carbon-3rd:9443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:xsd="http://org.apache.axis2/xsd" 
xmlns:xsd1="http://dto.oauth.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:revokeAuthzForAppsByResoureOwner>
         <!--Optional:-->
         <xsd:revokeRequestDTO>
            <!--Zero or more repetitions:-->
            <xsd1:apps>admin_DefaultApplication_PRODUCTION</xsd1:apps>
            <!--Optional:-->
            <xsd1:authzUser>sanjeewa@carbon.super</xsd1:authzUser>
            <!--Optional:-->
            <xsd1:consumerKey></xsd1:consumerKey>
            <!--Optional:-->
            <xsd1:consumerSecret></xsd1:consumerSecret>
         </xsd:revokeRequestDTO>
      </xsd:revokeAuthzForAppsByResoureOwner>
   </soapenv:Body>
</soapenv:Envelope>



Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">

   <soapenv:Body>
      <ns:revokeAuthzForAppsByResoureOwnerResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:type="ax2434:OAuthRevocationResponseDTO" xmlns:ax2434="http://dto.oauth.identity.carbon.wso2.org/xsd" xmlns:ax2430="http://oauth.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ax2431="http://base.identity.carbon.wso2.org/xsd">
            <ax2434:error>false</ax2434:error>
            <ax2434:errorCode xsi:nil="true"/>
            <ax2434:errorMsg xsi:nil="true"/>
         </ns:return>
      </ns:revokeAuthzForAppsByResoureOwnerResponse>
   </soapenv:Body>
</soapenv:Envelope>



We have now revoked all tokens this user obtained through the default application. Let's invoke the API again with a token issued to that application and see what happens.

curl -X GET --header "Accept: application/json" --header "Authorization: Bearer 2824ce3682f3cc1396a32dbc0dd4f92a" "http://10.100.1.23:8280/calc/1.0/add?x=4&y=4"
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
   <ams:code>900901</ams:code>
   <ams:message>Invalid Credentials</ams:message>
   <ams:description>Access failure for API: /calc/1.0, version: 1.0. Make sure your have given the correct access token</ams:description>
</ams:fault>


The access token has been revoked and can no longer be used.
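The whole procedure above, as an added example that is not part of the original post or of WSO2's own code: a small Python script that builds the two SOAP requests, parses the responses (treating Axis2's xsi:nil fields as null), recovers the consumer key from the Basic header that was sent to /token, matches it to an application name from getAppsAuthorizedByUser, and revokes that application's tokens for the calling user. Assumptions not in the post: the same resource-owner credentials are used for both the listing and the revocation (the post's captures list as admin and revoke as sanjeewa), the super tenant (carbon.super), TLS verification left on by default, and the sample responses embedded below are copied from the captures above so the parsing can run offline.

```python
import base64, ssl, sys, urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XSD_NS = "http://org.apache.axis2/xsd"                    # service operations and <ns:return>
DTO_NS = "http://dto.oauth.identity.carbon.wso2.org/xsd"  # OAuthConsumerAppDTO / revoke DTO fields
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
ENDPOINT_PATH = "/services/OAuthAdminService.OAuthAdminServiceHttpsSoap11Endpoint"
VERIFY_TLS = True  # set False only in a lab still running the default self-signed Carbon certificate

def basic_auth(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def consumer_key_from_basic(header):
    """Recover the consumer key from the client's Basic header that was sent to /token."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme != "Basic":
        raise ValueError("not an HTTP Basic header")
    return base64.b64decode(encoded).decode().split(":", 1)[0]

def build_list_request():
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:xsd="{XSD_NS}"><soapenv:Header/>'
            "<soapenv:Body><xsd:getAppsAuthorizedByUser/></soapenv:Body></soapenv:Envelope>")

def build_revoke_request(app_names, authz_user):
    # The operation really is spelled "Resoure" in the WSDL; consumerKey/consumerSecret are optional and omitted.
    apps = "".join(f"<xsd1:apps>{escape(a)}</xsd1:apps>" for a in app_names)
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:xsd="{XSD_NS}" xmlns:xsd1="{DTO_NS}">'
            f"<soapenv:Header/><soapenv:Body><xsd:revokeAuthzForAppsByResoureOwner><xsd:revokeRequestDTO>{apps}"
            f"<xsd1:authzUser>{escape(authz_user)}</xsd1:authzUser></xsd:revokeRequestDTO>"
            "</xsd:revokeAuthzForAppsByResoureOwner></soapenv:Body></soapenv:Envelope>")

def _field(elem, local):
    child = elem.find(f"{{{DTO_NS}}}{local}")
    return None if child is None or child.get(f"{{{XSI_NS}}}nil") == "true" else child.text  # xsi:nil = null

def parse_apps(xml_text):
    """One dict per OAuthConsumerAppDTO <ns:return> in a getAppsAuthorizedByUser response."""
    return [{"applicationName": _field(r, "applicationName"), "oauthConsumerKey": _field(r, "oauthConsumerKey"),
             "grantTypes": (_field(r, "grantTypes") or "").split(), "owner": _field(r, "username")}
            for r in ET.fromstring(xml_text).iter(f"{{{XSD_NS}}}return")]

def find_app_for_consumer_key(apps, consumer_key):
    return next((a["applicationName"] for a in apps if a["oauthConsumerKey"] == consumer_key), None)

def revoke_succeeded(xml_text):
    """True when OAuthRevocationResponseDTO.error is false; raise with the server's message otherwise."""
    root = ET.fromstring(xml_text)
    error = root.find(f".//{{{DTO_NS}}}error")
    if error is None:
        raise ValueError("no OAuthRevocationResponseDTO in response")
    if error.text == "true":
        code, msg = root.findtext(f".//{{{DTO_NS}}}errorCode"), root.findtext(f".//{{{DTO_NS}}}errorMsg")
        raise RuntimeError(f"revocation failed: {code}: {msg}")
    return True

# Sample responses copied from the post's captures, with whitespace and unused xmlns declarations condensed.
SAMPLE_LIST_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>
<ns:getAppsAuthorizedByUserResponse xmlns:ns="{XSD_NS}" xmlns:ax2434="{DTO_NS}" xmlns:xsi="{XSI_NS}">
<ns:return xsi:type="ax2434:OAuthConsumerAppDTO"><ax2434:OAuthVersion xsi:nil="true"/>
<ax2434:applicationName>admin_rest_api_publisher</ax2434:applicationName><ax2434:callbackUrl xsi:nil="true"/>
<ax2434:grantTypes>urn:ietf:params:oauth:grant-type:saml2-bearer iwa:ntlm implicit refresh_token client_credentials authorization_code password</ax2434:grantTypes>
<ax2434:oauthConsumerKey>IVPk3cKAsyo2tZImmvv0cD7kkXAa</ax2434:oauthConsumerKey><ax2434:oauthConsumerSecret xsi:nil="true"/>
<ax2434:username>admin@carbon.super</ax2434:username></ns:return>
<ns:return xsi:type="ax2434:OAuthConsumerAppDTO"><ax2434:OAuthVersion xsi:nil="true"/>
<ax2434:applicationName>admin_DefaultApplication_PRODUCTION</ax2434:applicationName><ax2434:callbackUrl xsi:nil="true"/>
<ax2434:grantTypes>urn:ietf:params:oauth:grant-type:saml2-bearer iwa:ntlm implicit refresh_token client_credentials authorization_code password</ax2434:grantTypes>
<ax2434:oauthConsumerKey>j7MsjHS0A0y0AoWqIqqg206Q8GUa</ax2434:oauthConsumerKey><ax2434:oauthConsumerSecret xsi:nil="true"/>
<ax2434:username>admin@carbon.super</ax2434:username></ns:return>
</ns:getAppsAuthorizedByUserResponse></soapenv:Body></soapenv:Envelope>"""
SAMPLE_REVOKE_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>
<ns:revokeAuthzForAppsByResoureOwnerResponse xmlns:ns="{XSD_NS}"><ns:return xsi:type="ax2434:OAuthRevocationResponseDTO"
xmlns:ax2434="{DTO_NS}" xmlns:xsi="{XSI_NS}"><ax2434:error>false</ax2434:error><ax2434:errorCode xsi:nil="true"/>
<ax2434:errorMsg xsi:nil="true"/></ns:return></ns:revokeAuthzForAppsByResoureOwnerResponse></soapenv:Body></soapenv:Envelope>"""

def soap_call(host, action, body, auth_header):
    """POST one SOAP 1.1 request to OAuthAdminService over HTTPS and return the response body."""
    ctx = ssl.create_default_context()
    if not VERIFY_TLS:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    headers = {"Content-Type": "text/xml;charset=UTF-8", "SOAPAction": f'"urn:{action}"', "Authorization": auth_header}
    req = urllib.request.Request(f"https://{host}{ENDPOINT_PATH}", data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    # usage: python revoke_tokens.py HOST:9443 USERNAME PASSWORD CONSUMER_KEY   (super tenant assumed)
    host, user, password, ckey = sys.argv[1:5]
    auth = basic_auth(user, password)  # the resource owner lists and revokes their own authorizations
    app = find_app_for_consumer_key(parse_apps(soap_call(host, "getAppsAuthorizedByUser", build_list_request(), auth)), ckey)
    if app is None:
        sys.exit(f"{user} holds no tokens for consumer key {ckey}; nothing to revoke")
    revoke_succeeded(soap_call(host, "revokeAuthzForAppsByResoureOwner", build_revoke_request([app], f"{user}@carbon.super"), auth))
    print(f"revoked every token issued to {user} via {app}")
```

Two points worth keeping in mind when using this: revokeAuthzForAppsByResoureOwner clears every access and refresh token the named user holds for that application, not a single token, so a client that still has a copy of the refresh token cannot renew; and the consumer key is matched against the listing returned for the same credentials, so if the key is not in the list the script stops rather than sending a revocation that would succeed with nothing to revoke.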
