revokeGrant not implemented in handleTokenRequest?

[DevInABoxLLC]

In the handleMetadataDiscovery the line 'revocation_endpoint: tokenEndpoint' tells all clients that they can send revocation requests to the same URL as the token endpoint.

The main router in the fetch method directs all requests for the tokenEndpoint to the handleTokenRequest function. This is the function that should contain the logic for both issuing tokens and revoking them. However, it completely lacks the revocation part.

It will return an unsupported_grant_type error.

However - I noticed we have a function called revokeGrant within OAuthHelpersImpl

This seems like it would work - however it is missing from handleTokenRequest

Is this an oversight?

[kentonv]

Yes, I think this is an oversight and we should fix it.

[DevInABoxLLC]

Would this fix work to add the missing revocation_endpoint:

Add the following to fetch:

if (url.pathname === REVOCATION_ENDPOINT_PATH && request.method === 'POST') {
return handleRevocationRequest(request, env); // Direct to new handler
}

handleRevocationRequest:

private async handleRevocationRequest(request: Request, env: any): Promise<Response> {
  // Only accept POST requests
  if (request.method !== 'POST') {
    return this.createErrorResponse('invalid_request', 'Method not allowed', 405);
  }

  let formData: FormData;
  try {
    formData = await request.formData();
  } catch (error) {
    return this.createErrorResponse('invalid_request', 'Invalid request body format', 400);
  }

  const tokenToRevoke = formData.get('token')?.toString();

  let clientId: string | undefined;
  let clientSecret: string | undefined;

  const authHeader = request.headers.get('Authorization');
  if (authHeader && authHeader.startsWith('Basic ')) {
    // Basic auth
    const credentials = atob(authHeader.substring(6));
    const [id, secret] = credentials.split(':');
    clientId = id;
    clientSecret = secret || '';
  } else {
    clientId = formData.get('client_id')?.toString();
    clientSecret = formData.get('client_secret')?.toString() || '';
  }

  if (!tokenToRevoke) {
    return this.createErrorResponse('invalid_request', 'Missing token parameter for revocation.');
  }

  if (!clientId) {
    return this.createErrorResponse('invalid_client', 'Client ID missing for revocation request.', 401);
  }

  const clientInfo = await this.getClient(env, clientId);
  if (!clientInfo) {
    return this.createErrorResponse('invalid_client', 'Client not found.', 401);
  }

  // Determine authentication requirements based on token endpoint auth method from Client
  const isPublicClient = clientInfo.tokenEndpointAuthMethod === 'none';

  // For confidential clients, validate the secret
  if (!isPublicClient) {
    if (!clientSecret) {
      return this.createErrorResponse('invalid_client', 'Client authentication failed: missing client_secret.', 401);
    }
    if (!clientInfo.clientSecret) {
      // This scenario implies a misconfigured client on the server side
      return this.createErrorResponse(
        'invalid_client',
        'Client authentication failed: client has no registered secret.',
        401
      );
    }

    const providedSecretHash = await hashSecret(clientSecret);
    if (providedSecretHash !== clientInfo.clientSecret) {
      return this.createErrorResponse('invalid_client', 'Client authentication failed: invalid client_secret.', 401);
    }
  }

  // For public clients, no secret validation is needed, as per OAuth 2.0.

  try {
    // Revoke the token using the OAuthHelpersImpl instance available in env.
    const oauthHelpers: OAuthHelpers = env.OAUTH_PROVIDER;

    // Call the new `revokeToken` method in `OAuthHelpersImpl`, which in turn
    // uses the existing `revokeGrant` logic.
    await oauthHelpers.revokeToken(tokenToRevoke);

    return new Response(null, { status: 200 });
  } catch (error) {
    console.error('Unexpected error during token revocation:', error);
    return this.createErrorResponse('server_error', 'An unexpected server error occurred during token revocation.', 500);
  }
}

revokeToken method:

async revokeToken(token: string): Promise<void> {
  // This `revokeToken` function acts as the entry point for explicit token revocation.
  // It needs to infer the `grantId` and `userId` from the `token` string to call the
  // existing `revokeGrant` method, which is the authoritative source for grant and token deletion.

  // Parse the token string. Our tokens have the format 'userId:grantId:secret'.
  const tokenParts = token.split(':');

  // If the token format does not match, it's either an invalid token for this provider,
  // Therefore, we simply complete the operation without throwing.
  if (tokenParts.length !== 3) {
    console.log('Revoke token: Invalid token format received, assuming unknown token.');
    return;
  }

  const [userId, grantId, _] = tokenParts; // Extract userId and grantId

  // Call the existing `revokeGrant` method. This method is already designed to
  // handle the deletion of the grant and all its associated tokens (both access
  // and refresh tokens, as per the semantic model's definition of refresh tokens
  // being part of the grant).
  // `revokeGrant` also adheres to RFC 7009's idempotency requirement: if the grant
  // (and thus the token) is not found, it completes successfully without error.
  await this.revokeGrant(grantId, userId);

  console.log(`Revocation attempt completed for grantId: ${grantId}.`);
}

And modify the handleMetadataDiscovery

Would this work?

[tommoor]

Considering this package is the backbone of all the remote mcp servers built on cloudflare it would be really good for this to work as spec.

[threepointone]

I'll have a look at this soon

[threepointone]

#62