44package consent
55
66import (
7- "context"
87 "encoding/json"
98 "net/http"
109 "net/url"
@@ -80,7 +79,6 @@ type revokeOAuth2ConsentSessions struct {
8079 // The subject whose consent sessions should be deleted.
8180 //
8281 // in: query
83- // required: true
8482 Subject string `json:"subject"`
8583
8684 // OAuth 2.0 Client ID
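Review bot: With `required: true` dropped from the `Subject` field (removed line 83), the remaining comment still reads as if the parameter were unconditional, so the generated API reference no longer tells callers when it may be omitted. I would extend the doc comment to state the new contract: `// Required unless 'consent_challenge_id' is given; the two are mutually exclusive.` The struct definition continues outside this hunk.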
@@ -90,6 +88,13 @@ type revokeOAuth2ConsentSessions struct {
9088 // in: query
9189 Client string `json:"client"`
9290
91+ // Consent Challenge ID
92+ //
93+ // If set, revoke all token chains derived from this particular consent request ID.
94+ //
95+ // in: query
96+ ConsentChallengeID string `json:"consent_challenge_id"`
97+
9398 // Revoke All Consent Sessions
9499 //
95100 // If set to `true` deletes all consent sessions by the Subject that have been granted.
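Review bot: The doc comment on the new `ConsentChallengeID` field (lines 91–96) does not mention that it cannot be combined with `subject` or `client`, although the handler in the same commit rejects those combinations with a 400; a caller reading only the generated API docs will not know this. I would add one line after the description: `// Mutually exclusive with 'subject' and 'client'.` The struct definition continues outside this hunk.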
@@ -119,14 +124,23 @@ type revokeOAuth2ConsentSessions struct {
119124func (h * Handler ) revokeOAuth2ConsentSessions (w http.ResponseWriter , r * http.Request , _ httprouter.Params ) {
120125 subject := r .URL .Query ().Get ("subject" )
121126 client := r .URL .Query ().Get ("client" )
127+ consentChallengeID := r .URL .Query ().Get ("consent_challenge_id" )
122128 allClients := r .URL .Query ().Get ("all" ) == "true"
123- if subject == "" {
124- h .r .Writer ().WriteError (w , r , errorsx .WithStack (fosite .ErrInvalidRequest .WithHint (`Query parameter 'subject' is not defined but should have been.` )))
129+ if subject == "" && consentChallengeID == "" {
130+ h .r .Writer ().WriteError (w , r , errorsx .WithStack (fosite .ErrInvalidRequest .WithHint (`Query parameter 'subject' or 'consent_challenge_id' are required.` )))
131+ return
132+ }
133+ if consentChallengeID != "" && subject != "" {
134+ h .r .Writer ().WriteError (w , r , errorsx .WithStack (fosite .ErrInvalidRequest .WithHint (`Query parameter 'subject' and 'consent_challenge_id' cannot be set at the same time.` )))
135+ return
136+ }
137+ if consentChallengeID != "" && client != "" {
138+ h .r .Writer ().WriteError (w , r , errorsx .WithStack (fosite .ErrInvalidRequest .WithHint (`Query parameter 'client' and 'consent_challenge_id' cannot be set at the same time.` )))
125139 return
126140 }
127141
128142 switch {
129- case len ( client ) > 0 :
143+ case client != "" :
130144 if err := h .r .ConsentManager ().RevokeSubjectClientConsentSession (r .Context (), subject , client ); err != nil && ! errors .Is (err , x .ErrNotFound ) {
131145 h .r .Writer ().WriteError (w , r , err )
132146 return
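Review bot: The new guards on lines 129–138 reject `consent_challenge_id` together with `subject` and with `client`, but not together with `all`, which is still parsed on line 128. Judging from the `events.Trace(..., WithSubject(subject))` that closes a case immediately before the new `consentChallengeID` case in the next hunk, an `all`-clients case appears to precede it in the switch, so a request such as `?consent_challenge_id=X&all=true` would take that branch with an empty subject instead of revoking by challenge ID — I cannot confirm this from the hidden lines, but the ordering makes it likely. I would add a third guard mirroring the others: `if consentChallengeID != "" && allClients { h.r.Writer().WriteError(w, r, errorsx.WithStack(fosite.ErrInvalidRequest.WithHint(`Query parameter 'all' and 'consent_challenge_id' cannot be set at the same time.`))); return }`, or alternatively move the `consentChallengeID` case to the top of the switch. The switch and the rest of the handler continue outside this hunk.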
@@ -138,6 +152,12 @@ func (h *Handler) revokeOAuth2ConsentSessions(w http.ResponseWriter, r *http.Req
138152 return
139153 }
140154 events .Trace (r .Context (), events .ConsentRevoked , events .WithSubject (subject ))
155+ case consentChallengeID != "" :
156+ if err := h .r .ConsentManager ().RevokeConsentSessionByID (r .Context (), consentChallengeID ); err != nil && ! errors .Is (err , x .ErrNotFound ) {
157+ h .r .Writer ().WriteError (w , r , err )
158+ return
159+ }
160+ return
141161 default :
142162 h .r .Writer ().WriteError (w , r , errorsx .WithStack (fosite .ErrInvalidRequest .WithHint (`Query parameter both 'client' and 'all' is not defined but one of them should have been.` )))
143163 return
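Review bot: The new `consentChallengeID` case (lines 155–160) returns on success without emitting `events.ConsentRevoked`, unlike the sibling branch that ends on line 154, so a revocation by challenge ID leaves no audit trace — an unwelcome gap for an operation that invalidates token chains. The unconditional `return` on line 160 also skips whatever follows the switch, which the other branches fall through to (presumably the success response; I cannot see it from here), so this branch likely answers with a different status than the others. I would drop the early `return` so the case falls through like its siblings, and add `events.Trace(r.Context(), events.ConsentRevoked)` before it; since no subject is resolved in this branch, `WithSubject` cannot be used unless `RevokeConsentSessionByID` is changed to return the affected subject. The enclosing handler starts and ends outside this hunk.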
@@ -479,7 +499,7 @@ func (h *Handler) acceptOAuth2LoginRequest(w http.ResponseWriter, r *http.Reques
479499 }
480500 handledLoginRequest .RequestedAt = loginRequest .RequestedAt
481501
482- f , err := h . decodeFlowWithClient (ctx , challenge , flowctx .AsLoginChallenge )
502+ f , err := flowctx . Decode [flow. Flow ] (ctx , h . r . FlowCipher () , challenge , flowctx .AsLoginChallenge )
483503 if err != nil {
484504 h .r .Writer ().WriteError (w , r , err )
485505 return
@@ -579,11 +599,12 @@ func (h *Handler) rejectOAuth2LoginRequest(w http.ResponseWriter, r *http.Reques
579599 return
580600 }
581601
582- f , err := h . decodeFlowWithClient (ctx , challenge , flowctx .AsLoginChallenge )
602+ f , err := flowctx . Decode [flow. Flow ] (ctx , h . r . FlowCipher () , challenge , flowctx .AsLoginChallenge )
583603 if err != nil {
584604 h .r .Writer ().WriteError (w , r , err )
585605 return
586606 }
607+
587608 request , err := h .r .ConsentManager ().HandleLoginRequest (ctx , f , challenge , & flow.HandledLoginRequest {
588609 Error : & p ,
589610 ID : challenge ,
@@ -765,11 +786,12 @@ func (h *Handler) acceptOAuth2ConsentRequest(w http.ResponseWriter, r *http.Requ
765786 p .RequestedAt = cr .RequestedAt
766787 p .HandledAt = sqlxx .NullTime (time .Now ().UTC ())
767788
768- f , err := h . decodeFlowWithClient (ctx , challenge , flowctx .AsConsentChallenge )
789+ f , err := flowctx . Decode [flow. Flow ] (ctx , h . r . FlowCipher () , challenge , flowctx .AsConsentChallenge )
769790 if err != nil {
770791 h .r .Writer ().WriteError (w , r , err )
771792 return
772793 }
794+
773795 hr , err := h .r .ConsentManager ().HandleConsentRequest (ctx , f , & p )
774796 if err != nil {
775797 h .r .Writer ().WriteError (w , r , errorsx .WithStack (err ))
@@ -872,7 +894,7 @@ func (h *Handler) rejectOAuth2ConsentRequest(w http.ResponseWriter, r *http.Requ
872894 return
873895 }
874896
875- f , err := h . decodeFlowWithClient (ctx , challenge , flowctx .AsConsentChallenge )
897+ f , err := flowctx . Decode [flow. Flow ] (ctx , h . r . FlowCipher () , challenge , flowctx .AsConsentChallenge )
876898 if err != nil {
877899 h .r .Writer ().WriteError (w , r , err )
878900 return
@@ -1048,12 +1070,3 @@ func (h *Handler) getOAuth2LogoutRequest(w http.ResponseWriter, r *http.Request,
10481070
10491071 h .r .Writer ().Write (w , r , request )
10501072}
1051-
1052- func (h * Handler ) decodeFlowWithClient (ctx context.Context , challenge string , opts ... flowctx.CodecOption ) (* flow.Flow , error ) {
1053- f , err := flowctx .Decode [flow.Flow ](ctx , h .r .FlowCipher (), challenge , opts ... )
1054- if err != nil {
1055- return nil , err
1056- }
1057-
1058- return f , nil
1059- }