
[Bug]: deleting oauth client does not delete the tokens given out by the client

Open individual-it opened this issue 3 years ago • 2 comments

⚠️ This issue respects the following points: ⚠️

  • [X] This is a bug, not a question or a configuration/webserver/proxy issue.
  • [X] This issue is not already reported on Github (I've searched it).
  • [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • [X] Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • [X] I agree to follow Nextcloud's Code of Conduct.

Bug description

After an OAuth client is deleted in NC, the tokens that it has given out are still valid and can be used for authentication.

We have encountered this issue while developing the OpenProject integration app. The only workaround we have found is to get all tokens of an OAuth client before deleting it and invalidate them one by one: https://github.com/nextcloud/integration_openproject/pull/261. But IMO it would be better if that happened automatically when the client gets deleted.

Steps to reproduce

  1. create an oauth client
  2. connect to NC using that oauth client
  3. delete the oauth client
  4. try to use the issued tokens to connect to NC

Expected behavior

tokens should be invalidated

Installation method

No response

Operating system

Debian/Ubuntu

PHP engine version

PHP 7.4

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • [X] Default user-backend (database)
  • [ ] LDAP/ Active Directory
  • [ ] SSO - SAML
  • [ ] Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "192.168.108.156",
            "host.docker.internal",
            "172.17.0.1",
            "192.168.10.29"
        ],
        "apps_paths": [
            {
                "path": "\/home\/artur\/www\/nextcloud-server\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/home\/artur\/www\/nextcloud-server\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "26.0.0.1",
        "overwrite.cli.url": "http:\/\/localhost\/nextcloud-server",
        "htaccess.RewriteBase": "\/nextcloud-server\/",
        "installed": true,
        "debug": true,
        "allow_local_remote_servers": true,
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "theme": "",
        "loglevel": 2,
        "maintenance": false,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_smtpport": "\u00fc\u00e4\u00fc\u00fc",
        "0": [
            [
                "localhost",
                11211
            ]
        ],
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        }
    }
}

List of activated Apps

Enabled:
  - activity: 2.18.0
  - cloud_federation_api: 1.9.0
  - comments: 1.16.0
  - contactsinteraction: 1.7.0
  - dashboard: 7.6.0
  - dav: 1.25.0
  - federatedfilesharing: 1.16.0
  - federation: 1.16.0
  - files: 1.21.1
  - files_sharing: 1.18.0
  - files_trashbin: 1.16.0
  - files_versions: 1.19.0
  - integration_openproject: 2.1.0
  - lookup_server_connector: 1.14.0
  - notifications: 2.14.0
  - oauth2: 1.14.0
  - provisioning_api: 1.16.0
  - settings: 1.8.0
  - sharebymail: 1.16.0
  - systemtags: 1.16.0
  - theming: 2.1.1
  - twofactor_backupcodes: 1.15.0
  - updatenotification: 1.16.0
  - user_status: 1.6.0
  - viewer: 1.10.0
  - weather_status: 1.6.0
  - workflowengine: 2.8.0
Disabled:
  - admin_audit
  - bruteforcesettings
  - encryption
  - files_external
  - testing
  - user_ldap

Nextcloud Signing status

Integrity checker has been disabled. Integrity cannot be verified.

Nextcloud Logs

No response

Additional info

No response

individual-it avatar Nov 10 '22 06:11 individual-it

When deleting the OAuth client, the tokens get deleted from oc_oauth2_access_tokens, but they are still present in oc_authtoken, and it looks to me like that is where the real authentication happens.

individual-it avatar Nov 11 '22 06:11 individual-it
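A constructed model of the two tables named in the comment above, showing the reported delete behaviour next to the per-token workaround described in the issue body. This is an added example, not Nextcloud's code; the column names (id, token_id, client_id, uid) and the sample rows are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the two tables named in the issue.
# The column names are assumptions about the schema, not taken from Nextcloud.
SCHEMA = """
CREATE TABLE oc_authtoken (id INTEGER PRIMARY KEY, uid TEXT, name TEXT);
CREATE TABLE oc_oauth2_access_tokens (
    id INTEGER PRIMARY KEY, token_id INTEGER, client_id INTEGER);
"""


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample data: client 1 issued two tokens, client 2 issued one.
    db.executemany("INSERT INTO oc_authtoken VALUES (?, ?, ?)",
                   [(10, "alice", "client1 login"), (11, "bob", "client1 login"),
                    (12, "alice", "client2 login")])
    db.executemany("INSERT INTO oc_oauth2_access_tokens VALUES (?, ?, ?)",
                   [(1, 10, 1), (2, 11, 1), (3, 12, 2)])
    return db


def token_ids_for_client(db, client_id):
    """Auth-token ids that a given OAuth client issued (the link rows)."""
    rows = db.execute("SELECT token_id FROM oc_oauth2_access_tokens "
                      "WHERE client_id = ? ORDER BY token_id", (client_id,))
    return [r[0] for r in rows]


def delete_client_as_reported(db, client_id):
    """Behaviour the issue reports: only the link rows are removed,
    the oc_authtoken rows that actually authenticate stay usable."""
    db.execute("DELETE FROM oc_oauth2_access_tokens WHERE client_id = ?",
               (client_id,))


def delete_client_with_workaround(db, client_id):
    """Workaround from the issue: snapshot the auth-token ids first,
    delete the client's link rows, then invalidate each auth token."""
    ids = token_ids_for_client(db, client_id)
    delete_client_as_reported(db, client_id)
    for token_id in ids:
        db.execute("DELETE FROM oc_authtoken WHERE id = ?", (token_id,))
    return ids


def still_valid(db, token_ids):
    """Post-deletion check: which of the snapshotted ids can still log in."""
    return [i for i in token_ids if db.execute(
        "SELECT 1 FROM oc_authtoken WHERE id = ?", (i,)).fetchone()]
```

The snapshot-then-check pattern in `still_valid` is the regression test an operator would run after deleting a client: an empty list means every token the client issued is gone.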

I've assigned myself and will try to create a fix

individual-it avatar Nov 11 '22 06:11 individual-it

I guess this is still open despite the merge of #35094 due to #37761 still being an open PR?

joshtrichards avatar Jul 09 '24 15:07 joshtrichards