From d0ca89887ade2d0e066111525a61efaa8f6e1ee7 Mon Sep 17 00:00:00 2001
From: Jusshersmith
Date: Mon, 24 Jun 2019 10:20:05 +0100
Subject: [PATCH] sso_auth: fix okta revoke endpoint
- Fix client authorisation
- Revoke refresh token, implicitly revoking access token as well
---
 internal/auth/providers/okta.go | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/internal/auth/providers/okta.go b/internal/auth/providers/okta.go
index dafda9df..09d05c70 100644
--- a/internal/auth/providers/okta.go
+++ b/internal/auth/providers/okta.go
@@ -413,20 +413,25 @@ func (p *OktaProvider) RefreshAccessToken(refreshToken string) (token string, ex
 return
 }
-// Revoke revokes the access token a given session state.
+// Revoke revokes the refresh token from a given session state.
+// Revoking the refresh token implicitly revokes the access token, forcing re-authentication.
+// https://developer.okta.com/docs/guides/revoke-tokens/overview/
 func (p *OktaProvider) Revoke(s *sessions.SessionState) error {
 // https://developer.okta.com/docs/api/resources/oidc/#revoke
- params := url.Values{}
- params.Add("client_id", p.ClientID)
- params.Add("token", s.AccessToken)
- err := p.oktaRequest("POST", p.RevokeURL.String(), params, []string{"action:revoke"}, nil, nil)
+ form := url.Values{}
+ form.Add("token", s.RefreshToken)
+ form.Add("token_type_hint", "refresh_token")
+ form.Add("client_id", p.ClientID)
+ form.Add("client_secret", p.ClientSecret)
+
+ err := p.oktaRequest("POST", p.RevokeURL.String(), form, []string{"action:revoke"}, nil, nil)
 if err != nil && err != ErrTokenRevoked {
 return err
 }
 logger := log.NewLogEntry()
- logger.WithUser(s.Email).Info("revoked access token")
+ logger.WithUser(s.Email).Info("revoked refresh and access token")
 return nil
 }
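Review bot: The rewritten Revoke posts `s.RefreshToken` unconditionally, so a session that carries no refresh token sends an empty `token` value; revocation endpoints following RFC 7009 answer 200 for unknown tokens, so `oktaRequest` would presumably return nil and the log line would then report "revoked refresh and access token" while the access token is still live. Guard at the top of the body, `if s.RefreshToken == "" { return errors.New("okta revoke: session has no refresh token") }` (adding the `errors` import if the file lacks it), or alternatively fall back to revoking `s.AccessToken` with `token_type_hint=access_token` so at least the access token is invalidated. Since `client_secret` now travels in the form body, it is also worth confirming that `oktaRequest`, whose implementation is outside this hunk, does not echo the form values into error messages or logs.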