Revocation service for JWT tokens issued by the Plan B OpenID Connect Provider.
(Planned) Features:
- Provide HTTP endpoint to revoke one or more JWT tokens
- Store revocation lists in Cassandra
- Provide HTTP endpoint for the Plan B Agent to periodically poll revocation lists (deltas since its last poll)
Build, run the tests and package the jar:

$ ./mvnw clean verify
$ ./mvnw clean package

Build the Docker image (scm-source writes the scm-source.json metadata file first):

$ sudo pip3 install scm-source
$ scm-source
$ docker build -t planb-revocation .
Run a development Cassandra node:
$ docker run --name dev-cassandra -d -p 9042:9042 cassandra:2.1
Insert the schema (cqlsh fails with a connection error if Cassandra has not finished booting; wait a few seconds and retry):
$ docker run -i --link dev-cassandra:cassandra --rm cassandra:2.1 cqlsh cassandra < schema.cql
General cqlsh access to your dev instance:
$ docker run -it --link dev-cassandra:cassandra --rm cassandra:2.1 cqlsh cassandra
cqlsh> DESCRIBE TABLE revocation.revocation; -- run some example query
Set up the following environment variables:
$ export TOKENINFO_URL=https://example.com/oauth2/tokeninfo # required for REST API
Run the application against your local Cassandra:
$ java -jar target/planb-revocation-1.0-SNAPSHOT.jar --cassandra.contactPoints="127.0.0.1"
Revoking tokens by "sub" claim:
$ tok=... # some valid token accepted by the configured TOKENINFO_URL and satisfying API_SECURITY_REVOKE_EXPR
$ curl -X POST \
-H "Authorization: Bearer $tok" \
-H 'Content-Type: application/json' \
-d '{"type": "CLAIM", "data": {"claims": {"sub": "jdoe"}}}' \
"http://localhost:8080/revocations"
Configuration is done via the following environment variables:

TOKENINFO_URL
- OAuth2 token info URL (can point to Plan B Token Info). Used to secure the /revocations REST endpoint.
CASSANDRA_CONTACT_POINTS
- Comma-separated list of Cassandra cluster IPs.
CASSANDRA_CLUSTER_NAME
- Cassandra cluster name.
API_SECURITY_REVOKE_EXPR
- Spring Security expression guarding the revoke endpoint, e.g. "#oauth2.hasScope('planb-revocation.write')".
REVOCATION_HASHING_SALT
- Salt shared with Plan B Token Info. Used for hashing tokens; both services must be configured with the same value so that their token hashes agree.
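The following Python script is an added example and not code from the Plan B Revocation project. It builds the CLAIM revocation body used in the curl call above and shows how a consumer such as the Plan B Agent could apply a fetched revocation list to a token it has already validated. Everything beyond the CLAIM request body shown on this page is an assumption made for illustration: the shape of entries in a polled revocation list, a TOKEN revocation type carrying a salted token hash, an issued_before cutoff, and SHA-256 over salt plus token as the construction behind REVOCATION_HASHING_SALT.

```python
"""Added example (not Plan B project code): build a CLAIM revocation and
apply a local revocation list to a JWT. Wire formats beyond the CLAIM
request body shown in the README are assumptions, marked below."""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test data: a JWT-shaped string with an empty signature.
    Never accept such tokens in production; they exist only so the checks
    below can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying it. The caller
    must already trust the token (e.g. validated via TOKENINFO_URL)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_claim_revocation(claims: dict) -> dict:
    """Request body for POST /revocations, as in the README's curl call."""
    if not claims:
        raise ValueError("refusing to build a revocation that matches every token")
    return {"type": "CLAIM", "data": {"claims": claims}}


def hash_token(token: str, salt: str) -> str:
    """Assumed construction: SHA-256 over salt || token, hex encoded. The
    real Plan B hashing scheme is not described on this page; what matters
    is that revocation service and Token Info use the same salt and algorithm."""
    return hashlib.sha256((salt + token).encode("utf-8")).hexdigest()


def is_revoked(token: str, revocations: list, salt: str) -> bool:
    """Apply a list of revocation entries to one token.

    Entry shapes (assumed for this example, not documented on the page):
      {"type": "CLAIM", "data": {"claims": {...}, "issued_before": <unix ts>}}
      {"type": "TOKEN", "data": {"token_hash": <hex>}}
    """
    claims = decode_jwt_payload(token)
    token_hash = hash_token(token, salt)
    for entry in revocations:
        data = entry.get("data", {})
        if entry.get("type") == "CLAIM":
            wanted = data.get("claims") or {}
            # An empty claim set would match every token; treat it as invalid.
            if not wanted:
                continue
            if all(claims.get(k) == v for k, v in wanted.items()):
                cutoff = data.get("issued_before")
                # Without a cutoff the entry also blocks tokens issued after
                # the revocation, i.e. the subject stays locked out until the
                # entry is removed.
                if cutoff is None or claims.get("iat", 0) < cutoff:
                    return True
        elif entry.get("type") == "TOKEN":
            expected = data.get("token_hash", "")
            if hmac.compare_digest(expected, token_hash):
                return True
    return False


if __name__ == "__main__":
    salt = "dev-salt"  # stands in for REVOCATION_HASHING_SALT
    jdoe = make_unsigned_jwt({"sub": "jdoe", "iat": 1000})
    alice = make_unsigned_jwt({"sub": "alice", "iat": 1000})
    revocations = [build_claim_revocation({"sub": "jdoe"})]
    print(json.dumps(revocations[0]))
    print("jdoe revoked:", is_revoked(jdoe, revocations, salt))
    print("alice revoked:", is_revoked(alice, revocations, salt))
```

An agent polling for deltas would append the newly fetched entries to its local list and run is_revoked on every request it authorizes. Two points worth noting in the checker: a claim-based revocation with no time bound also matches tokens issued later, so in practice the entry needs a cutoff (or must be removed once the subject may log in again), and token hashes are compared with a constant-time comparison because the list of hashes is itself sensitive material.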