This repository has been archived by the owner on Nov 5, 2019. It is now read-only.

Revoking with the access token throws a TokenRevokeError #132

Closed
gzog opened this issue Feb 15, 2015 · 1 comment · Fixed by #134

gzog commented Feb 15, 2015

The program tries to revoke the access and refresh tokens of a Google Analytics service.
The error occurs in credentials.revoke(), in the following snippet of code:

```python
import httplib2
# Django imports assumed from the names used in the view below
from django.contrib import auth
from django.http import HttpResponse
from django.views.decorators.http import require_GET


@require_GET
def logout(request):
    if request.app_user:
        from oauth2client.client import Credentials
        credentials = Credentials.new_from_json(request.app_user['credentials_json'])
        if not credentials.refresh_token:
            try:
                credentials.revoke(httplib2.Http())
            except Exception:
                # If credentials.revoke() doesn't work for some reason
                # use a plain http request as a fallback
                import requests
                response = requests.get(
                    credentials.revoke_uri + '?token=' + credentials.access_token)
        auth.logout(request)
        return HttpResponse()
    else:
        return HttpResponse(status=401)
```

The credentials.access_token is set and valid, and the credentials.refresh_token is set to None.
The credentials.revoke() call causes a TokenRevokeError, but when I do the same thing using the requests library, it works perfectly.

```python
requests.get(credentials.revoke_uri + '?token=' + credentials.access_token)
```

To better understand what I'm saying, here is a screenshot of when the above snippet gets executed:
[Screenshot: oauth2client-revoke-error]

@craigcitro (Contributor)

yep, it looks like the code only uses the refresh token for revocation -- we need to fall back to the access token if the refresh token isn't available.

craigcitro added a commit to craigcitro/oauth2client that referenced this issue Feb 17, 2015
According to the [OAuth2
docs](https://developers.google.com/accounts/docs/OAuth2WebServer#tokenrevoke),
we can use either the refresh token or access token when revoking a token. If
we've lost the refresh token for some reason, we should fall back to revoking
via access token. (Note that if the access token has expired, this will still
raise, which is the correct behavior.)

Fixes googleapis#132.
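The fallback discussed in this thread, as an added example that is not oauth2client's code or the code from the linked commit: prefer the refresh token, fall back to the access token, and still raise when the endpoint rejects the token. The names `pick_token`, `build_revoke_url`, `revoke`, the local `TokenRevokeError` class, the endpoint URL and the token value are all hypothetical or constructed; the token is percent-encoded rather than concatenated raw, so characters such as `+` and `/` reach the endpoint unchanged.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class TokenRevokeError(Exception):
    """Local stand-in for the error named in the issue (not oauth2client's class)."""


def pick_token(refresh_token, access_token):
    """Prefer the refresh token; fall back to the access token if it is missing."""
    token = refresh_token or access_token
    if not token:
        raise TokenRevokeError("no refresh or access token available to revoke")
    return token


def build_revoke_url(revoke_uri, token):
    """Append the token as a percent-encoded query parameter."""
    parts = urlsplit(revoke_uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("token", token)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def revoke(revoke_uri, refresh_token, access_token, http_get):
    """http_get(url) -> HTTP status code; injected so the example runs offline."""
    url = build_revoke_url(revoke_uri, pick_token(refresh_token, access_token))
    status = http_get(url)
    if status != 200:
        # An expired or already revoked token still raises, as the commit notes.
        raise TokenRevokeError("revocation endpoint returned HTTP %d" % status)
    return url


# Constructed sample data: a fake endpoint that knows one live access token.
REVOKE_URI = "https://auth.example.test/o/oauth2/revoke"
LIVE_TOKENS = {"ya29.constructed+access/token"}


def fake_http_get(url):
    token = dict(parse_qsl(urlsplit(url).query)).get("token")
    if token in LIVE_TOKENS:
        LIVE_TOKENS.discard(token)
        return 200
    return 400  # unknown, expired or already revoked


if __name__ == "__main__":
    print(revoke(REVOKE_URI, None, "ya29.constructed+access/token", fake_http_get))
```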
craigcitro added a commit to craigcitro/oauth2client that referenced this issue Mar 17, 2015