title: Doorkeeper gem does not revoke tokens & uses wrong auth/auth method
Doorkeeper failed to implement OAuth 2.0 Token Revocation (RFC 7009) in the
1. Public clients making valid, unauthenticated calls to revoke a token
would not have their token revoked
2. Requests were not properly authenticating the *client credentials* but
were, instead, looking at the access token in a second location
3. Because of 2, the requests were also not authorizing confidential
clients' ability to revoke a given token. It should only revoke tokens
that belong to it.
The security implication is: OAuth 2.0 clients who "log out" a user expect
to have the corresponding access & refresh tokens revoked, preventing an
attacker who may have already hijacked the session from continuing to
impersonate the victim. Because of the bug described above, this is not the
case. As far as OWASP is concerned, this counts as broken authentication
MITRE has assigned CVE-2016-6582 due to the security issues raised. An
attacker, thanks to 1, can replay a hijacked session after a victim logs
out/revokes their token. Additionally, thanks to 2 & 3, an attacker via a
compromised confidential client could "grief" other clients by revoking
their tokens (albeit this is an exceptionally narrow attack with little
- "< 1.2.0"
- ">= 4.2.0"