Plan B Revocation Service for JWT tokens

Plan B Revocation Service


Revocation service for JWT tokens issued by the Plan B OpenID Connect Provider.

(Planned) Features:

  • Provide HTTP endpoint to revoke one or more JWT tokens
  • Store revocation lists in Cassandra
  • Provide HTTP endpoint to the Plan B Agent in order to periodically poll for revocation lists (deltas).

Building

$ ./mvnw clean verify

Docker Image

$ ./mvnw clean package
$ sudo pip3 install scm-source
$ scm-source
$ docker build -t planb-revocation .

Setting up Local Dev Environment

Run a development Cassandra node:

$ docker run --name dev-cassandra -d -p 9042:9042 cassandra:2.1

Insert schema (you might need to wait a few seconds for Cassandra to boot):

$ docker run -i --link dev-cassandra:cassandra --rm cassandra:2.1 cqlsh cassandra < schema.cql

General cqlsh access to your dev instance:

$ docker run -it --link dev-cassandra:cassandra --rm cassandra:2.1 cqlsh cassandra
  cqlsh> DESCRIBE TABLE revocation.revocation; -- run some example query

Set up the following environment variables:

$ export TOKENINFO_URL=https://example.com/oauth2/tokeninfo  # required for REST API

Run the application against your local Cassandra:

$ java -jar target/planb-revocation-1.0-SNAPSHOT.jar --cassandra.contactPoints="127.0.0.1"

Testing the Endpoints

Revoking tokens by "sub" claim:

$ tok=... # some valid token accepted by the configured TOKENINFO_URL
$ curl -X POST \
     -H "Authorization: Bearer $tok" \
     -H 'Content-Type: application/json' \
     -d '{"type": "CLAIM", "data": {"claims": {"sub": "jdoe"}}}' \
     "http://localhost:8080/revocations"
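A request like the one above revokes every token whose claims match the given set. As an added example that is not part of planb-revocation, the following shows how a consumer such as the Plan B Agent could apply a fetched list of such CLAIM revocations to a token; the list layout and the unsigned fixture token are assumptions for illustration, and signature verification is deliberately left to the caller.

```python
import base64
import json
from typing import Any, Dict, Iterable

# Constructed sample revocation list, shaped like the request body in
# "Testing the Endpoints". The list layout is an assumption for this example.
SAMPLE_REVOCATIONS = [
    {"type": "CLAIM", "data": {"claims": {"sub": "jdoe"}}},
    {"type": "CLAIM", "data": {"claims": {"sub": "alice", "realm": "/employees"}}},
]


def decode_jwt_payload(token: str) -> Dict[str, Any]:
    """Return the claims of a compact JWT without checking its signature.
    Callers must verify the signature before trusting these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_revocation_matches(revocation: Dict[str, Any], claims: Dict[str, Any]) -> bool:
    """A CLAIM revocation hits only when every claim it names is present in the
    token with the same value; a revocation naming no claims must not match everything."""
    if revocation.get("type") != "CLAIM":
        return False  # other revocation types are out of scope for this example
    wanted = revocation.get("data", {}).get("claims", {})
    if not wanted:
        return False
    return all(k in claims and claims[k] == v for k, v in wanted.items())


def is_revoked(token: str, revocations: Iterable[Dict[str, Any]]) -> bool:
    """True if any revocation in the already fetched list covers this token."""
    claims = decode_jwt_payload(token)
    return any(claim_revocation_matches(r, claims) for r in revocations)


def make_sample_token(claims: Dict[str, Any]) -> str:
    """Constructed, unsigned fixture token for the demo (empty signature part)."""
    def b64(obj: Any) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    for c in ({"sub": "jdoe"}, {"sub": "alice", "realm": "/services"},
              {"sub": "alice", "realm": "/employees"}, {"sub": "bob"}):
        print(c, "revoked" if is_revoked(make_sample_token(c), SAMPLE_REVOCATIONS) else "valid")
```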

Configuration

TOKENINFO_URL
OAuth2 token info URL (can point to Plan B Token Info); used to secure the /revocations REST endpoint.
CASSANDRA_CONTACT_POINTS
Comma-separated list of Cassandra cluster IPs.
CASSANDRA_CLUSTER_NAME
Cassandra cluster name.
API_SECURITY_REVOKE_EXPR
Spring security expression, e.g. "#oauth2.hasScope('planb-revocation.write')"
REVOCATION_HASHING_SALT
Salt shared with Plan B Token Info. Used for hashing tokens for the Plan B Token Info.