From e39b6ca8bb24de71beb1a3d9b37521d166d44f2c Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Sat, 7 Oct 2023 16:17:40 +0200
Subject: [PATCH] Fix revokation of token on logout

In OAuth 2.0, you don't authenticate with the revocation endpoint using the token you are revoking, but rather the OAuth client credentials.
---
 snikket_web/prosodyclient.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/snikket_web/prosodyclient.py b/snikket_web/prosodyclient.py
index 5ef9d83..a5ba1a8 100644
--- a/snikket_web/prosodyclient.py
+++ b/snikket_web/prosodyclient.py
@@ -1162,7 +1162,6 @@ class ProsodyClient:
 self._raise_error_from_response(resp)
 return True
- @autosession
 async def revoke_token( self, *,
@@ -1176,7 +1175,8 @@ class ProsodyClient:
 async def logout(self) -> None:
 try:
- await self.revoke_token()
+ async with self._plain_session as session:
+ await self.revoke_token(session=session)
 except aiohttp.ClientError: self.logger.warn("failed to revoke token!", exc_info=True)
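Review bot: In `logout`, the `except aiohttp.ClientError` around the new `async with self._plain_session` block does not catch `asyncio.TimeoutError`, which aiohttp raises when a request's total timeout expires and which is not a `ClientError`. A stalled revocation endpoint would therefore propagate out of `logout` instead of taking the logged best-effort path. The rest of `logout` lies outside the hunk, so whether local session cleanup would then be skipped cannot be confirmed from here. I would widen the handler to `except (aiohttp.ClientError, asyncio.TimeoutError):`, provided `asyncio` is imported in this module, and use `self.logger.warning(...)` since `warn` is a deprecated alias. Because a failed revocation is only logged, the token stays valid server-side until it expires, so it is worth a short comment stating that this is an accepted trade-off.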