invalid_request error using revocation endpoint for OIDC configuration

Article ID: 226857


Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

An HTTP GET request is made to the OIDC revocation endpoint, https://<AG Server>.example.com/affwebservices/CASSO/oidc/sample_client/revoke
The response is:
{"error": "invalid_request","error_description":"GET request is not allowed."}

Environment

Release : 12.8

Component : SITEMINDER FEDERATION END POINT

Cause

The token revocation standard that OIDC providers follow, RFC 7009 (OAuth 2.0 Token Revocation), stipulates:
https://datatracker.ietf.org/doc/html/rfc7009

"The client requests the revocation of a particular token by making an
 HTTP POST request to the token revocation endpoint URL.  This URL
 MUST conform to the rules given in [RFC6749], Section 3.1.  Clients
 MUST verify that the URL is an HTTPS URL.
"

Passing the input parameters (the token and its type hint, plus the client credentials) in the body of a POST is also the more secure choice: with a GET the token would sit in the query string, where it is written to web server, proxy and browser logs and can leak through the Referer header.

In SiteMinder, as with most other vendors, the revocation endpoint URL therefore accepts only HTTP POST.

The SiteMinder documentation has examples of the POST request:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/use-siteminder-as-openid-connect-provider/authentication-using-authorization-code-flow.html#concept.dita_00b756e30ce1599f89d9e9fb3e45f0491a4234e4_RevocationTokenEndpoint

Resolution

The solution is to ask the application owner to send an HTTP POST request (with the token in the form-encoded body and the client authenticated as described in the documentation) to the revocation endpoint URL instead of a GET.
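The following is an added example, not SiteMinder code or code from this article, that reproduces the exchange above end to end. It runs a small mock of the revocation endpoint on localhost that behaves the way the article describes (GET rejected with the same JSON error, POST processed) and an RFC 7009 client that first sends the wrong GET and then the correct POST. The client credentials, the HTTP Basic client authentication, the local port and the token value are constructed assumptions for the demo; the exact parameters SiteMinder expects are in the linked documentation.

```python
"""Mock of the revocation endpoint behaviour described above plus an RFC 7009
client. Constructed example; credentials, port and token are assumptions."""
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

# Constructed client credentials for the demo (assumption, not real values).
CLIENT_ID = "sample_client"
CLIENT_SECRET = "s3cret"
REVOKED = set()  # tokens the mock endpoint has revoked


class RevocationHandler(BaseHTTPRequestHandler):
    """Mimics the observed behaviour: GET is rejected, POST is processed."""

    def _send_json(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # The exact error body quoted in the article.
        self._send_json(400, {"error": "invalid_request",
                              "error_description": "GET request is not allowed."})

    def do_POST(self):
        # RFC 7009 s2.1: the client must authenticate; HTTP Basic (RFC 6749
        # s2.3.1) is assumed here for the demo.
        expected = "Basic " + base64.b64encode(
            f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        if self.headers.get("Authorization") != expected:
            return self._send_json(401, {"error": "invalid_client"})
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        if "token" not in form:
            return self._send_json(400, {"error": "invalid_request",
                                         "error_description": "token parameter missing"})
        REVOKED.add(form["token"][0])
        # RFC 7009 s2.2: answer 200 whether or not the token was valid, so the
        # response does not reveal token state to a caller.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def revoke_token(url, token, client_id, client_secret, method="POST",
                 token_type_hint="access_token", allow_insecure_http=False):
    """Send a revocation request; returns (status, parsed JSON body or None)."""
    # RFC 7009 s2: clients MUST verify the endpoint is an HTTPS URL. The
    # override exists only so the localhost demo can run without TLS.
    if urlsplit(url).scheme != "https" and not allow_insecure_http:
        raise ValueError("revocation endpoint must be an https URL")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds}
    data = None
    if method == "POST":
        # Parameters travel in the form-encoded body, not the query string,
        # so the token never lands in access logs, proxies or browser history.
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        data = urlencode({"token": token, "token_type_hint": token_type_hint}).encode()
    req = Request(url, data=data, headers=headers, method=method)
    try:
        with urlopen(req, timeout=5) as resp:
            raw = resp.read()
            return resp.status, json.loads(raw) if raw else None
    except HTTPError as e:
        raw = e.read()
        return e.code, json.loads(raw) if raw else None


def run_demo():
    """Start the mock endpoint, send GET then POST, return both results."""
    server = HTTPServer(("127.0.0.1", 0), RevocationHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = (f"http://127.0.0.1:{server.server_address[1]}"
           "/affwebservices/CASSO/oidc/sample_client/revoke")
    try:
        wrong = revoke_token(url, "tok123", CLIENT_ID, CLIENT_SECRET,
                             method="GET", allow_insecure_http=True)
        right = revoke_token(url, "tok123", CLIENT_ID, CLIENT_SECRET,
                             method="POST", allow_insecure_http=True)
    finally:
        server.shutdown()
        server.server_close()
    return {"get": wrong, "post": right, "revoked": "tok123" in REVOKED}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the block shows the GET answered with status 400 and the invalid_request error, and the POST answered with an empty 200. Two points worth keeping from the client side: the HTTPS check is mandatory in RFC 7009 and should not be relaxed outside a local test, and a 200 from the real endpoint does not confirm the token existed, only that the request was well formed and the client authenticated.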

Additional Information

https://datatracker.ietf.org/doc/html/rfc7009

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/use-siteminder-as-openid-connect-provider/authentication-using-authorization-code-flow.html#concept.dita_00b756e30ce1599f89d9e9fb3e45f0491a4234e4_RevocationTokenEndpoint