The Wayback Machine - https://web.archive.org/web/20221110092614/https://github.com/ory/hydra/issues/2350
Response code 404 not defined in swagger spec for /oauth2/revoke #2350

Closed
Crevil opened this issue Feb 11, 2021 · 6 comments
Labels
bug Something is not working. good first issue A good issue to tackle when being a novice to the project. help wanted We are looking for help on this one.

@Crevil

Crevil commented Feb 11, 2021

Describe the bug

Thank you for a great project and documentation. I ran into a bug (I think) while playing with the 5 minute tutorial.

When revoking an access token that is not found, the hydra server returns a 404 response, but this is not a defined response in the swagger specification. This leads to an error like "response status code does not match any response statuses defined for this endpoint" instead of just indicating that the token was not found (or whatever makes sense to disclose security wise).

Reproducing the bug

Start hydra

$ git clone https://github.com/ory/hydra.git
$ cd hydra

# start hydra
$ docker-compose -f quickstart.yml \
    -f quickstart-postgres.yml \
    up --build

In a new terminal revoke any fake token value.

$ docker-compose -f quickstart.yml exec hydra \
  hydra token revoke \
    --endpoint http://127.0.0.1:4445/ \
    --client-id my-client \
    --client-secret secret \
    a-value

The request failed with the following error message:

response status code does not match any response statuses defined for this endpoint in the swagger spec (status 404): {resp:0xc000932090}

Server logs

hydra_1          | time=2021-02-11T10:48:07Z level=info msg=started handling request http_request=map[headers:map[accept:application/json accept-encoding:gzip authorization:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". user-agent:Go-http-client/1.1] host:127.0.0.1:4445 method:POST path:/oauth2/revoke query:<nil> remote:127.0.0.1:34420 scheme:http]
hydra_1          | time=2021-02-11T10:48:07Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json accept-encoding:gzip authorization:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". user-agent:Go-http-client/1.1] host:127.0.0.1:4445 method:POST path:/oauth2/revoke query:<nil> remote:127.0.0.1:34420 scheme:http] http_response=map[status:404 text_status:Not Found took:176.4µs]

Server configuration

From contrib/quickstart/5-min/hydra.yml

serve:
  cookies:
    same_site_mode: Lax

urls:
  self:
    issuer: http://127.0.0.1:4444
  consent: http://127.0.0.1:3000/consent
  login: http://127.0.0.1:3000/login
  logout: http://127.0.0.1:3000/logout

secrets:
  system:
    - youReallyNeedToChangeThis

oidc:
  subject_identifiers:
    supported_types:
      - pairwise
      - public
    pairwise:
      salt: youReallyNeedToChangeThis

Expected behavior

Expected no error but instead just an acknowledgement of the revocation.

Environment

  • Version:
$ docker-compose -f quickstart.yml exec hydra \
  hydra version
Version:    v1.9.2
Git Hash:   f0580e2581e202ec7299f45822db37228228aee9
Build Time: 2021-01-29T15:02:55Z
  • Environment: Docker on macOS
@aeneasr
Member

aeneasr commented Feb 12, 2021

Thank you for the report, PRs and fixes appreciated!

@aeneasr aeneasr assigned aeneasr and Benehiko and unassigned aeneasr Feb 12, 2021
@aeneasr aeneasr added bug Something is not working. docs good first issue A good issue to tackle when being a novice to the project. help wanted We are looking for help on this one. labels Feb 12, 2021
@Benehiko
Member

Benehiko commented Feb 12, 2021

The server endpoint specified is incorrect in your command to hydra token revoke. Instead of http://127.0.0.1:4445/ just make it http://127.0.0.1:4444/.

docker-compose -f quickstart.yml exec hydra \
  hydra token revoke \
  --endpoint http://127.0.0.1:4444/ \
  --client-id my-client \
  --client-secret secret \
  a-value
Revoked OAuth 2.0 Access Token: a-value

Hydra server logs:

hydra_1          | time=2021-02-12T12:14:56Z level=info msg=started handling request http_request=map[headers:map[accept:application/json accept-encoding:gzip authorization:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". user-agent:Go-http-client/1.1] host:127.0.0.1:4444 method:POST path:/oauth2/revoke query:<nil> remote:127.0.0.1:56522 scheme:http]
hydra_1          | time=2021-02-12T12:14:56Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json accept-encoding:gzip authorization:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". user-agent:Go-http-client/1.1] host:127.0.0.1:4444 method:POST path:/oauth2/revoke query:<nil> remote:127.0.0.1:56522 scheme:http] http_response=map[status:200 text_status:OK took:151.791401ms]
@Crevil
Author

Crevil commented Feb 12, 2021

Ah, that is my mistake, I must have misunderstood the help texts.

Is there anything to do on the admin server then? I guess 404 makes sense if the endpoint is unknown to the admin server, but the swagger spec does not allow that.

@Benehiko
Member

Benehiko commented Feb 12, 2021

That's alright, the five minute guide might not be too clear on which command requires which endpoint - admin or public. Will need to look at making it more clear.

Yes, the admin endpoints are used for a couple of things, here is the documentation for the admin endpoints:

Regarding the swagger spec - @aeneasr ?

Just for extra clarification, the server runs two endpoints, one being public (4444) and the other admin (4445).

Here is the documentation specifying where the revoke endpoint is mounted to.
https://www.ory.sh/hydra/docs/reference/api/#revoke-oauth2-tokens

@Crevil
Author

Crevil commented Feb 12, 2021

The reference API documentation actually explains it pretty well, I think. I used the hydra cli, which states the following.

$ hydra token revoke -h
Revoke an access or refresh token

Usage:
  hydra token revoke <token> [flags]

Flags:
      --client-id string       Use the provided OAuth 2.0 Client ID, defaults to environment variable OAUTH2_CLIENT_ID
      --client-secret string   Use the provided OAuth 2.0 Client Secret, defaults to environment variable OAUTH2_CLIENT_SECRET
      --endpoint string        Set the URL where ORY Hydra is hosted, defaults to environment variable HYDRA_URL
  -h, --help                   help for revoke

Global Flags:
      --fail-after duration    Stop retrying after the specified duration (default 1m0s)
      --fake-tls-termination   fake tls termination by adding "X-Forwarded-Proto: https" to http headers
      --skip-tls-verify        Foolishly accept TLS certificates signed by unknown certificate authorities

For some reason I thought to myself that revocation would be an admin concern, but with the reference docs it is pretty clear that it is a client concern. 👍

@aeneasr
Member

aeneasr commented Feb 12, 2021

Thank you for clearing that up! We generally have a problem with the swagger responses in the CLI commands. The problem is that unspecified error codes (such as 404 - see example), or error responses which are not JSON but instead text (the default httprouter 404 handler in go just prints 404 Not Found) will cause the CLI to respond with gibberish.

This has led to several bug reports in the past while actually the problem was a bad error response.

Maybe you have some ideas how we could improve this?
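
As an added example (not Hydra's or ORY's code, and not what the `hydra token revoke` CLI actually does), here is a small Go revocation client that handles the two failure modes described in the comment above: a status code the spec does not list (the 404 from the admin port), and an error body that is plain text rather than JSON (a router's default "404 page not found"). The helper reports the status and body as-is instead of the opaque "status does not match" error the swagger-generated client produces. `RevokeToken`, `NewDemoServer`, the `my-client`/`secret` credentials and the `/admin/oauth2/revoke` path are assumptions constructed for this example; the demo server stands in for the public and admin ports from the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// RevokeResult is the classified outcome of a revocation call.
// (Constructed for this example; not a Hydra type.)
type RevokeResult struct {
	Status      int
	Revoked     bool
	ErrorCode   string // "error" field of a JSON error body, if the server sent one
	ErrorReason string // "error_description", or the raw text body for non-JSON errors
}

// RevokeToken sends an RFC 7009 revocation request and classifies the reply.
// 200 means revoked. Any other status is surfaced together with its body, so a
// wrong endpoint shows up as "404 Not Found: 404 page not found" rather than
// as an opaque "status does not match" error.
func RevokeToken(client *http.Client, endpoint, clientID, clientSecret, token string) (RevokeResult, error) {
	form := url.Values{"token": {token}}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return RevokeResult{}, err
	}
	req.SetBasicAuth(clientID, clientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Accept", "application/json")

	resp, err := client.Do(req)
	if err != nil {
		return RevokeResult{}, err
	}
	defer resp.Body.Close()
	// Bound the body read so a misbehaving server cannot make the client buffer without limit.
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	if err != nil {
		return RevokeResult{}, err
	}

	res := RevokeResult{Status: resp.StatusCode}
	if resp.StatusCode == http.StatusOK {
		res.Revoked = true
		return res, nil
	}

	// Only decode the body as JSON when the server declares it as JSON; a
	// plain-text 404 from a router's default handler must never reach the decoder.
	ct, _, _ := mime.ParseMediaType(resp.Header.Get("Content-Type"))
	if ct == "application/json" {
		var e struct {
			Error       string `json:"error"`
			Description string `json:"error_description"`
		}
		if json.Unmarshal(body, &e) == nil && e.Error != "" {
			res.ErrorCode, res.ErrorReason = e.Error, e.Description
			return res, fmt.Errorf("revocation failed (%d): %s: %s", resp.StatusCode, e.Error, e.Description)
		}
	}
	res.ErrorReason = strings.TrimSpace(string(body))
	return res, fmt.Errorf("revocation failed: unexpected status %d %s from %s: %q",
		resp.StatusCode, http.StatusText(resp.StatusCode), endpoint, res.ErrorReason)
}

// NewDemoServer is a stand-in (constructed for this example) for the two
// behaviours seen in the thread: /oauth2/revoke answers like the public port,
// returning 200 for a valid client and a JSON 401 otherwise; every other path
// falls through to the mux's plain-text 404, like the admin port did.
func NewDemoServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/revoke", func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != "my-client" || secret != "secret" {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{
				"error": "invalid_client", "error_description": "Client authentication failed.",
			})
			return
		}
		w.WriteHeader(http.StatusOK) // RFC 7009: 200 even when the token is unknown
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewDemoServer()
	defer srv.Close()
	for _, ep := range []string{srv.URL + "/oauth2/revoke", srv.URL + "/admin/oauth2/revoke"} {
		res, err := RevokeToken(srv.Client(), ep, "my-client", "secret", "a-value")
		fmt.Printf("%s -> status=%d revoked=%v err=%v\n", ep, res.Status, res.Revoked, err)
	}
}
```

The design point is the content-type gate: a generated client that assumes every non-200 body is the JSON error schema will produce garbage for a text 404, whereas checking the declared media type first and falling back to the trimmed raw body keeps the status and message intact for the user and for logs.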

@github-actions github-actions bot removed the docs label Jan 6, 2022
@aeneasr aeneasr added this to the v2.0 milestone May 18, 2022
aeneasr added a commit that referenced this issue Jun 14, 2022
aeneasr added a commit that referenced this issue Jun 14, 2022
@aeneasr aeneasr closed this as completed Jun 14, 2022
aeneasr added a commit that referenced this issue Jun 27, 2022
grantzvolsky pushed a commit that referenced this issue Aug 1, 2022
aeneasr added a commit that referenced this issue Aug 1, 2022
aeneasr added a commit that referenced this issue Aug 18, 2022
aeneasr added a commit that referenced this issue Sep 5, 2022
aeneasr added a commit that referenced this issue Sep 7, 2022
3 participants