From 55f514897bf41ef99c3d586db8e0dda5224b535b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Commaille?=
Date: Mon, 17 Feb 2025 11:28:01 +0100
Subject: [PATCH] refactor(oidc): Only revoke one token for logout
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The server is supposed to revoke any token associated with the token that we revoke.
Signed-off-by: Kévin Commaille
---
 .../src/authentication/oidc/cross_process.rs | 9 +++------
 crates/matrix-sdk/src/authentication/oidc/mod.rs | 16 ++-------------
 2 files changed, 5 insertions(+), 20 deletions(-)
diff --git a/crates/matrix-sdk/src/authentication/oidc/cross_process.rs b/crates/matrix-sdk/src/authentication/oidc/cross_process.rs
index 5ba0344cbd1..1e0453c5f1d 100644
--- a/crates/matrix-sdk/src/authentication/oidc/cross_process.rs
+++ b/crates/matrix-sdk/src/authentication/oidc/cross_process.rs
@@ -611,14 +611,11 @@ mod tests {
 oidc.logout().await?;
- // Both the access token and the refresh tokens have been invalidated.
+ // The access token has been invalidated.
 {
 let revoked = backend.revoked_tokens.lock().unwrap();
- assert_eq!(revoked.len(), 2);
- assert_eq!(
- *revoked,
- vec![tokens.access_token.clone(), tokens.refresh_token.clone().unwrap(),]
- );
+ assert_eq!(revoked.len(), 1);
+ assert_eq!(*revoked, &[tokens.access_token]);
 }
 {
diff --git a/crates/matrix-sdk/src/authentication/oidc/mod.rs b/crates/matrix-sdk/src/authentication/oidc/mod.rs
index de19fc1dcc7..9b2a1d6b193 100644
--- a/crates/matrix-sdk/src/authentication/oidc/mod.rs
+++ b/crates/matrix-sdk/src/authentication/oidc/mod.rs
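Review bot: The new comment `// The access token has been invalidated.` together with `assert_eq!(revoked.len(), 1)` only records what the client sent to the mock backend; whether the refresh token is also invalidated is now a server-side effect that this test cannot observe, and the comment reads as if nothing were left unverified. Suggest `// Only the access token is sent to the revocation endpoint; invalidation of the refresh token is delegated to the server and is not observable through the mock backend.` so the next reader does not mistake this assertion for coverage of the refresh token. The enclosing test function starts before and continues after this hunk.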
@@ -1476,28 +1476,16 @@ impl Oidc {
 let tokens = self.session_tokens().ok_or(OidcError::NotAuthenticated)?;
- // Revoke the access token.
+ // Revoke the access token, it should revoke both tokens.
 self.backend
 .revoke_token(
- client_credentials.clone(),
+ client_credentials,
 revocation_endpoint,
 tokens.access_token,
 Some(OAuthTokenTypeHint::AccessToken),
 )
 .await?;
- // Revoke the refresh token, if any.
- if let Some(refresh_token) = tokens.refresh_token {
- self.backend
- .revoke_token(
- client_credentials.clone(),
- revocation_endpoint,
- refresh_token,
- Some(OAuthTokenTypeHint::RefreshToken),
- )
- .await?;
- }
-
 if let Some(manager) = self.ctx().cross_process_token_refresh_manager.get() {
 manager.on_logout().await?;
 }
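Review bot: Revoking only the access token does not guarantee that the refresh token is invalidated: RFC 7009 §2.1 says a server SHOULD invalidate the access tokens of the same grant when a refresh token is revoked, but when an access token is revoked it only MAY revoke the related refresh token, so on a server that does not cascade, the refresh token survives logout and can still mint new access tokens. If a single request is the goal, send the refresh token with `Some(OAuthTokenTypeHint::RefreshToken)` whenever `tokens.refresh_token` is `Some`, and fall back to the access token only when there is none; the rewrite below does that. The new comment `// Revoke the access token, it should revoke both tokens.` also states the cascade as a fact — hedge it, e.g. `// Servers following RFC 7009 may revoke related tokens as well, but that is server policy.` `logout` begins before and continues past this hunk.
```rust
        let tokens = self.session_tokens().ok_or(OidcError::NotAuthenticated)?;

        // Prefer revoking the refresh token: RFC 7009 §2.1 says the server
        // SHOULD then invalidate the access tokens of the same grant, whereas
        // revoking an access token only MAY cascade to the refresh token.
        let (token, hint) = match tokens.refresh_token {
            Some(refresh_token) => (refresh_token, OAuthTokenTypeHint::RefreshToken),
            None => (tokens.access_token, OAuthTokenTypeHint::AccessToken),
        };
        self.backend
            .revoke_token(client_credentials, revocation_endpoint, token, Some(hint))
            .await?;

        // … unchanged: cross-process token refresh manager on_logout …
```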