Merge pull request #2735 from wmathurin/dev

Revoke refresh token with a HTTP POST instead of a HTTP GET call

Author: wmathurin

libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/OAuth2.java

@@ -143,6 +143,7 @@ public class OAuth2 {
     private static final String ASSERTION = "assertion";
     private static final String JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer";
     protected static final String OAUTH_AUTH_PATH = "/services/oauth2/authorize";
+    private static final String REVOKE_REASON = "revoke_reason";
 
     /** Endpoint path for Salesforce Identity API initialize headless, password-less login flow */
     protected static String OAUTH_ENDPOINT_HEADLESS_INIT_PASSWORDLESS_LOGIN = "/services/auth/headless/init/passwordless/login";
@@ -155,7 +156,7 @@ public class OAuth2 {
 
     private static final String OAUTH_DISPLAY_PARAM = "?display=";
     protected static final String OAUTH_TOKEN_PATH = "/services/oauth2/token";
-    private static final String OAUTH_REVOKE_PATH = "/services/oauth2/revoke?token=%s&revoke_reason=%s";
+    private static final String OAUTH_REVOKE_PATH = "/services/oauth2/revoke";
     private static final String LIGHTNING_DOMAIN = "lightning_domain";
     private static final String LIGHTNING_SID = "lightning_sid";
     private static final String VF_DOMAIN = "visualforce_domain";
@@ -470,15 +471,23 @@ public static TokenEndpointResponse refreshAuthToken(HttpAccess httpAccessor, UR
      * @param reason The reason the refresh token is being revoked.
      */
     public static void revokeRefreshToken(HttpAccess httpAccessor, URI loginServer, String refreshToken, LogoutReason reason) {
-        final String requestPath = String.format(OAUTH_REVOKE_PATH, refreshToken, reason.toString());
-        final Request request = new Request.Builder().url(loginServer.toString() + requestPath).get().build();
+        final Request request = buildRevokeRefreshTokenRequest(loginServer, refreshToken, reason);
         try {
             httpAccessor.getOkHttpClient().newCall(request).execute();
         } catch (IOException e) {
             SalesforceSDKLogger.w(TAG, "Exception thrown while revoking refresh token", e);
         }
     }
 
+    protected static Request buildRevokeRefreshTokenRequest(URI loginServer, String refreshToken, LogoutReason reason) {
+        final String requestUrl = loginServer.toString() + OAUTH_REVOKE_PATH;
+        final FormBody body = new FormBody.Builder()
+                .add(TOKEN, refreshToken)
+                .add(REVOKE_REASON, reason.toString())
+                .build();
+        return new Request.Builder().url(requestUrl).post(body).build();
+    }
+
     /**
      * Swaps a JWT for regular OAuth tokens. This is typically the first step after
      * receiving a JWT from a link. In addition, this will also call the identity

libs/test/SalesforceSDKTest/src/com/salesforce/androidsdk/auth/OAuth2Test.java

@@ -61,6 +61,7 @@
 import okhttp3.HttpUrl;
 import okhttp3.Request;
 import okhttp3.Response;
+import okio.Buffer;
 
 /**
  * Tests for OAuth2.
@@ -482,4 +483,36 @@ public void testGetOpenIDToken() {
                 TestCredentials.CLIENT_ID, TestCredentials.REFRESH_TOKEN);
         Assert.assertNotNull("OpenID token should not be null", openIdToken);
     }
+
+    /**
+     * Testing buildRevokeRefreshTokenRequest.
+     */
+    @Test
+    public void testBuildRevokeRefreshTokenRequest() throws Exception {
+        String refreshToken = "test_refresh_token_123";
+        OAuth2.LogoutReason reason = OAuth2.LogoutReason.USER_LOGOUT;
+        URI loginServer = new URI(TestCredentials.LOGIN_URL);
+
+        Request request = OAuth2.buildRevokeRefreshTokenRequest(loginServer, refreshToken, reason);
+
+        // Verify URL
+        String expectedUrl = TestCredentials.LOGIN_URL + "/services/oauth2/revoke";
+        Assert.assertEquals(expectedUrl, request.url().toString());
+
+        // Verify method
+        Assert.assertEquals("POST", request.method());
+
+        // Verify body contains expected parameters
+        String body = getRequestBodyAsString(request);
+        Assert.assertTrue(body.contains("token=" + refreshToken));
+        Assert.assertTrue(body.contains("revoke_reason=" + reason.toString()));
+    }
+
+    private String getRequestBodyAsString(Request request) throws IOException {
+        okio.Buffer buffer = new okio.Buffer();
+        if (request.body() != null) {
+            request.body().writeTo(buffer);
+        }
+        return buffer.readUtf8();
+    }
 }