feat(oauthserver): add authorization list and revoke endpoints (#2232)

## Summary

This PR adds user-facing endpoints that allow users to view and revoke
their OAuth 2.1 client authorizations. This will allow users control
over which applications have access to their accounts.

  ## Changes

  ### New Endpoints

  #### `GET /user/oauth/authorizations`
  Lists all OAuth clients the authenticated user has authorized.

  **Response:**
  ```json
  {
    "authorized_clients": [
      {
        "client_id": "uuid",
        "client_name": "Example App",
        "client_uri": "https://example.com",
        "logo_uri": "https://example.com/logo.png",
        "scopes": ["read", "write"],
        "granted_at": "2025-10-29T12:00:00Z"
      }
    ]
  }
```

#### DELETE /user/oauth/authorizations?client_id={client_id}

Revokes authorization for a specific OAuth client.

 Actions performed:
  - Marks the user's consent as revoked
  - Deletes all active sessions associated with the OAuth client
  - Creates an audit log entry

  **Response**: 204 No Content on success

Author: cemalkilic

internal/api/api.go

@@ -261,6 +261,14 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 				r.Get("/authorize", api.LinkIdentity)
 				r.Delete("/{identity_id}", api.DeleteIdentity)
 			})
+
+			// OAuth grant management endpoints (only if OAuth server is enabled)
+			if globalConfig.OAuthServer.Enabled {
+				r.Route("/oauth/grants", func(r *router) {
+					r.Get("/", api.oauthServer.UserListOAuthGrants)
+					r.Delete("/", api.oauthServer.UserRevokeOAuthGrant)
+				})
+			}
 		})
 
 		r.With(api.requireAuthentication).Route("/factors", func(r *router) {

internal/api/apierrors/errorcode.go

@@ -100,4 +100,5 @@ const (
 
 	ErrorCodeOAuthClientNotFound        ErrorCode = "oauth_client_not_found"
 	ErrorCodeOAuthAuthorizationNotFound ErrorCode = "oauth_authorization_not_found"
+	ErrorCodeOAuthConsentNotFound       ErrorCode = "oauth_consent_not_found"
 )

internal/api/oauthserver/handlers.go

@@ -538,3 +538,133 @@ func (s *Server) handleRefreshTokenGrant(ctx context.Context, w http.ResponseWri
 func (s *Server) getTokenService() *tokens.Service {
 	return s.tokenService
 }
+
+// UserOAuthGrantResponse represents an OAuth grant that a user has authorized
+type UserOAuthGrantResponse struct {
+	ClientID   string    `json:"client_id"`
+	ClientName string    `json:"client_name,omitempty"`
+	ClientURI  string    `json:"client_uri,omitempty"`
+	LogoURI    string    `json:"logo_uri,omitempty"`
+	Scopes     []string  `json:"scopes"`
+	GrantedAt  time.Time `json:"granted_at"`
+}
+
+// UserOAuthGrantsListResponse represents the response for listing user's OAuth grants
+type UserOAuthGrantsListResponse struct {
+	Grants []UserOAuthGrantResponse `json:"grants"`
+}
+
+// UserListOAuthGrants handles GET /user/oauth/grants
+// Lists all OAuth grants that the authenticated user has authorized (active consents)
+func (s *Server) UserListOAuthGrants(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+	user := shared.GetUser(ctx)
+
+	if user == nil {
+		return apierrors.NewForbiddenError(apierrors.ErrorCodeBadJWT, "authentication required")
+	}
+
+	db := s.db.WithContext(ctx)
+
+	// Get all active (non-revoked) consents for this user
+	consents, err := models.FindOAuthServerConsentsByUser(db, user.ID, false)
+	if err != nil {
+		return apierrors.NewInternalServerError("Error fetching OAuth grants").WithInternalError(err)
+	}
+
+	// Build response with client information
+	grants := make([]UserOAuthGrantResponse, 0, len(consents))
+
+	for _, consent := range consents {
+		// Fetch client details
+		client, err := models.FindOAuthServerClientByID(db, consent.ClientID)
+		if err != nil {
+			// Skip clients that no longer exist or are deleted
+			if models.IsNotFoundError(err) {
+				continue
+			}
+			return apierrors.NewInternalServerError("Error fetching client details").WithInternalError(err)
+		}
+
+		response := UserOAuthGrantResponse{
+			ClientID:   client.ID.String(),
+			ClientName: utilities.StringValue(client.ClientName),
+			ClientURI:  utilities.StringValue(client.ClientURI),
+			LogoURI:    utilities.StringValue(client.LogoURI),
+			Scopes:     consent.GetScopeList(),
+			GrantedAt:  consent.GrantedAt,
+		}
+
+		grants = append(grants, response)
+	}
+
+	response := UserOAuthGrantsListResponse{
+		Grants: grants,
+	}
+
+	return shared.SendJSON(w, http.StatusOK, response)
+}
+
+// UserRevokeOAuthGrant handles DELETE /user/oauth/grants?client_id=...
+// Revokes the user's OAuth grant for a specific client
+func (s *Server) UserRevokeOAuthGrant(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+	user := shared.GetUser(ctx)
+
+	if user == nil {
+		return apierrors.NewForbiddenError(apierrors.ErrorCodeBadJWT, "authentication required")
+	}
+
+	clientIDStr := r.URL.Query().Get("client_id")
+	if clientIDStr == "" {
+		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "client_id query parameter is required")
+	}
+
+	// Parse client_id as UUID
+	clientID, err := uuid.FromString(clientIDStr)
+	if err != nil {
+		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "invalid client_id format")
+	}
+
+	db := s.db.WithContext(ctx)
+
+	// Find the active consent for this user and client
+	consent, err := models.FindActiveOAuthServerConsentByUserAndClient(db, user.ID, clientID)
+	if err != nil {
+		return apierrors.NewInternalServerError("Error finding consent").WithInternalError(err)
+	}
+
+	if consent == nil {
+		return apierrors.NewNotFoundError(apierrors.ErrorCodeOAuthConsentNotFound, "No active grant found for this client")
+	}
+
+	// Revoke the consent in a transaction
+	err = db.Transaction(func(tx *storage.Connection) error {
+		if terr := consent.Revoke(tx); terr != nil {
+			return terr
+		}
+
+		// Delete all sessions associated with this OAuth client for this user
+		// This will invalidate all refresh tokens for those sessions
+		if terr := models.RevokeOAuthSessions(tx, user.ID, clientID); terr != nil {
+			return terr
+		}
+
+		// Create audit log entry
+		if terr := models.NewAuditLogEntry(s.config.AuditLog, r, tx, user, models.TokenRevokedAction, "", map[string]interface{}{
+			"oauth_client_id": clientID.String(),
+			"action":          "revoke_oauth_grant",
+		}); terr != nil {
+			return terr
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		return apierrors.NewInternalServerError("Error revoking grant").WithInternalError(err)
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+	return nil
+}

internal/api/oauthserver/handlers_test.go

@@ -8,6 +8,7 @@ import (
 	"net/http/httptest"
 	"testing"
 
+	"github.com/gofrs/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
@@ -437,3 +438,228 @@ func (ts *OAuthClientTestSuite) TestHandlerValidation() {
 	require.Error(ts.T(), err)
 	assert.Contains(ts.T(), err.Error(), "invalid redirect_uri")
 }
+
+// Helper function to create a test user
+func (ts *OAuthClientTestSuite) createTestUser(email string) *models.User {
+	user, err := models.NewUser("", email, "password123", "authenticated", nil)
+	require.NoError(ts.T(), err)
+	require.NotNil(ts.T(), user)
+
+	err = ts.DB.Create(user)
+	require.NoError(ts.T(), err)
+
+	return user
+}
+
+// Helper function to create a test OAuth consent
+func (ts *OAuthClientTestSuite) createTestConsent(userID, clientID string, scopes []string) *models.OAuthServerConsent {
+	userUUID, err := uuid.FromString(userID)
+	require.NoError(ts.T(), err)
+
+	clientUUID, err := uuid.FromString(clientID)
+	require.NoError(ts.T(), err)
+
+	consent := models.NewOAuthServerConsent(userUUID, clientUUID, scopes)
+	require.NoError(ts.T(), models.UpsertOAuthServerConsent(ts.DB, consent))
+
+	return consent
+}
+
+// Helper function to create a test session for OAuth
+func (ts *OAuthClientTestSuite) createTestSession(userID, clientID string) *models.Session {
+	userUUID, err := uuid.FromString(userID)
+	require.NoError(ts.T(), err)
+
+	clientUUID, err := uuid.FromString(clientID)
+	require.NoError(ts.T(), err)
+
+	session, err := models.NewSession(userUUID, nil)
+	require.NoError(ts.T(), err)
+	session.OAuthClientID = &clientUUID
+
+	err = ts.DB.Create(session)
+	require.NoError(ts.T(), err)
+
+	return session
+}
+
+func (ts *OAuthClientTestSuite) TestUserListOAuthGrants() {
+	// Create test user
+	user := ts.createTestUser("[email protected]")
+
+	// Create test OAuth clients
+	client1, _ := ts.createTestOAuthClient()
+	client2, _ := ts.createTestOAuthClient()
+
+	// Create consents for the user
+	ts.createTestConsent(user.ID.String(), client1.ID.String(), []string{"read", "write"})
+	ts.createTestConsent(user.ID.String(), client2.ID.String(), []string{"read"})
+
+	// Create HTTP request
+	req := httptest.NewRequest(http.MethodGet, "/user/oauth/grants", nil)
+
+	// Add user to context (normally done by requireAuthentication middleware)
+	ctx := shared.WithUser(req.Context(), user)
+	req = req.WithContext(ctx)
+
+	w := httptest.NewRecorder()
+
+	// Call handler
+	err := ts.Server.UserListOAuthGrants(w, req)
+	require.NoError(ts.T(), err)
+
+	// Check response
+	assert.Equal(ts.T(), http.StatusOK, w.Code)
+
+	var response UserOAuthGrantsListResponse
+	err = json.Unmarshal(w.Body.Bytes(), &response)
+	require.NoError(ts.T(), err)
+
+	// Should have 2 grants
+	assert.Len(ts.T(), response.Grants, 2)
+
+	// Verify client details are included
+	for _, grant := range response.Grants {
+		assert.NotEmpty(ts.T(), grant.ClientID)
+		assert.Equal(ts.T(), "Test Client", grant.ClientName)
+		assert.NotEmpty(ts.T(), grant.Scopes)
+		assert.NotEmpty(ts.T(), grant.GrantedAt)
+	}
+
+	// Check that client1 (with read and write scopes) is in the response
+	found := false
+	for _, grant := range response.Grants {
+		if grant.ClientID == client1.ID.String() {
+			found = true
+			assert.Contains(ts.T(), grant.Scopes, "read")
+			assert.Contains(ts.T(), grant.Scopes, "write")
+		}
+	}
+	assert.True(ts.T(), found, "client1 should be in the grants list")
+}
+
+func (ts *OAuthClientTestSuite) TestUserListOAuthGrantsEmpty() {
+	// Create test user with no grants
+	user := ts.createTestUser("[email protected]")
+
+	req := httptest.NewRequest(http.MethodGet, "/user/oauth/grants", nil)
+	ctx := shared.WithUser(req.Context(), user)
+	req = req.WithContext(ctx)
+
+	w := httptest.NewRecorder()
+
+	err := ts.Server.UserListOAuthGrants(w, req)
+	require.NoError(ts.T(), err)
+
+	assert.Equal(ts.T(), http.StatusOK, w.Code)
+
+	var response UserOAuthGrantsListResponse
+	err = json.Unmarshal(w.Body.Bytes(), &response)
+	require.NoError(ts.T(), err)
+
+	// Should have 0 grants
+	assert.Len(ts.T(), response.Grants, 0)
+}
+
+func (ts *OAuthClientTestSuite) TestUserListOAuthGrantsNoAuth() {
+	// Test without user in context (unauthenticated)
+	req := httptest.NewRequest(http.MethodGet, "/user/oauth/grants", nil)
+	w := httptest.NewRecorder()
+
+	err := ts.Server.UserListOAuthGrants(w, req)
+	require.Error(ts.T(), err)
+	assert.Contains(ts.T(), err.Error(), "authentication required")
+}
+
+func (ts *OAuthClientTestSuite) TestUserRevokeOAuthGrant() {
+	// Create test user
+	user := ts.createTestUser("[email protected]")
+
+	// Create a client and consent
+	client, _ := ts.createTestOAuthClient()
+	ts.createTestConsent(user.ID.String(), client.ID.String(), []string{"read", "write"})
+
+	// Create a session for this OAuth client
+	session := ts.createTestSession(user.ID.String(), client.ID.String())
+
+	// Create HTTP request with query parameter
+	req := httptest.NewRequest(http.MethodDelete, "/user/oauth/grants?client_id="+client.ID.String(), nil)
+
+	// Add user to context
+	ctx := shared.WithUser(req.Context(), user)
+	req = req.WithContext(ctx)
+
+	w := httptest.NewRecorder()
+
+	// Call handler - should succeed
+	err := ts.Server.UserRevokeOAuthGrant(w, req)
+	require.NoError(ts.T(), err)
+
+	// Check response
+	assert.Equal(ts.T(), http.StatusNoContent, w.Code)
+	assert.Empty(ts.T(), w.Body.String())
+
+	// Verify consent was revoked
+	consent, err := models.FindOAuthServerConsentByUserAndClient(ts.DB, user.ID, client.ID)
+	require.NoError(ts.T(), err)
+	assert.NotNil(ts.T(), consent.RevokedAt, "consent should be revoked")
+
+	// Verify session was deleted
+	deletedSession, err := models.FindSessionByID(ts.DB, session.ID, false)
+	assert.Error(ts.T(), err, "session should be deleted")
+	assert.Nil(ts.T(), deletedSession)
+}
+
+func (ts *OAuthClientTestSuite) TestUserRevokeOAuthGrantNotFound() {
+	// Create test user
+	user := ts.createTestUser("[email protected]")
+
+	// Create a client but don't create a consent
+	client, _ := ts.createTestOAuthClient()
+
+	// Create HTTP request with query parameter
+	req := httptest.NewRequest(http.MethodDelete, "/user/oauth/grants?client_id="+client.ID.String(), nil)
+
+	// Add user to context
+	ctx := shared.WithUser(req.Context(), user)
+	req = req.WithContext(ctx)
+
+	w := httptest.NewRecorder()
+
+	// Call handler - should return error
+	err := ts.Server.UserRevokeOAuthGrant(w, req)
+	require.Error(ts.T(), err)
+	assert.Contains(ts.T(), err.Error(), "No active grant found")
+}
+
+func (ts *OAuthClientTestSuite) TestUserRevokeOAuthGrantInvalidClientID() {
+	// Create test user
+	user := ts.createTestUser("[email protected]")
+
+	// Create HTTP request with invalid client ID query parameter
+	req := httptest.NewRequest(http.MethodDelete, "/user/oauth/grants?client_id=invalid-uuid", nil)
+
+	// Add user to context
+	ctx := shared.WithUser(req.Context(), user)
+	req = req.WithContext(ctx)
+
+	w := httptest.NewRecorder()
+
+	// Call handler - should return error
+	err := ts.Server.UserRevokeOAuthGrant(w, req)
+	require.Error(ts.T(), err)
+	assert.Contains(ts.T(), err.Error(), "invalid client_id format")
+}
+
+func (ts *OAuthClientTestSuite) TestUserRevokeOAuthGrantNoAuth() {
+	// Test without user in context (unauthenticated)
+	client, _ := ts.createTestOAuthClient()
+
+	req := httptest.NewRequest(http.MethodDelete, "/user/oauth/grants?client_id="+client.ID.String(), nil)
+
+	w := httptest.NewRecorder()
+
+	err := ts.Server.UserRevokeOAuthGrant(w, req)
+	require.Error(ts.T(), err)
+	assert.Contains(ts.T(), err.Error(), "authentication required")
+}