Home Forums Web Access Management (SSO and Federation) Oauth2 Logout … idp/oauth2/revoke is insufficient

Viewing 1 post (of 1 total)
  • Author
  • #1489
    peter elgee

    I have an OAuth2 authorization_code type middle tier using OpenIAM.
    When the user logs out, we issue a call to the web-serivce:
    and the OpenIAM reponse indicates that the token is indeed revoked:
    calling: http://xxxxx/idp/oauth2/revoke
    response: {‘status’: ‘SUCCESS’, ‘errorCode’: None, ‘errorText’: None, ‘fieldMappings’: None, ‘stacktraceText’: None, ‘responseValue’: None, ‘errorTokenList’: None, ‘failure’: False, ‘success’: True}

    My problem is that is the browser attempts to re-login immediately, OpenIAM does not post it’s login GUI, but
    immediately issues a code token to our oauthcallback, and allows our code to exchange the code for an access token
    This is presumably because of the Content-Ppovider specific token cashed in the browser.

    In general this may be advantageous, but for our application flow, we need to explicitly logout the use so that
    if the same browser (with the OpenIAM cookie associated with the OpenIAM server still cached) navigates to the
    OpenIAN auth server, i.e., {server_url}/idp/oauth2/token/authorize), the login dialogs are displayed.

    Is there something more profound than the ipd/oauth2/revoke web-service that will actually logout the user.

    • This topic was modified 1 year, 2 months ago by suneet_shah.
    • This topic was modified 1 year, 2 months ago by suneet_shah.
Viewing 1 post (of 1 total)
  • You must be logged in to reply to this topic.