after these redirects, when I try to use the refresh token to obtain a new access token,
the API connect/token with grant_type=refresh_token returns "invalid_grant" which means that the token is not valid in this case
but when I call the endsession API from flutter_appauth, the revocation APIs are not triggered
thus, the refresh token is not revoked and can be used to obtain new access tokens
URLs appeared in the server logs when the endsession is called from mobile:
the webview is closed and the app proceed it's work
I thought maybe because the client_id is not passed in the endsession API, as the revocation APIs do require client_id
I tried to append the client_id in the additionalParameters but no updates were detected
I then tried to manually call revocation for the refresh token with client_id, It worked fine, when I tried to obtain a new access token an error was returned
Notes:
I am using identityserver4 & AuthorizationCode flow with PKCE
so is there anyway to do actually "End the session" and revoke any tokens for the current session?
Hello there, Does calling
endsession
trigger token revocation?In my web app, I tested the login & logout cycle the URLs triggered:
after these redirects, when I try to use the refresh token to obtain a new access token, the API connect/token with grant_type=refresh_token returns "invalid_grant" which means that the token is not valid in this case
but when I call the endsession API from
flutter_appauth
, the revocation APIs are not triggered thus, the refresh token is not revoked and can be used to obtain new access tokens URLs appeared in the server logs when the endsession is called from mobile:I thought maybe because the
client_id
is not passed in the endsession API, as the revocation APIs do requireclient_id
I tried to append theclient_id
in the additionalParameters but no updates were detectedI then tried to manually call revocation for the refresh token with client_id, It worked fine, when I tried to obtain a new access token an error was returned
Notes: I am using identityserver4 & AuthorizationCode flow with PKCE
so is there anyway to do actually "End the session" and revoke any tokens for the current session?