canonical / identity-platform-admin-ui

Admin UI for the Canonical identity broker and identity provider solution

IAM 889 Implement logout feature #345

Closed BarcoMasile closed 3 months ago

BarcoMasile commented 3 months ago

Description

Adds the logout handler /api/v0/auth/logout, which mainly does two things:

Of course it also deletes the encrypted auth cookies.

The Hydra admin URL is used for the revoke session API invocation. Here we rely on Hydra's implementation of this, so I made explicit reference to the Hydra URL since there is no need to keep it generic. In case we ever change from Hydra to another OIDC provider, we'll have to switch the logout implementation anyway.

This PR also fixes cookie deletion for the cookie manager, since a bug was present that slipped into the PR that introduced it.

NB: The revoke token API invocation is based on the fact that the token endpoint auth method is set to client-secret-basic at client creation (against Hydra), and this is set in the admin-ui-operator right here. If we ever change client authentication to client-secret-post, this will mean that we will have to add the client id and secret to the revoke token request body. I don't see a reason why we would do that, but the info is here for posterity.

This PR will benefit from solving issue #337, which will be worked on right after this.
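As an added example that is not code from this PR or from the admin-ui repository: the difference between client-secret-basic and client-secret-post described in the note above, applied to an RFC 7009 token revocation request, plus a cookie deletion that repeats the attributes the cookie was set with (a mismatch there is a common reason a "deleted" cookie survives). The revoke URL, client id, secret and cookie names are constructed placeholders; the `/oauth2/revoke` path is assumed to be Hydra's public revocation endpoint.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// NewRevokeRequest builds an RFC 7009 revocation request for token. With
// basicAuth true the client credentials travel in the Authorization header
// (client-secret-basic, the method the PR relies on); otherwise they are
// added to the form body (client-secret-post). revokeURL is assumed to be
// the provider's public /oauth2/revoke endpoint.
func NewRevokeRequest(revokeURL, clientID, clientSecret, token string, basicAuth bool) (*http.Request, error) {
	form := url.Values{}
	form.Set("token", token)
	if !basicAuth {
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	}
	req, err := http.NewRequest(http.MethodPost, revokeURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if basicAuth {
		req.SetBasicAuth(clientID, clientSecret)
	}
	return req, nil
}

// ClearAuthCookies expires the named cookies. Path, Secure and HttpOnly must
// match the values used when the cookie was set, otherwise the browser keeps
// the original cookie and the logout is incomplete.
func ClearAuthCookies(w http.ResponseWriter, names ...string) {
	for _, name := range names {
		http.SetCookie(w, &http.Cookie{
			Name: name, Value: "", Path: "/", MaxAge: -1,
			HttpOnly: true, Secure: true,
		})
	}
}

func main() {
	// Constructed placeholder values; not a real deployment.
	req, _ := NewRevokeRequest("https://hydra.example/oauth2/revoke", "admin-ui", "s3cret", "tok", true)
	fmt.Println(req.Header.Get("Authorization")) // Basic <base64(admin-ui:s3cret)>
}
```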