juanifioren / django-oidc-provider

OpenID Connect and OAuth2 provider implementation for Djangonauts.
http://django-oidc-provider.readthedocs.org
MIT License

Calling end-session with id_token doesn't seem to clear Tokens #298

Open divick opened 5 years ago

divick commented 5 years ago

How do I clear tokens once the user logs out? Without this, calling /openid/authorize/ with appropriate data like client_id, redirect_uri, scope and response_type doesn't ask for re-authentication but simply redirects back, as the token still exists.

If I override the OIDC_AFTER_END_SESSION_HOOK, then I only get the client and id_token, but I cannot look up the Token to delete from the id_token.

Also setting OIDC_SESSION_MANAGEMENT_ENABLE = True doesn't seem to make any difference. Possibly documentation around this could be improved.

toti1212 commented 5 years ago

Hi @divick! An approach could be filtering Token by user and client_id.

Then you can iterate over that QuerySet and check whether the result of jwt.decode(id_token, verify=False) that you have is the same as the iterated token's id_token. If it fits, you can delete it (?)🤔
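A worked version of the approach sketched in the comment above, added here as an illustration; it is not code from the project or from either commenter. It assumes the hook is wired through settings.OIDC_AFTER_END_SESSION_HOOK with the keyword arguments the project passes (request, id_token, post_logout_redirect_uri, state, client, next_page), that oidc_provider.models.Token has user and client foreign keys plus an id_token property returning the stored claims dict, and that request.user is still the logging-out user when the hook runs. The StoredToken class and build_unsigned_id_token helper are constructed stand-ins so the matching logic runs offline without Django; instead of PyJWT it reads the payload with the standard library, which is the same unverified decode as jwt.decode(id_token, verify=False).

```python
import base64
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Claims that together pin down one issuance of an id_token. Comparing these
# rather than the whole dict tolerates claims a client may not echo back exactly.
IDENTIFYING_CLAIMS = ("iss", "sub", "aud", "iat", "exp")


def _b64url_decode(segment: str) -> bytes:
    """base64url-decode a JWS segment whose '=' padding was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload_unverified(id_token: str) -> dict:
    """Return the claims of a compact JWS *without* checking its signature.
    Only acceptable because the result selects rows that already belong to the
    authenticated user and client; it must never be used to grant anything."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def id_token_matches(presented: dict, stored: dict) -> bool:
    """True when both claim sets describe the same issued id_token."""
    return all(presented.get(k) == stored.get(k) for k in IDENTIFYING_CLAIMS)


def tokens_to_revoke(presented: dict, tokens: Iterable) -> List:
    """Keep the token objects (anything with an `id_token` dict attribute, such
    as oidc_provider.models.Token rows) whose stored id_token matches."""
    return [t for t in tokens if t.id_token and id_token_matches(presented, t.id_token)]


def after_end_session_hook(request, id_token=None, post_logout_redirect_uri=None,
                           state=None, client=None, next_page=None):
    """Drop-in for settings.OIDC_AFTER_END_SESSION_HOOK. Deletes the Token rows
    of the current user and client that match the presented id_token_hint and
    returns how many were deleted (0 when nothing identifiable was presented).
    Assumption: request.user is still the logging-out user at this point."""
    user = getattr(request, "user", None)
    if not id_token or client is None or user is None or not user.is_authenticated:
        return 0
    try:
        presented = decode_jwt_payload_unverified(id_token)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return 0  # malformed hint: nothing to match, fail closed
    from oidc_provider.models import Token  # lazy import: needs configured Django
    candidates = Token.objects.filter(user=user, client=client)
    deleted = 0
    for token in tokens_to_revoke(presented, candidates):
        token.delete()
        deleted += 1
    return deleted


# ---- constructed stand-ins so the logic can be exercised without Django ----

@dataclass
class StoredToken:
    """Minimal stand-in for a Token row: only the attribute the matcher reads."""
    id_token: Optional[dict]


def build_unsigned_id_token(claims: dict) -> str:
    """Constructed sample: an alg=none compact JWS for offline demonstration.
    A real provider signs its id_tokens (e.g. RS256); this is test input only."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."


if __name__ == "__main__":
    issued = {"iss": "https://op.example", "sub": "42", "aud": "client-abc",
              "iat": 1600000000, "exp": 1600000600, "nonce": "n1"}
    hint = build_unsigned_id_token(issued)
    presented = decode_jwt_payload_unverified(hint)
    rows = [StoredToken(dict(issued)),                 # same issuance: revoked
            StoredToken(dict(issued, iat=1600000300)),  # later issuance: kept
            StoredToken(None)]                          # no id_token stored: kept
    print(len(tokens_to_revoke(presented, rows)), "token(s) would be deleted")
```

The guard on `user.is_authenticated` matters because the end-session endpoint is also reachable without a live session, in which case there is nothing to filter by and the hook should do nothing. Because the hint is decoded without signature verification, the selection is deliberately scoped to the already-authenticated user and the resolved client, so a forged hint can at worst delete that user's own tokens for that client.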