Closed rhinmass closed 5 years ago
I feel like I need to make a call to revoke and endSession but it's not clear if there are some methods in the framework (as there are for userInfo) or if I just have to build these post requests. For the latter, I think I will need the accessToken for the endSession header. Any hints on how to get my hands on that from within the simple-web-apps controller?
I'm trying everything here, and could really use some pointers
I'm sorry this question was long, but I wanted to make sure whoever was kind enough to try to answer it would know all the things I've already tried. In summary, I need to revoke the access token and end the client session. (I can end the client session now through spring logout, but the token is still active so the next time I click log in, it logs right back in without prompting for creds.)
Answering my own questions:
1) To get the access token:
import org.mitre.openid.connect.model.OIDCAuthenticationToken;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
// Once the OIDC filter has authenticated the user, the Authentication in the context is a MITREid OIDCAuthenticationToken.
SecurityContext sc = SecurityContextHolder.getContext();
OIDCAuthenticationToken auth = (OIDCAuthenticationToken) sc.getAuthentication();
String accessToken = auth.getAccessTokenValue();
String refreshToken = auth.getRefreshTokenValue();
2 & 3) We need to send the client-id and client secret in order to revoke the access token. The access token is not sent in the header.
4 & 5) Had a typo in the post_logout_redirect_uri that I had registered with the client. It's working now.
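The two calls from points 2 through 5 above, as an added example (not code from the issue author or from MITREid Connect): an RFC 7009 revocation request authenticated with the client id and secret rather than the access token, and the end-session redirect with the registered post_logout_redirect_uri. Endpoint URLs, client credentials and the redirect URI are placeholders; the example assumes Java 11+ for java.net.http.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class OidcLogoutHelper {
    // Placeholder values: take these from the client registration / the OP's discovery document.
    static final String REVOCATION_ENDPOINT = "https://op.example/revoke";
    static final String END_SESSION_ENDPOINT = "https://op.example/endsession";
    static final String CLIENT_ID = "client-id-placeholder";
    static final String CLIENT_SECRET = "client-secret-placeholder";
    static final String POST_LOGOUT_REDIRECT_URI = "https://rp.example/simple-web-app/";

    // RFC 7009 revocation: the client credentials go in an HTTP Basic Authorization header and
    // the token goes in the form body. The access token is NOT sent as a bearer header.
    // Call this for the access token and, if one was issued, for the refresh token too.
    static boolean revoke(String token, String typeHint) throws Exception {
        String basic = Base64.getEncoder().encodeToString(
                (CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
        String body = "token=" + enc(token) + "&token_type_hint=" + enc(typeHint);
        HttpRequest req = HttpRequest.newBuilder(URI.create(REVOCATION_ENDPOINT))
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<String> resp = HttpClient.newHttpClient()
                .send(req, HttpResponse.BodyHandlers.ofString());
        // RFC 7009: the server answers 200 even when the token was already invalid.
        return resp.statusCode() == 200;
    }

    // Build the end-session redirect so the OP's own login session is terminated as well;
    // revoking the token alone leaves the OP session alive, and the next "Login" click
    // re-authenticates without a credential prompt. post_logout_redirect_uri must match the
    // value registered with the client exactly (a typo here is a silent failure).
    static String endSessionUrl(String idToken, String state) {
        return END_SESSION_ENDPOINT
                + "?id_token_hint=" + enc(idToken)
                + "&post_logout_redirect_uri=" + enc(POST_LOGOUT_REDIRECT_URI)
                + "&state=" + enc(state);
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }
}
```

In a Spring logout handler, call revoke for the access and refresh tokens first, then send the browser to endSessionUrl; checking that the endsession request actually appears in the browser's network tab is the quickest way to confirm the second half ran.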
I made the change to call logout from the inline form and send the CSRF via the post.
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1340
The UI appears logged out, however, as soon as I click Login I am again logged in, without having to enter any credentials. Also, looking at the network calls in Developer Tools, I don't see that endsession is being called.
Is there more to be done to complete the logout?