nuxt-community / auth-module

Zero-boilerplate authentication support for Nuxt 2
https://auth.nuxtjs.org
MIT License
1.93k stars, 924 forks

Logout route not sending the access_token #1820

Open rickgoemans opened 1 year ago

rickgoemans commented 1 year ago

This week I've been updating our OAuth2 flow for the SPA with Laravel Passport, since the password grant token is not recommended because you can't hide the client_secret.

For this reason we've decided to switch over to the "Authorization Code Grant with PKCE" (https://laravel.com/docs/9.x/passport#code-grant-pkce). We're using Nuxt with the auth module (https://auth.nuxtjs.org), which is configured as shown below:

auth: {
    plugins: [
        '~/plugins/auth.ts',
    ],
    redirect: {
        login: '/auth/login',
        logout: '/auth/logout-success',
        callback: '/auth/callback',
        home: '/dashboard',
    },
    strategies: {
        oauth2: {
            scheme: 'oauth2',
            endpoints: {
                authorization: `${process.env.AUTH_BASE_URL}authorize`,
                token: `${process.env.AUTH_BASE_URL}token`,
                logout: `${process.env.SPA_API_BASE_URL}auth/logout`,
                userInfo: `${process.env.SPA_API_BASE_URL}auth/me`,
            },
            responseType: 'code',
            grantType: 'authorization_code',
            accessType: 'offline',
            clientId: process.env.OAUTH_CLIENT_ID,
            scope: '*',
            codeChallengeMethod: 'S256',
        },
    },
},

What I find confusing is that the logout request that is being sent does not include the Authorization header (with Bearer ...). Does that mean that it's only supposed to go as a web route and is therefore stateful with a session, and should log out the user's session that was set during the login phase to gather the code (oauth_auth_codes table in the database) which is needed to grab an access_token and refresh_token?

I assume the access_token and refresh_token have to be revoked to ensure somebody else could not use them if they could collect them somehow.

Another confusing/weird thing for me is that the session lifetime will probably be lower (by default 120 minutes in Laravel's config/session.php) than the token's lifetime (which is by default one year according to the docs: https://laravel.com/docs/9.x/passport#token-lifetimes), resulting in the user already being logged out by exceeding the session limit while still having a valid access/refresh token.

Either I'm missing some crucial part or I've misconfigured something, but for me (with the current implementation), I'm worried and confused a lot.
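One way to get the access token onto the logout call, as an added example that is neither the reporter's `~/plugins/auth.ts` nor code from the auth module itself: the oauth2 scheme's own `logout()` navigates to the configured logout endpoint rather than making an XHR, so it never attaches a bearer header. This plugin instead POSTs to `endpoints.logout` with the current token, and only then clears the client-side session. It assumes `$auth.strategy.token.get()` returns the token with its type prefix (e.g. `Bearer ...`) or `false`, that `$auth.strategy.options.endpoints.logout` holds the configured URL, that `$auth.reset()` clears local tokens and user, and that `$axios.request()` is the axios method; the local interfaces, `buildLogoutRequest`, `logoutWithRevocation` and the `$auth.logoutWithRevocation` property are names invented for this example. The API endpoint is assumed to revoke the access token and its refresh tokens server-side, which in Passport is what `TokenRepository::revokeAccessToken()` and `RefreshTokenRepository::revokeRefreshTokensByAccessTokenId()` do.

```typescript
// ~/plugins/auth.ts (example only; the interface and function names are assumptions)

// Minimal local shapes for the pieces of the auth module this plugin touches.
// These are written for this example and are not the module's own typings.
interface TokenStore {
  get(): string | boolean // assumed: "Bearer <token>" when logged in, false otherwise
}
interface AuthLike {
  strategy: {
    token: TokenStore
    options: { endpoints: { logout?: string | false } }
  }
  reset(): void | Promise<void> // assumed: wipes token, refresh token and user locally
  logoutWithRevocation?: () => Promise<{ revoked: boolean }>
}
interface HttpLike {
  request(cfg: LogoutRequest): Promise<unknown> // axios-compatible request()
}

export interface LogoutRequest {
  method: 'POST'
  url: string
  headers: Record<string, string>
}

// Build the request the scheme's built-in logout never sends: a POST to the API's
// logout endpoint carrying the current access token so the server can revoke it.
export function buildLogoutRequest(
  token: string | boolean,
  url: string | false | undefined
): LogoutRequest {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('no access token available; nothing to revoke')
  }
  if (typeof url !== 'string' || url.length === 0) {
    throw new Error('auth.strategies.oauth2.endpoints.logout is not configured')
  }
  return { method: 'POST', url, headers: { Authorization: token } }
}

// Revoke on the server first, then wipe local state. Local state is wiped even when
// the revocation call fails, so the SPA never stays "logged in" after the user chose
// to log out; the result tells the caller whether the server-side revocation happened.
export async function logoutWithRevocation(
  auth: AuthLike,
  http: HttpLike
): Promise<{ revoked: boolean }> {
  const token = auth.strategy.token.get()
  const url = auth.strategy.options.endpoints.logout
  let revoked = false
  try {
    await http.request(buildLogoutRequest(token, url))
    revoked = true
  } catch (err) {
    console.warn('token revocation failed; clearing local session anyway', err)
  } finally {
    await auth.reset()
  }
  return { revoked }
}

// Plugin entry point listed under auth.plugins; exposes the flow as
// this.$auth.logoutWithRevocation() for components (property name is an assumption).
export default function authPlugin({ $auth, $axios }: { $auth: AuthLike; $axios: HttpLike }): void {
  $auth.logoutWithRevocation = () => logoutWithRevocation($auth, $axios)
}
```

Call `this.$auth.logoutWithRevocation()` from the logout button instead of `this.$auth.logout()`, and follow it with your own redirect to the logout page. Revoking before `reset()` matters: once local state is cleared the token is gone and can no longer be sent, so a refresh token with a one-year lifetime would stay valid on the server.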