Open Marvedog opened 4 years ago
@Marvedog Thanks for the report. To help us track this down:
@aarongranick-okta Sorry, I may have been a bit unclear in my formulation. It is a general feature request that is not supported as of now as far as I can understand from the source code and the actual behavior of the library.
By remote session I mean that the tokens `access_token`, `id_token` and `refresh_token` are still valid. So if I, in my logout flow, call `signOut()`, then all tokens are still valid and any remote endpoints can still be accessed by whoever has the tokens, even though the client cannot.
So as mentioned in my initial description, shouldn't a `signOut()` actually sign out the user by terminating the remote session and not just remove access to any remote endpoints for the client?
@Marvedog - We believe your desired behavior SHOULD be the actual behavior. Could you provide a few more details on how we can reproduce your scenario? (which platform, what sequence of steps)
I'm submitting this issue for the package(s):
I'm submitting a:
Current behavior
signOut does not terminate remote session.
Expected behavior
signOut terminates the remote session, as recommended by OWASP, for example.
Extra information about the use case/user story you are trying to implement
Just adhering to standard security practice without resorting to complicated tricks. This seems pretty standard imo.
Environment
Node version (`node -v`):
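One way to implement the sign-out behaviour requested in this issue (revoke the tokens server-side, then end the provider session, and only then clear local copies), as an added example that is not okta-auth-js code. The endpoint URLs, client id and storage shape are constructed assumptions; the revocation request follows RFC 7009 and the logout URL follows OIDC RP-Initiated Logout.

```javascript
// Added example, not okta-auth-js code: a sign-out that revokes the refresh and
// access tokens at the OAuth 2.0 revocation endpoint (RFC 7009), builds the OIDC
// RP-initiated logout URL for the id_token, and only then clears local storage.
// Every URL, the client id and the sample tokens are constructed placeholders.
const config = {
  clientId: 'example-client-id',
  revocationEndpoint: 'https://issuer.example/oauth2/v1/revoke',
  endSessionEndpoint: 'https://issuer.example/oauth2/v1/logout',
  postLogoutRedirectUri: 'https://app.example/logged-out',
};

// Revoke one token. RFC 7009 servers answer 200 even for unknown or already
// revoked tokens, so any other status means the token may still be live.
async function revokeToken(token, hint, fetchImpl = fetch) {
  const body = new URLSearchParams({
    token, token_type_hint: hint, client_id: config.clientId,
  });
  const res = await fetchImpl(config.revocationEndpoint, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  return res.status === 200;
}

// The id_token cannot be revoked; the provider-side session is ended by sending
// the browser to end_session_endpoint with id_token_hint (RP-Initiated Logout).
function buildEndSessionUrl(idToken) {
  const url = new URL(config.endSessionEndpoint);
  url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', config.postLogoutRedirectUri);
  return url.toString();
}

// Full sign-out: revoke the refresh token first (it can mint new access tokens),
// then the access token, clear local copies, and report any token whose
// revocation failed so the app does not silently leave live credentials behind.
async function signOutFully(storage, fetchImpl = fetch) {
  const failed = [];
  for (const name of ['refresh_token', 'access_token']) {
    const value = storage.get(name);
    if (value && !(await revokeToken(value, name, fetchImpl))) failed.push(name);
  }
  const logoutUrl = buildEndSessionUrl(storage.get('id_token') || '');
  for (const k of ['refresh_token', 'access_token', 'id_token']) storage.delete(k);
  return { failed, logoutUrl };
}
```

`storage` is any object with `get`/`delete` (a `Map` in tests, `localStorage` wrapped the same way in a browser); after `signOutFully` resolves, redirect the browser to `logoutUrl` and surface anything in `failed`.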