Open ThisIsMissEm opened 2 months ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Still relevant. @RomainLanz can we keep open this and the other ticket? https://github.com/poppinss/oauth-client/issues/4
One of the available endpoints on an OAuth 2, or OIDC, server is the ability to end the users' session and revoke the users' current access token. This is described in RFC7009. You can discover support for this via the `revocation_endpoint` related properties found via #4 in OAuth.

In OIDC, the property is `end_session_endpoint`, defined here: OpenID Connect RP-Initiated Logout 1.0; there's additionally a back-channel logout method, which is defined in OpenID Connect Back-Channel Logout 1.0. The difference between the two is that in RP-Initiated Logout, there's a redirect flow, much like the flow used during the authorization code grant flow; in Back-Channel Logout, the logout is performed via an API request with a "logout token".

In this package, that'd mean implementing in the OAuth2Client a `getLogoutUrl` that is similar to `getRedirectUrl`, where you'll also have a `redirect_uri` parameter to return the user back to your application (RP) once logged out.
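As an added example (not code from poppinss/oauth-client), here is the `getLogoutUrl` counterpart to `getRedirectUrl` sketched above, together with the RFC 7009 revocation request, both driven by the discovery metadata from #4. It uses the spec's parameter name `post_logout_redirect_uri` for the return URL; the discovery document, issuer URLs and token values are constructed.

```typescript
// Added example (not poppinss/oauth-client code): build the RP-Initiated Logout
// URL and the RFC 7009 revocation request from OIDC discovery metadata.
interface DiscoveryDocument {
  issuer: string;
  end_session_endpoint?: string; // OpenID Connect RP-Initiated Logout 1.0
  revocation_endpoint?: string;  // RFC 7009
}

// Constructed sample discovery document for a hypothetical provider.
const sampleDiscovery: DiscoveryDocument = {
  issuer: "https://op.example.test",
  end_session_endpoint: "https://op.example.test/oidc/logout",
  revocation_endpoint: "https://op.example.test/oauth2/revoke",
};

// Counterpart to getRedirectUrl(): where to send the browser so the OP ends the
// session and then redirects back to postLogoutRedirectUri, which must be
// pre-registered with the OP like redirect_uri in the code flow. `state` is an
// unguessable value the caller generated and stored in the local session.
function getLogoutUrl(
  discovery: DiscoveryDocument, idToken: string,
  postLogoutRedirectUri: string, state: string,
): string {
  if (!discovery.end_session_endpoint) {
    throw new Error(`${discovery.issuer} advertises no end_session_endpoint`);
  }
  const url = new URL(discovery.end_session_endpoint);
  url.searchParams.set("id_token_hint", idToken); // tells the OP which session to end
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  url.searchParams.set("state", state); // echoed back on the return redirect
  return url.toString();
}

// On the return redirect: accept only if the echoed state matches the stored one.
function verifyLogoutState(returnUrl: string, expectedState: string): boolean {
  const received = new URL(returnUrl).searchParams.get("state");
  return received !== null && received === expectedState;
}

// RFC 7009: form-encoded POST to revocation_endpoint, sent with client credentials.
function getRevocationRequest(
  discovery: DiscoveryDocument, token: string,
  tokenTypeHint: "access_token" | "refresh_token",
): { url: string; body: URLSearchParams } {
  if (!discovery.revocation_endpoint) {
    throw new Error(`${discovery.issuer} advertises no revocation_endpoint`);
  }
  const body = new URLSearchParams({ token, token_type_hint: tokenTypeHint });
  return { url: discovery.revocation_endpoint, body };
}
```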