solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy
https://docs.solo.io/
Apache License 2.0

Expand OAuth/OIDC docs to describe how token revocation in IdP is handled by Gloo Edge #5654

Open jameshbarton opened 2 years ago

jameshbarton commented 2 years ago

Describe the requested changes

Expand our OAuth/OIDC docs to describe how token revocation in identity provider is handled by Gloo Edge. Answer questions like:

Link to any relevant existing docs

  1. Top-level OAuth doc
  2. Relevant API extauth ref doc, especially here and here

Additional context

Internal customer discussion: https://solo-io.slack.com/archives/C02KABQFD0A/p1638370366077000

sebastian-popa commented 2 years ago

...actually maybe an even more concrete question: when the /logout endpoint is configured in Gloo, does that implementation also call the revocation_endpoint (and/or the end_session... one) from the IdP as well? Or should there be a page somewhere behind the /logout which calls the revocation_endpoint (and end_session...) itself?

In our case, we use ForgeRock as our IdP. The "well known" endpoints for it include: `"end_session_endpoint": "https://.....forgeblocks.com:443/am/oauth2/realm1/connect/endSession", "revocation_endpoint": "https://.....forgeblocks.com:443/am/oauth2/realm1/token/revoke"`

Does Gloo hit these endpoints, or we need to?

Thanks!

jameshbarton commented 2 years ago

> Does Gloo hit these endpoints, or we need to?

Hey @sebastian-popa, the /logout endpoint should take care of session cleanup without you providing any extra application-level code.
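To make concrete what the question above is asking, here is an added example (not Gloo's code and not the commenter's) that builds the two calls an application would have to issue itself if the gateway did not: an RFC 7009 token revocation request and an OIDC RP-Initiated Logout redirect, both read from a constructed discovery document that uses the standard metadata key names (note `revocation_endpoint` with the underscore). The issuer URL, tokens and redirect URI are made-up sample values.

```python
import json
from urllib.parse import urlencode

# Constructed sample of an OIDC discovery document (not a real IdP's). The key
# names are the standard ones from OIDC Discovery / RFC 8414.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.test/am/oauth2/realm1",
  "end_session_endpoint": "https://idp.example.test/am/oauth2/realm1/connect/endSession",
  "revocation_endpoint": "https://idp.example.test/am/oauth2/realm1/token/revoke"
}""")


def logout_endpoints(discovery):
    """Report which logout-related endpoints the IdP advertises.

    A missing key is returned as None, so a caller can distinguish "the IdP
    does not support this" from a mistyped key such as 'revocationendpoint'.
    """
    return {
        "end_session_endpoint": discovery.get("end_session_endpoint"),
        "revocation_endpoint": discovery.get("revocation_endpoint"),
    }


def revocation_request(discovery, token, hint="refresh_token"):
    """Build an RFC 7009 revocation request as (POST URL, form body).

    Revoking the refresh token is the call that matters: afterwards the IdP
    can no longer mint new access tokens for that session. Client credentials
    go in an HTTP Basic header, not in the body, so they are not built here.
    """
    url = discovery["revocation_endpoint"]
    body = {"token": token, "token_type_hint": hint}
    return url, body


def rp_initiated_logout_url(discovery, id_token, post_logout_redirect, state):
    """Build the OIDC RP-Initiated Logout redirect that ends the IdP session.

    Clearing only the gateway-side session leaves the IdP's SSO session alive,
    so the user would be silently logged back in on the next redirect.
    """
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect,
        "state": state,
    }
    return discovery["end_session_endpoint"] + "?" + urlencode(params)
```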

github-actions[bot] commented 1 month ago

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.