IBM Security Verify


Revoke OAuth token when logging out

  • 1.  Revoke OAuth token when logging out

    Posted Thu January 02, 2020 04:04 PM
    We are attempting to revoke the OAuth token that is generated when logging into the website when a user logs out.  Using this blog (https://www.ibm.com/support/pages/changes-default-webseal-configuration-oauth-authentication) we set the single-signout-uri in the reverse proxy configuration.  However, I am seeing the following message in the AAC trace logs:  User did not authenticate with OAuth, skip OAuth logout.

    The user is logged out of the website, however the token is still valid to call an API.  How should we be doing this?

    ------------------------------
    Angela Klein
    ------------------------------


  • 2.  RE: Revoke OAuth token when logging out

    Posted Tue January 14, 2020 01:13 PM
    Angela

    The logout endpoint is only for logging a user out when the WebSEAL oauth-auth mechanism has been used to authenticate them. Is this how you've been authenticated to WebSEAL?

    ------------------------------
    Gianluca Gargaro
    IBM
    Roma
    ------------------------------



  • 3.  RE: Revoke OAuth token when logging out

    Posted Tue January 14, 2020 01:18 PM
    Would you clarify what you mean?  We are using OIDC and requesting a token during the login process through the AAC module.  If this way won't work for the logout and invalidating the token, is there another endpoint we should be calling on logout to revoke the token?

    ------------------------------
    Angela Klein
    ------------------------------



  • 4.  RE: Revoke OAuth token when logging out

    Posted Wed January 15, 2020 11:29 AM
    A good clarification for OAuth authentication and session handling and logout with OAuth token is here:

    https://philipnye.com/2014/07/29/isam-for-web-and-mobile-oauth-authentication-and-sessions


    In relation to how to programmatically revoke an oauth access or refresh token you can use the /sps/oauth/oauth20/revoke endpoint

    https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/config/concept/oauth_revocation.html

    ------------------------------
    Gianluca Gargaro
    IBM
    Roma
    ------------------------------



  • 5.  RE: Revoke OAuth token when logging out

    Posted Thu January 16, 2020 04:34 PM
    The philipnye article is the one that I followed to initially attempt to set this up.

    When we call the /revoke endpoint passing in the client id, client secret, and token, it gives us a 200 response code, but then I can still call an API with the token and get information back, so it believes the token is still valid.  I have tracing enabled but I'm not seeing anything in the logs with an error.

    ------------------------------
    Angela Klein
    ------------------------------
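A point worth checking against the symptom in the post above: RFC 7009 requires the revocation endpoint to answer 200 both when the token was revoked and when the server did not recognise (or declined to act on) the submitted token, so the 200 on its own proves nothing. The script below, an added example that is not from this thread, from IBM or from the ISAM product code, sends the revocation the way RFC 7009 describes (form-encoded body, HTTP Basic client authentication) and then confirms the outcome by introspecting the token. It assumes the AAC runtime is reachable under the base URL you pass in, that an RFC 7662 introspection endpoint exists at `/sps/oauth/oauth20/introspect` (an assumption; the thread only names `/sps/oauth/oauth20/revoke`), and it ships with a constructed `FakeAuthServer` so it can be run offline; that fake can also reproduce the "200 but still valid" behaviour.

```python
"""Revoke an OAuth token and verify the revocation actually took effect.

Added example, not from the forum thread. Assumptions are marked below."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

REVOKE_PATH = "/sps/oauth/oauth20/revoke"          # endpoint named in the thread
INTROSPECT_PATH = "/sps/oauth/oauth20/introspect"  # assumption: RFC 7662 endpoint


def _client_auth_header(client_id, client_secret):
    """HTTP Basic client authentication (RFC 6749 section 2.3.1)."""
    raw = f"{urllib.parse.quote(client_id)}:{urllib.parse.quote(client_secret)}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def build_form_request(url, client_id, client_secret, fields):
    """POST an application/x-www-form-urlencoded body with client credentials."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", _client_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def http_send(req):
    """Default transport: a real HTTPS call. Returns (status, body_text)."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def revoke_and_verify(base_url, client_id, client_secret, token, send=http_send):
    """Revoke `token`, then confirm via introspection that it is inactive.

    RFC 7009 makes the server answer 200 even for an unknown or ignored
    token, so only the introspection result (or a call to the protected
    API that now fails) tells you the revocation worked."""
    revoke_req = build_form_request(base_url + REVOKE_PATH, client_id, client_secret,
                                    {"token": token, "token_type_hint": "access_token"})
    revoke_status, _ = send(revoke_req)

    intro_req = build_form_request(base_url + INTROSPECT_PATH, client_id, client_secret,
                                   {"token": token})
    intro_status, intro_body = send(intro_req)
    active = intro_status == 200 and json.loads(intro_body or "{}").get("active") is True

    return {"revoke_status": revoke_status,
            "still_active": active,
            "revoked": revoke_status == 200 and not active}


class FakeAuthServer:
    """Constructed stand-in for the authorization server, for offline runs.

    honours_revoke=False models the symptom from the thread: /revoke
    answers 200 but the token keeps working afterwards."""

    def __init__(self, valid_tokens, honours_revoke=True):
        self.valid_tokens = set(valid_tokens)
        self.honours_revoke = honours_revoke

    def __call__(self, req):
        fields = urllib.parse.parse_qs(req.data.decode())
        token = fields.get("token", [""])[0]
        if req.full_url.endswith(REVOKE_PATH):
            if self.honours_revoke:
                self.valid_tokens.discard(token)
            return 200, ""  # RFC 7009: 200 regardless of the token's fate
        if req.full_url.endswith(INTROSPECT_PATH):
            return 200, json.dumps({"active": token in self.valid_tokens})
        return 404, ""


if __name__ == "__main__":
    # Offline demonstration against the constructed fake; swap `send` for
    # http_send and a real base URL to test an actual deployment.
    for honours in (True, False):
        fake = FakeAuthServer(["tok-123"], honours_revoke=honours)
        print(honours, revoke_and_verify("https://idp.example/mga", "client-id",
                                          "client-secret", "tok-123", send=fake))
```

Against a real deployment, drop the `send=` argument so `http_send` is used, and pass the client id and secret that the revoke endpoint is configured to accept. If there is no introspection endpoint available, replace the second step with a call to the protected API and treat anything other than a 401 as "still active".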



  • 6.  RE: Revoke OAuth token when logging out

    Posted Fri January 17, 2020 12:23 PM
    Angela

    Have you verified, if you are using a non-confidential client, that
    only_allow_conf_client_revoke = false
    in the pre-mapping rule?

    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/config/concept/oauth_revocation.html

    ------------------------------
    Gianluca Gargaro
    IBM
    Roma
    ------------------------------



  • 7.  RE: Revoke OAuth token when logging out

    Posted Mon January 20, 2020 12:11 PM
    Yes, I have.  That is what I have it set to.

    ------------------------------
    Angela Klein
    ------------------------------