IAM


Revoke OAuth token when logging out

  • 1.  Revoke OAuth token when logging out

    Posted 15 days ago
    We are attempting to revoke the OAuth token that is generated when logging into the website when a user logs out.  Using this blog (https://www.ibm.com/support/pages/changes-default-webseal-configuration-oauth-authentication) we set the single-signout-uri in the reverse proxy configuration.  However, I am seeing the following message in the AAC trace logs:  User did not authenticate with OAuth, skip OAuth logout.

    The user is logged out of the website, however the token is still valid to call an API.  How should we be doing this?

    ------------------------------
    Angela Klein
    ------------------------------


  • 2.  RE: Revoke OAuth token when logging out

    Posted 3 days ago
    Angela

    The logout endpoint is only for logging a user out when the WebSEAL oauth-auth mechanism has been used to authenticate them. Is this how you've been authenticated to WebSEAL?

    ------------------------------
    Gianluca Gargaro
    IBM
    Roma
    ------------------------------



  • 3.  RE: Revoke OAuth token when logging out

    Posted 3 days ago
    Would you clarify what you mean?  We are using OIDC and requesting a token during the login process through the AAC module.  If this way won't work for the logout and invalidating the token, is there another endpoint we should be calling on logout to revoke the token?

    ------------------------------
    Angela Klein
    ------------------------------



  • 4.  RE: Revoke OAuth token when logging out

    Posted 2 days ago
    A good clarification of OAuth authentication, session handling and logout with an OAuth token is here:

    https://philipnye.com/2014/07/29/isam-for-web-and-mobile-oauth-authentication-and-sessions


    In relation to how to programmatically revoke an OAuth access or refresh token, you can use the /sps/oauth/oauth20/revoke endpoint:

    https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/config/concept/oauth_revocation.html

    ------------------------------
    Gianluca Gargaro
    IBM
    Roma
    ------------------------------



  • 5.  RE: Revoke OAuth token when logging out

    Posted 2 days ago
    The philipnye article is the one that I followed to initially attempt to set this up.

    When we call the /revoke endpoint passing in the client id, client secret, and token, it gives us a 200 response code, but then I can still call an API with the token and get information back, so it believes the token is still valid.  I have tracing enabled but I'm not seeing anything in the logs with an error.

    ------------------------------
    Angela Klein
    ------------------------------



  • 6.  RE: Revoke OAuth token when logging out

    Posted 19 hours ago
    Angela

    Have you verified, if you are using a non-confidential client, that
    only_allow_conf_client_revoke = false
    in the pre-mapping rule?

    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/config/concept/oauth_revocation.html

    ------------------------------
    Gianluca Gargaro
    IBM
    Roma
    ------------------------------
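The exchange in replies 4 to 6 comes down to three things: how the revocation request to /sps/oauth/oauth20/revoke is built (RFC 7009, with HTTP Basic client authentication for a confidential client and only a client_id for a public one), why a 200 from that endpoint is not proof that anything was revoked (RFC 7009 section 2.2 has the server answer 200 for unknown or foreign tokens too, so the right check is introspection or the API call, not the status code), and the server-side policy that can refuse revocation from public clients. The following is an added example, not code from the thread or from IBM: the client-side request builder is real RFC 7009 form encoding, while the authorization server is a constructed in-memory simulation so the example runs offline. The introspection path and the `confidential_only` flag are assumptions that model the behaviour the thread's `only_allow_conf_client_revoke` setting controls; how a real deployment reports a refused revocation may differ.

```python
"""Added example (not from the thread or IBM): RFC 7009 revocation request plus a
post-revocation check against a constructed, in-memory authorization server."""
import base64
from urllib.parse import parse_qs, urlencode

# Path named in the thread; the host is a placeholder, not a real deployment.
REVOKE_URL = "https://isam.example.invalid/sps/oauth/oauth20/revoke"


def build_revoke_request(token, client_id, client_secret=None,
                         token_type_hint="access_token"):
    """Return (headers, body) for an RFC 7009 revocation POST.

    Confidential clients authenticate with HTTP Basic (RFC 6749 s2.3.1);
    public clients only identify themselves with client_id in the body.
    """
    fields = {"token": token, "token_type_hint": token_type_hint}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    else:
        fields["client_id"] = client_id
    return headers, urlencode(fields)


class SimulatedAuthServer:
    """Constructed stand-in for the authorization server (assumption, not ISAM code).

    clients: client_id -> secret for confidential clients, None for public ones.
    confidential_only models a policy that refuses revocation from public clients.
    """

    def __init__(self, clients, confidential_only=False):
        self.clients = clients
        self.confidential_only = confidential_only
        self.tokens = {}  # token -> client_id it was issued to

    def issue(self, client_id):
        tok = f"tok-{len(self.tokens) + 1}"
        self.tokens[tok] = client_id
        return tok

    def _authenticate(self, headers, fields):
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
            return cid if self.clients.get(cid) == secret else None
        cid = fields.get("client_id", [None])[0]
        return cid if cid in self.clients and self.clients[cid] is None else None

    def revoke(self, headers, body):
        """Return an HTTP status code for a revocation request."""
        fields = parse_qs(body)
        cid = self._authenticate(headers, fields)
        if cid is None:
            return 401  # invalid_client: bad secret or unknown client
        if self.confidential_only and self.clients[cid] is None:
            return 401  # policy refuses revocation from public clients (modelled)
        tok = fields.get("token", [None])[0]
        # RFC 7009 s2.2: 200 whether the token was revoked or was unknown to this
        # client. A token issued to a different client is treated as unknown here,
        # so the caller gets 200 and the token stays valid.
        if self.tokens.get(tok) == cid:
            del self.tokens[tok]
        return 200

    def introspect(self, token):
        """RFC 7662-style answer: is the token still active?"""
        return {"active": token in self.tokens}


def revoke_and_verify(server, token, client_id, client_secret=None):
    """Revoke, then confirm via introspection. Returns (status, still_active)."""
    headers, body = build_revoke_request(token, client_id, client_secret)
    status = server.revoke(headers, body)
    return status, server.introspect(token)["active"]


if __name__ == "__main__":
    srv = SimulatedAuthServer({"web-app": "s3cret", "spa": None})
    t = srv.issue("web-app")
    print("own confidential client:", revoke_and_verify(srv, t, "web-app", "s3cret"))
    t = srv.issue("web-app")
    print("foreign public client  :", revoke_and_verify(srv, t, "spa"))
    srv2 = SimulatedAuthServer({"spa": None}, confidential_only=True)
    t = srv2.issue("spa")
    print("public client refused  :", revoke_and_verify(srv2, t, "spa"))
```

The second case is the one from reply 5: the endpoint answers 200, yet the token still passes introspection, because revocation only applies to a token the authenticating client actually owns. Treat the status code as "request accepted" and verify revocation with an introspection call or a protected API request, and when a public client is involved, check the policy the thread names before reading anything into the 200.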