The philipnye article is the one that I followed to initially attempt to set this up.
When we call the /revoke endpoint passing in the client id, client secret, and token, it gives us a 200 response code, but then I can still call an API with the token and get information back, so it believes the token is still valid. I have tracing enabled but I'm not seeing anything in the logs with an error.
------------------------------
Angela Klein
------------------------------
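As an added check (not code from this thread or from ISAM), the Python below builds the RFC 7009 revocation request against the /sps/oauth/oauth20/revoke endpoint named below and then confirms revocation through introspection, because a 200 from /revoke by itself does not prove the token was invalidated; the host name, the introspection path and the injected HTTP transport are assumptions.

```python
import base64
from urllib.parse import urlencode

# Placeholder host (assumption): in a real deployment the ISAM AAC runtime sits
# behind a WebSEAL junction (commonly /mga), so prefix the paths accordingly.
BASE = "https://isam.example.com"
REVOKE_PATH = "/sps/oauth/oauth20/revoke"          # RFC 7009, named in the thread
INTROSPECT_PATH = "/sps/oauth/oauth20/introspect"  # RFC 7662 (assumed present)

def build_request(path, client_id, client_secret, token, hint="access_token"):
    """Form-encoded request with the client authenticated via HTTP Basic."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"token": token, "token_type_hint": hint})
    return BASE + path, headers, body

def revoke_and_verify(post, client_id, client_secret, token):
    """post(url, headers, body) -> (http_status, parsed_json_or_None).

    RFC 7009 requires the revocation endpoint to answer 200 whether the token
    was revoked or was never valid for this client, so the status alone proves
    nothing. Introspection afterwards must report active == False.
    """
    status, _ = post(*build_request(REVOKE_PATH, client_id, client_secret, token))
    if status != 200:
        return False
    status, info = post(*build_request(INTROSPECT_PATH, client_id, client_secret, token))
    return status == 200 and isinstance(info, dict) and info.get("active") is False

def _example():
    # Constructed fake server: the revoke call is accepted (200) but the token
    # stays active, which is exactly the symptom described in the thread.
    def broken_post(url, headers, body):
        if url.endswith(REVOKE_PATH):
            return 200, None
        return 200, {"active": True, "client_id": "webapp"}
    return revoke_and_verify(broken_post, "webapp", "s3cret", "abc123")

if __name__ == "__main__":
    print("revocation confirmed:", _example())
```

Swap the injected `post` for a real HTTPS call to compare the revoke response with the introspection result on the server under test.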
Original Message:
Sent: Wed January 15, 2020 11:28 AM
From: Gianluca Gargaro
Subject: Revoke OAuth token when logging out
A good clarification for oauth authentication and session handling and logout with oauth token is here:
https://philipnye.com/2014/07/29/isam-for-web-and-mobile-oauth-authentication-and-sessions
In relation to how to programmatically revoke an oauth access or refresh token, you can use the /sps/oauth/oauth20/revoke endpoint
https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/config/concept/oauth_revocation.html
------------------------------
Gianluca Gargaro
IBM
Roma
Original Message:
Sent: Tue January 14, 2020 01:18 PM
From: Angela Klein
Subject: Revoke OAuth token when logging out
Would you clarify what you mean? We are using OIDC and requesting a token during the login process through the AAC module. If this way won't work for the logout and invalidating the token, is there another endpoint we should be calling on logout to revoke the token?
------------------------------
Angela Klein
Original Message:
Sent: Tue January 14, 2020 01:13 PM
From: Gianluca Gargaro
Subject: Revoke OAuth token when logging out
Angela
The logout endpoint is only for logging a user out when the webseal oauth-auth mechanism has been used to authenticate them. Is this how you've been authenticated to WebSeal?
------------------------------
Gianluca Gargaro
IBM
Roma
Original Message:
Sent: Thu January 02, 2020 03:27 PM
From: Angela Klein
Subject: Revoke OAuth token when logging out
We are attempting to revoke the OAuth token that is generated when logging into the website when a user logs out. Using this blog (https://www.ibm.com/support/pages/changes-default-webseal-configuration-oauth-authentication) we set the single-signout-uri in the reverse proxy configuration. However, I am seeing the following message in the AAC trace logs: User did not authenticate with OAuth, skip OAuth logout.
The user is logged out of the website, however the token is still valid to call an API. How should we be doing this?
------------------------------
Angela Klein
------------------------------