 

What is the proper logout flow with an OAuth 2.0 Login

Let's assume there is an Identity Server which serves the purpose of logging in and out. Then you have an android application which uses OAuth 2.0 to log in and out via the IS4. Now when you log in, you will click the login button on the android app, be redirected via your web browser to the identity server where you log in and then you get redirected back to the app. Let's also assume all of this works and you get an access token at the end of the whole procedure.

The problem that I am having is what the behavior should be to log you out. Now I understand on the android app you can simply clean up the access token and the refresh token and the user no longer has access anywhere in the app. However, on your browser, you are still logged in. So this is the part where I am lost.

To fully be logged out, I now have to redirect the user to the web browser to log out there as well, so that is now at least 2 logout clicks to actually log out. If I'm going with the proper design I should also have a confirmation window to mitigate certain attacks, which now makes it 3 clicks to log out. And then after all of that, where are you supposed to go? This is the part that troubles me. Should I leave you in the web browser or should I push you back to the app login screen?

Just to clarify my question, as there are actually two:

  1. Should I redirect the user to the website to be logged out as well, or should I only log the user out of the app?
  2. If I log out the user on the website as well, should I leave the user sitting with the browser open or should I leave the user sitting with the application open? Basically, what is the final destination?
Bagzli Avatar asked Oct 16 '25 03:10



1 Answer

Your identity provider knows the session and stores the tokens in its database. To really log out in the sense of single sign-off you need to log out at the identity provider.

OpenID Connect provides endpoints to make logout requests. See section 5 of the specification. https://openid.net/specs/openid-connect-session-1_0.html

GeofoxCoding Avatar answered Oct 19 '25 10:10

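The provider-side logout the answer points at is OpenID Connect RP-Initiated Logout. As an added example (not code from the question, the answer, or IdentityServer), the following Python models the client side of that flow for a native app: clear every token the app holds, send the browser to the provider's `end_session_endpoint` (the standard discovery name) with `id_token_hint`, `post_logout_redirect_uri` and a fresh `state`, and then check the callback the provider sends back before treating the user as fully signed out. The `post_logout_redirect_uri` is what brings the browser back to the app after the provider session is ended. The endpoint and redirect URIs are constructed values, not real ones.

```python
"""Client-side OIDC RP-Initiated Logout for a native app (added example).

Assumptions: the provider exposes an `end_session_endpoint`; the app holds an
id_token, access_token and refresh_token; every URL below is a constructed
example value, and the redirect URI is one the app has registered with the
provider.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class TokenStore:
    """Tokens the app keeps after login."""
    id_token: Optional[str] = None
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None

    def clear(self) -> None:
        # Local logout: drop everything so no API call can still be authorised
        # with these tokens, whatever happens to the browser session afterwards.
        self.id_token = None
        self.access_token = None
        self.refresh_token = None

    def is_empty(self) -> bool:
        return (self.id_token is None and self.access_token is None
                and self.refresh_token is None)


def build_end_session_url(end_session_endpoint: str, id_token: str,
                          post_logout_redirect_uri: str, state: str) -> str:
    """URL the app opens in the browser to end the provider session."""
    params = {
        "id_token_hint": id_token,                      # tells the provider which session
        "post_logout_redirect_uri": post_logout_redirect_uri,  # where to send the user after
        "state": state,                                 # echoed back so the app can match the callback
    }
    return f"{end_session_endpoint}?{urlencode(params)}"


def logout(store: TokenStore, end_session_endpoint: str,
           post_logout_redirect_uri: str) -> Tuple[str, str]:
    """Full logout: build the provider logout URL, then wipe local tokens.

    Returns (url_to_open_in_browser, state_to_remember).
    """
    state = secrets.token_urlsafe(16)
    url = build_end_session_url(end_session_endpoint, store.id_token or "",
                                post_logout_redirect_uri, state)
    store.clear()  # clear only after the id_token has been used for the hint
    return url, state


def verify_logout_callback(callback_url: str, expected_state: str,
                           registered_redirect_uri: str) -> bool:
    """Accept the provider's redirect only if it lands on the registered URI
    and carries the state issued at logout time."""
    got = urlparse(callback_url)
    want = urlparse(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return False
    states = parse_qs(got.query).get("state", [])
    return len(states) == 1 and hmac.compare_digest(states[0], expected_state)


if __name__ == "__main__":
    # Constructed sample session; values are placeholders.
    store = TokenStore(id_token="example.id.token", access_token="at", refresh_token="rt")
    url, state = logout(store, "https://idp.example/connect/endsession",
                        "https://app.example/logged-out")
    print("open in browser:", url)
    print("local tokens cleared:", store.is_empty())
    print("callback ok:", verify_logout_callback(
        f"https://app.example/logged-out?state={state}", state,
        "https://app.example/logged-out"))
```

The order matters: the `id_token` is read into `id_token_hint` before the store is wiped, and the provider's callback is accepted only when both the redirect target and the `state` match, so a stray redirect cannot make the app believe the provider session was ended.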


