
List:       forgerock-openam-dev
Subject:    [OpenAM-dev] OAuth2 provider and Single Logout
From:       majorpetya () sch ! bme ! hu (Major Péter)
Date:       2013-12-05 16:31:21
Message-ID: 52A0AA59.9050203 () sch ! bme ! hu

This is not a development-related question; please send your mail to 
openam at forgerock.org ;)

On 2013-12-05 at 16:22, Christian Metzler wrote:
> Hi,
>
> I am evaluating OpenAM as an SSO solution for our project. My setup
> currently contains an IDP and OAuth2 provider on the same host.
> The reason for using OAuth2 is to support a native JavaScript client
> application as well as a desktop application which uses the
> Authorization Code Grant.
> What I also want to realize is a Single Logout (SLO) behavior.
> As OAuth2 does not support a SLO I thought about developing a Post
> Authentication Plugin and using the onLogout method to revoke all tokens
> belonging to the user who logs out - which would probably work with
> the REST endpoint of OpenAM.
> Unfortunately the documentation says that onLogout will not be called
> if the session expires. For the JavaScript client this would be no
> problem, because the lifetime of access tokens will be about 5 minutes
> and without a valid SSO session, the client won't get a new access token.
> The real problem comes with the native desktop application, which should
> use the refresh token to obtain a new access token. So in the worst case,
> the session expires, but the refresh token is still valid for some
> hours. So the user will still be able to use the desktop application.
> So my question is: Is there a way to trigger the session timeout and
> then also use a similar workflow as described in the onLogout procedure?
> Or are there any other suggestions, how to solve this?
>
>
> Kind regards and thank you,
>
> Christian
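
The gap described in the question, as an added example that is not part of either message and is not OpenAM code: a small model in which revocation runs only on explicit logout, so a refresh token outlives an idle-expired session unless the refresh step itself checks the session. All names (AuthServer, bind_to_session, the 30-minute idle timeout and 4-hour refresh lifetime) are hypothetical assumptions.

```python
# Model only: every class, method and timeout here is hypothetical, not an OpenAM API.
import secrets

class AuthServer:
    def __init__(self, session_idle=1800, refresh_ttl=4 * 3600, bind_to_session=False):
        self.session_idle = session_idle        # seconds before an idle SSO session expires
        self.refresh_ttl = refresh_ttl          # refresh token lifetime ("some hours")
        self.bind_to_session = bind_to_session  # check the session on every refresh grant
        self.sessions = {}                      # session id -> last activity time
        self.refresh_tokens = {}                # token -> (session id, expiry time)

    def login(self, now):
        sid = secrets.token_hex(8)
        self.sessions[sid] = now
        return sid

    def issue_refresh_token(self, sid, now):
        tok = secrets.token_hex(16)
        self.refresh_tokens[tok] = (sid, now + self.refresh_ttl)
        return tok

    def session_alive(self, sid, now):
        last = self.sessions.get(sid)
        return last is not None and now - last < self.session_idle

    def revoke_tokens_for(self, sid):
        self.refresh_tokens = {t: v for t, v in self.refresh_tokens.items() if v[0] != sid}

    def logout(self, sid):
        # Explicit logout: the only path on which an onLogout-style hook runs.
        self.sessions.pop(sid, None)
        self.revoke_tokens_for(sid)

    def refresh(self, tok, now):
        """Return True if a new access token would be issued for this refresh token."""
        entry = self.refresh_tokens.get(tok)
        if entry is None or now >= entry[1]:
            return False
        sid, _ = entry
        if self.bind_to_session and not self.session_alive(sid, now):
            # The session timed out silently, so revoke here instead of in a logout hook.
            self.revoke_tokens_for(sid)
            return False
        return True

def desktop_client_after_timeout(bind_to_session):
    """Desktop client refreshes one hour after login, with no activity in between."""
    srv = AuthServer(bind_to_session=bind_to_session)
    sid = srv.login(now=0)
    tok = srv.issue_refresh_token(sid, now=0)
    return srv.refresh(tok, now=3600)  # session idle-expired, token still within its TTL
```

With `bind_to_session=False` the refresh succeeds after the session has expired, which is the worst case in the question; with `bind_to_session=True` the same call is refused and the token is revoked.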
