How are sessions managed by OpenIG?

This topic has 2 replies, 2 voices, and was last updated 6 years, 5 months ago by Miguel F.

  • #8414
     Miguel F
    Participant

    Hi,

    I have some doubts about how OpenIG manages sessions (HttpSessions) used to implement the ‘context’ and how they are invalidated / disposed after a user logs out.
    I read the OpenIG 4 documentation but I was not able to find it.

    According to the documentation (here: http://openig.forgerock.org/doc/bootstrap/gateway-guide/#load-balancing), when OpenIG needs to create a context (for instance if you need to use OAuth2ClientFilters or OAuth2ResourceServerFilters), the context is held in memory in the server instance that runs OpenIG. In order to hold the context it relies on HttpSessions in the container.

    In my case, for instance, using OAuth2ClientFilters I guess it will create an HttpSession per user to hold the context (it will store the OAuth2 token for this user and client).

    My questions are:

    1. How is this connected to Logout? When a user logs out it will be desirable that OpenIG destroys the user context (invalidating the HttpSession) both for performance and security reasons.
      In many cases it will not be acceptable just to rely on the HttpSession timeout so the session is invalidated, especially when the load of users is very big.
    2. Probably we will implement ‘Logout’ calling the OpenAM REST logout endpoint. Is there a way to set OpenIG / OpenAM so that once the logout is performed in the OpenAM server this is automatically propagated to OpenIG so the session is invalidated there also?

    I would appreciate any help with this.

    Thanks so much

    #8455

    OAuth2ClientFilter supports a /openid/logout endpoint that will de-authenticate the current session locally (if you go back to IG with the same browser/session, you will be redirected again to AM, or be shown the nascar page).
    Note that it will only clear from the session things stored by this filter (it won’t destroy the whole Http Session).

    See https://backstage.forgerock.com/#!/docs/openig/4/reference#OAuth2ClientFilter
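    An added example route, not from this thread or from the OpenIG project, showing how the local logout endpoint described above can be chained to an OpenAM logout so that both sides are cleared. The configuration keys are assumed from the OpenIG 4 OAuth2ClientFilter, ClientRegistration and Issuer reference pages and should be checked against the linked documentation; the hostnames, client id, client secret and the OpenAM logout path are placeholders.

    ```json
    {
      "heap": [
        {
          "name": "openam-issuer",
          "type": "Issuer",
          "config": {
            "wellKnownEndpoint": "https://openam.example.com/openam/oauth2/.well-known/openid-configuration"
          }
        },
        {
          "name": "openam-registration",
          "type": "ClientRegistration",
          "config": {
            "clientId": "ig-client",
            "clientSecret": "REPLACE_WITH_CLIENT_SECRET",
            "issuer": "openam-issuer",
            "scopes": [ "openid", "profile" ]
          }
        },
        {
          "name": "oauth2-failure",
          "type": "StaticResponseHandler",
          "config": { "status": 403, "reason": "Forbidden", "entity": "OAuth2 login failed" }
        }
      ],
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "type": "OAuth2ClientFilter",
              "config": {
                "clientEndpoint": "/openid",
                "requireHttps": true,
                "requireLogin": true,
                "registrations": [ "openam-registration" ],
                "failureHandler": "oauth2-failure",
                "defaultLogoutGoto": "https://openam.example.com/openam/UI/Logout?goto=https%3A%2F%2Fig.example.com%2Flogged-out"
              }
            }
          ],
          "handler": "ClientHandler"
        }
      }
    }
    ```

    With this route, a browser hitting https://ig.example.com/openid/logout has the filter's own entries removed from the IG session and is then sent on to the OpenAM logout page, so the AM session is ended too; remaining container-session data is untouched, as the reply above notes, and still expires on the container's own timeout.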

    #8461
     Miguel F
    Participant

    Thanks Guillaume, that was helpful!
    I will use this client endpoint that logs out from OpenIG, passing a URL to my Logout service as the link you posted shows.

    Thanks for your help
