Revoking Access/Refresh Tokens on User Logout

This topic has 3 replies, 3 voices, and was last updated 9 months, 2 weeks ago by Andrew Potter.

  • Author
  • #27760


    I’m evaluating the OIDC integration of OpenAM. What I’m currently missing is a real single-sign-out mechanism. The frontend session management, that is supported looks fragile and is not what I would expect from a secure implementation. The OIDC backchannel logout would be more in line with the requirements, but does not seem to be supported by OpenAM.

    So I tried to come up with a custom solution. Digging through the documentation, I found the option to write my own PostAuthentication plugin (implementing AMPostAuthProcessInterface), but while doing so, I struggle to find the right sources and basis.

    What I’m missing:

    a) Access to a maven repository with the necessary libraries (I looked through backstage and the articles describing access either don’t exist or don’t work, I don’t find the necessary repositories with my credentials).

    b) Access to the CTS Store in the plugin. I observered, that I could identify the authorization grants from the SSO Token, then with the authorization grant I can identify the refresh and access tokens. I assume, that if I delete these from the CTS store, the token will fails validation and thus the access would be denied.

    c) It would be helpful to get access to the source code to see what happens and better judge where I should look to implement a solution.

    I’d appretiate some help.

    Thank you


     William Hepler

    Thank you for the idea, but my intention is to issue the logout from the OpenAM side. That means: The user might have signed in into multiple applications. These applications can hold the refresh/access tokens in the user agent and/or the backend service. The user now signs out of the authentication system and when that happens, all tokens, that are not specially marked should be revoked. The endpoint you are referring to is for an application to sign out/revoke a single token and requires the matching client credentials.

    I found, that I can access the CTSPersistentStore in the implementation of the AMPostAuthProcessInterface by using the InjectorHolder and can delete all tokens for a user (via CoreTokenField.STRING_THREE) – I could also filter over the scopes. I’m now looking into an option to tie a refresh/access token to a session.

     Andrew Potter

    Using the latest version, a logout webhook implemented in authentication trees would probably be simpler. This article describes it:

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?