March 30, 2020 at 12:00 pm #27760 matthiasblaesing Participant
I’m evaluating the OIDC integration of OpenAM. What I’m currently missing is a real single-sign-out mechanism. The frontend session management that is supported looks fragile and is not what I would expect from a secure implementation. The OIDC backchannel logout would be more in line with the requirements, but does not seem to be supported by OpenAM.
So I tried to come up with a custom solution. Digging through the documentation, I found the option to write my own PostAuthentication plugin (implementing AMPostAuthProcessInterface), but while doing so, I struggle to find the right sources and basis.
What I’m missing:
a) Access to a maven repository with the necessary libraries (I looked through backstage, and the articles describing access either don’t exist or don’t work; I don’t find the necessary repositories with my credentials).
b) Access to the CTS Store in the plugin. I observed that I could identify the authorization grants from the SSO Token, then with the authorization grant I can identify the refresh and access tokens. I assume that if I delete these from the CTS store, the token will fail validation and thus the access would be denied.
c) It would be helpful to get access to the source code to see what happens and better judge where I should look to implement a solution.
I’d appreciate some help.
Matthias

March 30, 2020 at 6:30 pm #27765 William Hepler Participant
Have you looked at just calling the revoke endpoint?
https://backstage.forgerock.com/docs/am/6.5/oauth2-guide/#varlist-oauth2-token-revoke-endpoint

March 31, 2020 at 8:23 am #27766 matthiasblaesing Participant
Thank you for the idea, but my intention is to issue the logout from the OpenAM side. That means: the user might have signed in to multiple applications. These applications can hold the refresh/access tokens in the user agent and/or the backend service. The user now signs out of the authentication system, and when that happens, all tokens that are not specially marked should be revoked. The endpoint you are referring to is for an application to sign out/revoke a single token and requires the matching client credentials.
I found that I can access the CTSPersistentStore in the implementation of the AMPostAuthProcessInterface by using the InjectorHolder and can delete all tokens for a user (via CoreTokenField.STRING_THREE) – I could also filter over the scopes. I’m now looking into an option to tie a refresh/access token to a session.

April 14, 2020 at 10:40 am #27816 Andrew Potter Participant
Using the latest version, a logout webhook implemented in authentication trees would probably be simpler. This article describes it: https://developer.forgerock.com/docs/platform/how-tos/handling-authentication-session-life-cycle-notification-forgerock-access
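The CTS approach matthiasblaesing outlines in his second reply (CTSPersistentStore obtained through InjectorHolder, tokens selected by CoreTokenField.STRING_THREE), as an added Java example that is not code from this thread or from ForgeRock: an AMPostAuthProcessInterface plugin whose onLogout hook deletes the signing-out user's OAuth2 tokens from the CTS so that they fail validation afterwards. The filter/query names (TokenFilterBuilder, TokenType.OAUTH, CTSPersistentStore.query/delete), the "UserId" SSO token property and the AuthenticationException(String) constructor are assumptions to check against the AM version in use.

```java
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.openam.cts.CTSPersistentStore;
import org.forgerock.openam.cts.api.fields.CoreTokenField;
import org.forgerock.openam.cts.api.filter.TokenFilter;
import org.forgerock.openam.cts.api.filter.TokenFilterBuilder;
import org.forgerock.openam.cts.api.tokens.Token;
import org.forgerock.openam.cts.exceptions.CoreTokenException;
import org.forgerock.openam.tokens.TokenType;

// Post-authentication plugin: on logout, revoke the user's OAuth2 tokens held in the CTS.
public class SingleSignOutPostAuth implements AMPostAuthProcessInterface {

    @Override
    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response, SSOToken ssoToken) {
        // Nothing to do at login time.
    }

    @Override
    public void onLoginFailure(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response) {
        // Nothing to do on a failed login.
    }

    @Override
    public void onLogout(HttpServletRequest request, HttpServletResponse response,
                         SSOToken ssoToken) throws AuthenticationException {
        try {
            // Assumption: "UserId" carries the same identifier the OAuth2 tokens store in STRING_THREE.
            String user = ssoToken.getProperty("UserId");
            CTSPersistentStore cts = InjectorHolder.getInstance(CTSPersistentStore.class);
            // Assumed CTS filter API: every OAuth2 token whose username field matches this user.
            TokenFilter filter = new TokenFilterBuilder().and()
                    .withAttribute(CoreTokenField.TOKEN_TYPE, TokenType.OAUTH)
                    .withAttribute(CoreTokenField.STRING_THREE, user)
                    .build();
            for (Token token : cts.query(filter)) {
                cts.delete(token); // once gone from the CTS, introspection/validation of the token fails
            }
        } catch (SSOException | CoreTokenException e) {
            throw new AuthenticationException(e.getMessage());
        }
    }
}
```

Register the class as a post-authentication processing class for the realm or chain; compared with the revoke endpoint, which needs the client's credentials for each token, this removes all of the user's tokens server-side in one logout.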