Hi,

The OIDC spec only specifies how to deal with the authenticated session of the user (although the access token is a part of the response). So in the OIDC logout, we simply deal with terminating the authenticated session of the user.

Revoking the token obtained along with OIDC login goes beyond the spec. Even in our current implementation, this is not something straightforward since we do not maintain a correlation between the id_token and the issued access token. However, we have an extension point introduced with [1] that can be used for a similar requirement during the OIDC logout flow. Something to note is that even with this extension, the correlation between id_token and access token needs to be handled by the extension developer.

[1] https://github.com/wso2/product-is/issues/3227

Thanks,
Farasath

On Thu, Nov 1, 2018 at 1:58 PM gayan gunawardana <[email protected]> wrote:
> Hi Devs,
>
> I followed the exact instructions in IS 5.7.0 and got logout working. However,
> the issued access token is valid even after logout (I have checked with token
> introspection). Is that the correct behavior, or is there any justification?
>
> [1] https://docs.wso2.com/display/IS570/Session+Management+with+Playground
>
> Thanks,
> Gayan
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

--
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
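The thread's point is that an OIDC logout ends the session but cannot revoke the access token because the server keeps no link between the id_token and the tokens issued in that session. The toy authorization server below is an added example, not WSO2 code and not the extension point referenced in the thread; it records the session id (`sid`, the claim used by OIDC front/back-channel logout) on every access token it issues, so a logout can revoke exactly the tokens bound to that session and introspection (RFC 7662 response shape) then reports them inactive. All class and method names are hypothetical.

```python
"""Added example (not WSO2 code): a toy authorization server that keeps the
id_token <-> access token correlation the thread says is missing, so an OIDC
logout can revoke the tokens of that session. Names are hypothetical."""
import secrets
import time

class ToyAuthServer:
    def __init__(self):
        self.sessions = {}        # sid -> {"sub": ..., "active": bool}
        self.access_tokens = {}   # token -> {"sub", "sid", "exp", "revoked"}

    def login(self, sub, ttl=3600):
        """OIDC login: open a session, return id_token claims and an access token.
        The token record stores the sid it was issued under (the correlation)."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"sub": sub, "active": True}
        access_token = self.issue_access_token(sub, sid, ttl)
        id_token = {"sub": sub, "sid": sid, "iat": int(time.time())}
        return id_token, access_token

    def issue_access_token(self, sub, sid, ttl=3600):
        token = secrets.token_urlsafe(24)
        self.access_tokens[token] = {"sub": sub, "sid": sid,
                                     "exp": int(time.time()) + ttl, "revoked": False}
        return token

    def introspect(self, token):
        """RFC 7662-style answer: inactive if unknown, revoked or expired."""
        rec = self.access_tokens.get(token)
        if rec is None or rec["revoked"] or rec["exp"] <= time.time():
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "exp": rec["exp"]}

    def logout_session_only(self, id_token):
        """The behaviour reported in the thread: session ends, tokens stay valid."""
        self.sessions[id_token["sid"]]["active"] = False

    def logout_and_revoke(self, id_token):
        """Logout plus the correlation step: revoke every token bound to the sid."""
        sid = id_token["sid"]
        self.sessions[sid]["active"] = False
        revoked = 0
        for rec in self.access_tokens.values():
            if rec["sid"] == sid and not rec["revoked"]:
                rec["revoked"] = True
                revoked += 1
        return revoked
```

Tokens issued under another user's session are untouched by `logout_and_revoke`, which is the property a real implementation of the extension point would need to preserve.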
