Hi Fara,

On Mon, Nov 5, 2018 at 12:24 PM Farasath Ahamed <[email protected]> wrote:

> Hi,
>
> The OIDC spec only specifies how to deal with the authenticated session of
> the user (although the access token is a part of the response). So in the OIDC
> logout, we simply deal with terminating the authenticated session of the
> user.
>
> Revoking the token obtained along with OIDC login goes beyond the spec.
> Even in our current implementation, this is not something straightforward
> since we do not maintain a correlation between the id_token and the issued
> access token.
>

Agreed. The access token is a self-contained entity; probably nothing has to be done with the end-user session.

> However, we have an extension point introduced with [1] that can be used
> for a similar requirement during the OIDC logout flow. Something to note is
> that even with this extension the correlation between id_token and access
> token needs to be handled by the extension developer.
>

It's a good idea to have an extension point. Thanks Fara for the help.

> [1] https://github.com/wso2/product-is/issues/3227
>
> Thanks,
> Farasath
>
> On Thu, Nov 1, 2018 at 1:58 PM gayan gunawardana <[email protected]> wrote:
>
>> Hi Devs,
>>
>> I followed the exact instructions in IS 5.7.0 and got logout working. However,
>> the issued access token is valid even after logout (I have checked with token
>> introspection). Is that the correct behavior, or is there any justification?
>>
>> [1] https://docs.wso2.com/display/IS570/Session+Management+with+Playground
>>
>> Thanks,
>> Gayan
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Farasath Ahamed
> Senior Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>

--
Gayan
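The behaviour discussed in this thread, as an added illustration that is not part of the thread or of WSO2 IS: a minimal in-memory model of an authorization server in which OIDC logout only terminates the session, so the access token stays active under introspection unless a logout hook (standing in for the extension point) has recorded the id_token to access token correlation and revokes it. All class, method and hook names here are hypothetical.

```python
# Constructed model, not WSO2 IS code: shows why session logout alone leaves
# the access token active, and how a logout hook with a recorded correlation
# between id_token and access token can revoke it.
import secrets


class AuthServer:
    def __init__(self):
        self.sessions = {}            # session_id -> subject
        self.access_tokens = {}       # access_token -> {"sub": ..., "active": bool}
        self.token_by_id_token = {}   # id_token -> access_token (the correlation)
        self.logout_hooks = []        # callables invoked on OIDC logout (extension point)

    def login(self, sub, correlate):
        # OIDC login: create the session and issue id_token plus access token.
        sid = secrets.token_urlsafe(8)
        self.sessions[sid] = sub
        id_token = secrets.token_urlsafe(16)
        access_token = secrets.token_urlsafe(16)
        self.access_tokens[access_token] = {"sub": sub, "active": True}
        if correlate:
            # Without this record the server cannot find the token at logout.
            self.token_by_id_token[id_token] = access_token
        return sid, id_token, access_token

    def introspect(self, access_token):
        rec = self.access_tokens.get(access_token)
        return {"active": bool(rec and rec["active"])}

    def revoke(self, access_token):
        if access_token in self.access_tokens:
            self.access_tokens[access_token]["active"] = False

    def oidc_logout(self, sid, id_token_hint):
        # Per the spec: terminate the authenticated session only ...
        self.sessions.pop(sid, None)
        # ... then give registered hooks a chance to act on the id_token.
        for hook in self.logout_hooks:
            hook(self, id_token_hint)


def revoke_correlated_token(server, id_token):
    # Hypothetical extension: revoke the access token correlated with id_token.
    access_token = server.token_by_id_token.pop(id_token, None)
    if access_token:
        server.revoke(access_token)


def token_active_after_logout(with_hook):
    srv = AuthServer()
    if with_hook:
        srv.logout_hooks.append(revoke_correlated_token)
    sid, id_token, access_token = srv.login("alice", correlate=with_hook)
    srv.oidc_logout(sid, id_token)
    assert sid not in srv.sessions  # the session is gone in both cases
    return srv.introspect(access_token)["active"]
```

Without the hook the token remains active after logout, which is exactly what the token introspection in the original question shows; with the hook and the correlation in place it is revoked.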
