By: harmanjeet singh user 10 May 2018 at 12:44 a.m. CDT

5 Responses
I am using the Oxd-Server API for authentication with the Gluu server. I get the code and state on successful login, which I then use to get an access token, and with the help of this token I get the user information. It is working fine. The access token has its expiry time. I want the user to be automatically logged out from the Gluu server as well after the access token expires. How can I achieve this?

By Aliaksandr Samuseu staff 10 May 2018 at 8:31 a.m. CDT

Hi, Harmanjeet. After the access token has expired, make the app follow [this part](http://openid.net/specs/openid-connect-session-1_0.html#RPLogout) of the session management spec to end the user's session.

By harmanjeet singh user 14 May 2018 at 5:01 a.m. CDT

For now, when the token expires it is unable to get user info; in that case I get the logout URL using the getLogoutUri method and hit it so that the user will log out from the Gluu server.

By Aliaksandr Samuseu staff 14 May 2018 at 3:25 p.m. CDT

> For now, when the token expires it is unable to get user info; in that case I get the logout URL using the getLogoutUri method and hit it so that the user will log out from the Gluu server.

Isn't this what you can call an "automatic way to log out a user when their access token" expires (assuming you don't do it manually and it's done by some on-page script instead)? Otherwise, could you explain your goal in more detail?

Overall, `ox-d` definitely doesn't provide such mechanics, so you'll need to invent some workarounds (as you already seem to be doing). It's expected that a session at the OP will either be ended by a call from an RP, or by a timeout of some kind. You can find out more about session timeouts [here](https://gluu.org/docs/ce/3.1.2/admin-guide/session/). Normally/by default the `access token` will expire long before any kind of timeout happens, though you can adjust those values, even making your session last the same amount of time as your `access token` does.
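
The workaround discussed above (detect access-token expiry at the RP, then send an RP-initiated logout request to the OP), sketched as an added example that is not from the thread or from oxd. It builds the request by hand from the parameters in the linked session management spec instead of calling oxd's `getLogoutUri`; the endpoint URL, redirect URI, session dictionary layout and function names are assumptions made for illustration.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit

# Constructed sample values (assumptions, not taken from the thread).
DISCOVERY = {"end_session_endpoint": "https://op.example.org/end_session"}
POST_LOGOUT_REDIRECT_URI = "https://rp.example.org/logged-out"


def access_token_expired(issued_at, expires_in, now=None, skew=30):
    """True once the token is within `skew` seconds of its expiry."""
    now = time.time() if now is None else now
    return now >= issued_at + expires_in - skew


def build_logout_url(id_token, state=None):
    """RP-initiated logout request (OIDC Session Management 1.0, section 5)."""
    endpoint = DISCOVERY["end_session_endpoint"]
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("end_session_endpoint must use https")
    state = state or secrets.token_urlsafe(16)
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        "state": state,
    })
    return f"{endpoint}?{query}", state


def next_step(session, now=None):
    """Decide what the RP does on a request: continue, or end the OP session."""
    if not access_token_expired(session["issued_at"], session["expires_in"], now):
        return {"action": "continue"}
    url, state = build_logout_url(session["id_token"])
    # Drop local credentials first; keep only the state to check on return.
    session.clear()
    session["logout_state"] = state
    return {"action": "redirect", "location": url}


def logout_return_ok(session, returned_state):
    """Validate the state echoed back to post_logout_redirect_uri (single use)."""
    expected = session.pop("logout_state", None)
    return expected is not None and secrets.compare_digest(expected, returned_state)
```

The `post_logout_redirect_uri` has to match a value registered for the client at the OP, and the `state` check keeps an unsolicited hit on the post-logout page from being treated as a completed logout.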

By harmanjeet singh user 14 May 2018 at 11:33 p.m. CDT

In Configuration > JSON Configuration > oxAuth Configuration there is a parameter, **sessionIdLifetime**. For testing purposes I changed its value to 60 seconds. I was expecting that the session would expire after 60 seconds and the user would be logged out from oxTrust, but nothing like this happened. Another parameter is **endSessionWithAccessToken**; what is it used for?

By Aliaksandr Samuseu staff 15 May 2018 at 3:09 p.m. CDT

> I was expecting that the session would expire after 60 seconds and the user would be logged out from oxTrust, but nothing like this happened

oxTrust is a separate application and has its own session. To test your scenario properly you should try to configure some SAML or OIDC SP/RP to use your Gluu instance and test session timeouts with flows originating from those remote services.