By: Praveen Srinivasan user 10 Jan 2022 at 1:33 a.m. CST

3 Responses
Hi Team,

When the password is changed in GLUU, the user is not automatically logged out. Please let us know if the scenarios below are possible in GLUU. I've gone through https://gluu.org/docs/gluu-server/4.1/admin-guide/session/ and https://gluu.org/docs/gluu-server/4.1/operation/logout/ docs, but I couldn't find such details.

**Scenario 1:**

1. Log in from 2 browsers with the same credentials.
2. Change the password from browser 1 in GLUU with the ***Change password option in Profile Page.***
3. GLUU in browser 2 is not automatically logged out.

Is it possible to make GLUU forcefully log out from all browsers automatically if the password is changed via Change Password?

**Scenario 2:**

1. Log in from 2 browsers with the same credentials.
2. Request a password change via the ***(SCIM API)***.
3. GLUU in both browsers is not automatically logged out.

Is it possible to make GLUU forcefully log out from all browsers automatically if the password is changed via the SCIM API?

By Yuriy Zabrovarnyy staff 10 Jan 2022 at 12:07 p.m. CST

One of the possible ways is to use the forgot password script, which means full control over the reset functionality.

Forgot password readme: https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/forgot_password/README.md

The script has to be modified. On reset, redirect to the End Session call, which is described in the doc you have already read: https://gluu.org/docs/gluu-server/4.1/operation/logout/

1. RP sends a request to the AS (which is the authentication script under the hood)
2. `redirect_uri` has to point to the AS's `/end_session` endpoint
3. Configure `post_logout_redirect_uri` to redirect to the desired URI.

The AS also supports Back Channel logout if it fits your scenario: https://openid.net/specs/openid-connect-backchannel-1_0.html

By Praveen Srinivasan user 10 Jan 2022 at 9:20 p.m. CST

Hi @Yuriy.Zabrovarnyy

Thanks for the details. Your scenario will work if I reset the password in the same browser. But what if I am logged in on two browsers (Browser 1 and Browser 2), and I am resetting the password in Browser 1? Will Browser 2 be automatically logged out? (like the way Microsoft, Google, etc. do it)

By Yuriy Zabrovarnyy staff 11 Jan 2022 at 3:54 a.m. CST

Nothing stops you from:

1. fetching all of the user's sessions
2. getting the involved clients
3. invoking the front channel or back channel logout URI

Which should cover the multi-browser (multi-device) scenario.
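
The three steps in the answer above, sketched as an added example (not part of the thread and not Gluu's code): it takes every session of one user, finds the clients each session touched, and builds one logout token per pair using the claim set from OpenID Connect Back-Channel Logout 1.0. The session and client store layout, all names and URLs, and signing with HS256 and the client secret are assumptions made for the demonstration.

```python
import base64, hashlib, hmac, json, uuid

EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed sample data (hypothetical store layout, not Gluu's schema):
# user-123 is logged in from two browsers; user-999 is someone else.
SESSIONS = [
    {"sid": "sid-browser-1", "sub": "user-123", "clients": ["rp-portal", "rp-mail"]},
    {"sid": "sid-browser-2", "sub": "user-123", "clients": ["rp-portal"]},
    {"sid": "sid-other", "sub": "user-999", "clients": ["rp-mail"]},
]
CLIENTS = {
    "rp-portal": {"uri": "https://portal.example/bc-logout", "secret": b"demo-secret-1"},
    "rp-mail": {"uri": "https://mail.example/bc-logout", "secret": b"demo-secret-2"},
}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Compact JWS; HS256 with the client secret is a demo assumption."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def plan_logout(sub, issuer, now):
    """Steps 1-3: sessions of `sub` -> involved clients -> one logout token each."""
    plan = []
    for s in (x for x in SESSIONS if x["sub"] == sub):   # 1. all of the user's sessions
        for cid in s["clients"]:                          # 2. clients involved in that session
            c = CLIENTS[cid]
            claims = {"iss": issuer, "aud": cid, "sub": sub, "sid": s["sid"],
                      "iat": now, "exp": now + 120, "jti": str(uuid.uuid4()),
                      "events": {EVENT: {}}}              # a logout token carries no nonce
            # 3. the OP would POST this as form field `logout_token` to c["uri"]
            plan.append({"uri": c["uri"], "logout_token": sign_hs256(claims, c["secret"])})
    return plan

def claims_of(token):
    """Decode the payload without verifying the signature (inspection only)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

if __name__ == "__main__":
    for step in plan_logout("user-123", "https://idp.example", 1641900000):
        print(step["uri"], claims_of(step["logout_token"])["sid"])
```

Each relying party validates the token and ends its local session for the given `sid`, which is what logs out the second browser.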