
Ability to logout with token revocation #684

@usrrname

Description

At the moment, the only way a user can log out when using a12n-server-admin is in two steps: selecting the dropdown menu from the navbar redirects the user to a12n-server's /logout page, where clicking the Logout button will POST to /logout to clear the session.

For an SPA-style application, to log out they should simply clear their own tokens. If it's in LocalStorage, delete it from there.

If we want to do a 'distributed log out', we really need to implement: https://openid.net/specs/openid-connect-frontchannel-1_0.html . I'm pretty sure we've had this discussion once before when you were working on the next-auth connector, where we hit a similar roadblock. I could have sworn we made a ticket for that but I don't see it.

In this scenario with the admin tool, think of a12n-server as 'log in with google'. If you use 'log in with google' on a 3rd-party site, and you log out at that site, you don't expect to be logged out from google as well.

That said, if you log out from the admin UI and not from the 'old' browser UI that does seem like a security problem. So maybe there's two issues:

  • We need to implement OpenID front channel log out
  • Maybe we need to put some restrictions on what you can do in the (old) Admin UI if you initiated a log in via an OAuth2 authorization_code flow.

Before that, the 'normal' way for you to log out is to just wipe your access/refresh token from your session store. One enhancement here could be to also add support for OAuth2 revoke:

Discussion from:

Maybe related:
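The SPA-side logout sketched in this issue (wipe the access/refresh token from the client's own store, optionally calling the OAuth2 revocation endpoint first), written out as an added example. This is not code from a12n-server or a12n-server-admin; the `/revoke` URL, the storage key names, the `client_id` value and the in-memory `Storage`/`fetch` stand-ins are assumptions made so it runs offline. The revocation request follows RFC 7009 (OAuth 2.0 Token Revocation).

```javascript
// Added example, not code from the a12n-server or a12n-server-admin projects:
// an SPA logout that revokes its OAuth2 tokens (RFC 7009) and then wipes them
// from local storage. The revocation URL, the storage keys and the client_id
// are assumptions made for this example.

const ACCESS_KEY = 'a12n_access_token';   // assumed localStorage key
const REFRESH_KEY = 'a12n_refresh_token'; // assumed localStorage key

// Build one RFC 7009 request: a POST with an application/x-www-form-urlencoded
// body carrying `token` and, optionally, `token_type_hint`. A public client
// (an SPA has no client secret) identifies itself with `client_id`.
function buildRevocationRequest(token, tokenTypeHint, clientId) {
  const params = new URLSearchParams({ token, client_id: clientId });
  if (tokenTypeHint) params.set('token_type_hint', tokenTypeHint);
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// Decide what to revoke, refresh token first: once it is gone the server can
// mint no new access tokens, so a short-lived access token that survives a
// failed second call is the smaller problem.
function revocationPlan(storage, clientId) {
  const plan = [];
  const refreshToken = storage.getItem(REFRESH_KEY);
  const accessToken = storage.getItem(ACCESS_KEY);
  if (refreshToken) {
    plan.push({ kind: 'refresh_token', request: buildRevocationRequest(refreshToken, 'refresh_token', clientId) });
  }
  if (accessToken) {
    plan.push({ kind: 'access_token', request: buildRevocationRequest(accessToken, 'access_token', clientId) });
  }
  return plan;
}

// Local logout: remove the tokens the SPA holds. This is the "wipe your
// access/refresh token from your session store" step; returns true when
// nothing is left behind.
function clearTokens(storage) {
  storage.removeItem(REFRESH_KEY);
  storage.removeItem(ACCESS_KEY);
  return storage.getItem(REFRESH_KEY) === null && storage.getItem(ACCESS_KEY) === null;
}

// Full logout. Revocation failures are recorded, not thrown: RFC 7009 has the
// server answer 200 even for tokens it does not know, so a non-2xx status or a
// network error is a transport/server problem. The local copies are cleared in
// `finally` so a failed revocation never leaves tokens sitting in the browser.
async function logout({ storage, revokeUrl, clientId, fetchImpl = globalThis.fetch }) {
  const outcome = {};
  try {
    for (const step of revocationPlan(storage, clientId)) {
      try {
        const res = await fetchImpl(revokeUrl, step.request);
        outcome[step.kind] = res.ok ? 'revoked' : `http_${res.status}`;
      } catch (err) {
        outcome[step.kind] = `error: ${err.message}`;
      }
    }
  } finally {
    clearTokens(storage);
  }
  return outcome;
}

// Offline stand-ins (constructed for this example): a Map-backed Storage and a
// fetch that behaves like an RFC 7009 endpoint, recording what it was sent.
function memoryStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function fakeRevokeEndpoint(seen) {
  return async (_url, req) => {
    seen.push(Object.fromEntries(new URLSearchParams(req.body)));
    return { ok: true, status: 200 };
  };
}

async function demo() {
  const storage = memoryStorage({ [ACCESS_KEY]: 'at-123', [REFRESH_KEY]: 'rt-456' });
  const seen = [];
  const outcome = await logout({
    storage,
    revokeUrl: 'https://a12n.example/revoke', // assumed endpoint
    clientId: 'admin-ui',                      // assumed public client id
    fetchImpl: fakeRevokeEndpoint(seen),
  });
  return { outcome, seen, cleared: storage.getItem(ACCESS_KEY) === null };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

In a real SPA `storage` is `window.localStorage` and `fetchImpl` is the browser's `fetch`; the separation into `revocationPlan`, `clearTokens` and `logout` is only so the pieces can be exercised without a server. Note that this clears the SPA's own tokens only: as the issue says, ending the a12n-server browser session as well is a separate (front-channel logout) problem.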
