Token revocation when server side sessions are enabled #224

Open
josephdecock opened this issue Dec 26, 2024 · 0 comments
Comments

@josephdecock (Member)

We use extensibility points in the cookie handler to do two things when sessions end:

  • delete the server side session (via our ITicketStore implementation) and
  • revoke refresh tokens (via our PostConfigureApplicationCookieRevokeRefreshToken configuration)

These two features don't work together, because the cookie handler orchestrates them in the wrong order: it destroys the session (and the token with it) before it attempts to revoke the token, so revocation never occurs.

Need to investigate the best way to solve this.
Ideas:

  • Revoke refresh tokens from within the ticket or user session store
  • Revoke refresh tokens in the bff/logout endpoint
  • Consider if the SessionRevocationService (used on backchannel logout) can help.
@josephdecock josephdecock added the area/bff Core Backend-For-Frontend library label Dec 26, 2024
@josephdecock josephdecock added this to the bff-3.0.0 milestone Dec 26, 2024
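The first idea in the comment above (revoke the refresh token from inside the ticket store) can be illustrated with a decorator around an existing `ITicketStore`. This is an added example and not code from the Duende BFF project: the cookie handler calls `SessionStore.RemoveAsync` at sign-out before it raises `OnSigningOut`, so a store that revokes in `RemoveAsync` still has the ticket, and the refresh token stored in its `AuthenticationProperties`, available. The names `RevokingTicketStore` and `RevocationOptions`, the revocation endpoint URL, the client credentials, and the choice of a plain RFC 7009 revocation request instead of the library's own revocation helper are all assumptions for the example; the inner store is whatever store the application already registers.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Logging;

// Settings for the hypothetical decorator (names and values are assumptions for this example).
public sealed class RevocationOptions
{
    public required string RevocationEndpoint { get; init; } // e.g. https://idp.example/connect/revocation
    public required string ClientId { get; init; }
    public required string ClientSecret { get; init; }
}

// Wraps the application's real ITicketStore. RemoveAsync is what the cookie handler calls
// when the session ends (sign-out, or a ticket found to be expired), and it runs before the
// handler's OnSigningOut event, so revoking here happens while the ticket still exists.
public sealed class RevokingTicketStore : ITicketStore
{
    private readonly ITicketStore _inner;
    private readonly HttpClient _http;
    private readonly RevocationOptions _options;
    private readonly ILogger<RevokingTicketStore> _logger;

    public RevokingTicketStore(ITicketStore inner, HttpClient http,
                               RevocationOptions options, ILogger<RevokingTicketStore> logger)
    {
        _inner = inner;
        _http = http;
        _options = options;
        _logger = logger;
    }

    // Pass-through for everything except removal.
    public Task<string> StoreAsync(AuthenticationTicket ticket) => _inner.StoreAsync(ticket);
    public Task RenewAsync(string key, AuthenticationTicket ticket) => _inner.RenewAsync(key, ticket);
    public Task<AuthenticationTicket?> RetrieveAsync(string key) => _inner.RetrieveAsync(key);

    public async Task RemoveAsync(string key)
    {
        // 1. Read the ticket while it is still in the store.
        var ticket = await _inner.RetrieveAsync(key);
        var refreshToken = ticket?.Properties.GetTokenValue("refresh_token");

        // 2. Revoke first. A revocation failure is logged but must not block session deletion,
        //    otherwise a sign-out could be turned into a way of keeping the session alive.
        if (!string.IsNullOrEmpty(refreshToken))
        {
            try
            {
                await RevokeAsync(refreshToken, CancellationToken.None);
            }
            catch (Exception ex)
            {
                _logger.LogWarning(ex, "Refresh token revocation failed for session {Key}", key);
            }
        }

        // 3. Only now delete the server-side session (and the token with it).
        await _inner.RemoveAsync(key);
    }

    // RFC 7009 token revocation: form-encoded POST authenticated with the client credentials.
    private async Task RevokeAsync(string refreshToken, CancellationToken ct)
    {
        using var request = new HttpRequestMessage(HttpMethod.Post, _options.RevocationEndpoint)
        {
            Content = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["token"] = refreshToken,
                ["token_type_hint"] = "refresh_token",
                ["client_id"] = _options.ClientId,
                ["client_secret"] = _options.ClientSecret,
            })
        };

        using var response = await _http.SendAsync(request, ct);
        // RFC 7009 servers answer 200 even for tokens that are already invalid,
        // so anything else is a real transport or configuration problem.
        response.EnsureSuccessStatusCode();
    }
}
```

Two caveats. The decorator implements only the four base `ITicketStore` members, so the `HttpContext`/`CancellationToken` overloads fall back to their default implementations and the inner store does not receive the request context; an application whose store depends on that would need the overloads forwarded as well. And this only covers session ends that go through `RemoveAsync`; whether the BFF's backchannel-logout path (the `SessionRevocationService` mentioned above) deletes sessions through the same call is not shown on this page and would have to be checked separately.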