
trigger tokens revocation

Open abdallah-odeh opened this issue 1 year ago • 0 comments

Hello there, does calling endsession trigger token revocation?

In my web app, I tested the login & logout cycle the URLs triggered:

  • connect/revocation (for access token)
  • connect/revocation (for refresh token)
  • connect/endsession?post_logout_redirect_uri=https%3A%2F%2Fmyapp.homepage.com
  • Account/Logout
  • Account/LoggedOut
  • https://myapp.homepage.com

After these redirects, when I try to use the refresh token to obtain a new access token, the API connect/token with grant_type=refresh_token returns "invalid_grant", which means that the token is not valid in this case.

But when I call the endsession API from flutter_appauth, the revocation APIs are not triggered; thus the refresh token is not revoked and can be used to obtain new access tokens. These URLs appeared in the server logs when the endsession is called from mobile:

  • connect/endsession?post_logout_redirect_uri=com.myapp.packagename%3A%2F%2Flogout%2F
  • Account/Logout
  • Account/LoggedOut
  • the webview is closed and the app proceeds with its work

I thought maybe it is because the client_id is not passed in the endsession API, as the revocation APIs do require client_id. I tried to append the client_id in the additionalParameters, but no updates were detected.

I then tried to manually call revocation for the refresh token with client_id. It worked fine: when I tried to obtain a new access token, an error was returned.

Notes: I am using identityserver4 & AuthorizationCode flow with PKCE

So is there any way to actually "end the session" and revoke any tokens for the current session?

abdallah-odeh, May 14 '24 14:05
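The logout sequence the issue describes, as an added example that is not part of the original post nor flutter_appauth or IdentityServer4 code: the client revokes the refresh token itself (RFC 7009, with client_id) before redirecting to end_session, and then checks that a refresh_token grant is refused. The endpoint paths come from the issue; `FakeIdP` and the `transport` callable are constructed stand-ins for the server and for an HTTP POST so the example runs offline.

```python
from urllib.parse import urlencode


class FakeIdP:
    """Constructed stand-in for the provider: end_session clears the browser
    SSO session but, as observed in the issue, does NOT revoke issued tokens."""

    def __init__(self):
        self.refresh_tokens = {"rt-1": "client-mobile"}  # token -> client_id

    def post(self, path, form):
        if path == "connect/revocation":
            # RFC 7009 revocation: a public client must still identify itself
            if "client_id" not in form:
                return {"error": "invalid_client"}
            self.refresh_tokens.pop(form["token"], None)  # unknown token is still 200 OK
            return {}
        if path == "connect/token" and form.get("grant_type") == "refresh_token":
            if form.get("refresh_token") in self.refresh_tokens:
                return {"access_token": "at-new"}
            return {"error": "invalid_grant"}
        raise ValueError(f"unexpected endpoint {path}")


def end_session_url(base, post_logout_redirect_uri):
    """end_session is a browser redirect, not a token operation."""
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{base}/connect/endsession?{query}"


def revoke(transport, token, client_id, token_type_hint):
    """RFC 7009 request body; token_type_hint is 'refresh_token' or 'access_token'."""
    form = {"token": token, "token_type_hint": token_type_hint, "client_id": client_id}
    return transport("connect/revocation", form)


def refresh_is_alive(transport, refresh_token, client_id):
    """The check from the issue: a live refresh token yields a new access token."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id}
    return "error" not in transport("connect/token", form)


def secure_logout(transport, refresh_token, client_id, base, post_logout_redirect_uri):
    """Revoke server-side state first, then hand the browser the end_session URL."""
    revoke(transport, refresh_token, client_id, "refresh_token")
    return end_session_url(base, post_logout_redirect_uri)
```

The hypothetical `https://idp.example` base URL stands in for the provider host; the mobile redirect URI is the one from the server logs above.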