Token revocation when server side sessions are enabled #1691

Closed
josephdecock opened this issue Dec 26, 2024 · 3 comments
Labels: area/products/bff (Related to all BFF), state/wontfix (This will not be worked on)

Comments

@josephdecock (Member)

We use extensibility points in the cookie handler to do two things when sessions end:

  • delete the server side session (via our ITicketStore implementation) and
  • revoke refresh tokens (via our PostConfigureApplicationCookieRevokeRefreshToken configuration)

These two features don't work together, because the cookie handler orchestrates them in the wrong order: it destroys the session (and the token with it) before it attempts to revoke the token, so revocation never occurs.

Need to investigate the best way to solve this.
Ideas:

  • Revoke refresh tokens from within the ticket or user session store
  • Revoke refresh tokens in the bff/logout endpoint
  • Consider if the SessionRevocationService (used on backchannel logout) can help.
@josephdecock josephdecock added the area/products/bff Related to all BFF label Dec 26, 2024
@josephdecock josephdecock added this to the bff-3.0.0 milestone Dec 26, 2024
@damianh damianh transferred this issue from DuendeArchive/BFF Jan 6, 2025
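The first idea in the list above (revoking the refresh token from within the ticket store) can be sketched as follows. This is an added example, not code from the issue or from Duende BFF: it wraps whatever ITicketStore is configured and performs an RFC 7009 revocation request before the inner store deletes the session. The `RevocationOptions` type, the `RevokingTicketStore` and `RevokingTicketStorePostConfigure` class names, and the endpoint/client values are assumptions for illustration; the example also assumes the refresh token is held in the ticket's AuthenticationProperties under the standard "refresh_token" name and that, as the issue states, the cookie handler calls SessionStore.RemoveAsync before raising its SigningOut event.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical settings for the RFC 7009 revocation endpoint. The defaults are
// placeholders; bind real values from configuration.
public sealed class RevocationOptions
{
    public string RevocationEndpoint { get; set; } = "https://idp.example/connect/revocation";
    public string ClientId { get; set; } = "bff-client";
    public string ClientSecret { get; set; } = "<client-secret-placeholder>";
}

// Wraps the real ITicketStore so the refresh token in the ticket is revoked
// before the server side session record is deleted. Since the cookie handler
// calls SessionStore.RemoveAsync before SigningOut, this is the last point at
// which the token is still reachable.
public sealed class RevokingTicketStore : ITicketStore
{
    private readonly ITicketStore _inner;
    private readonly IHttpClientFactory _httpClientFactory;
    private readonly RevocationOptions _options;
    private readonly ILogger<RevokingTicketStore> _logger;

    public RevokingTicketStore(ITicketStore inner, IHttpClientFactory httpClientFactory,
        RevocationOptions options, ILogger<RevokingTicketStore> logger)
    {
        _inner = inner;
        _httpClientFactory = httpClientFactory;
        _options = options;
        _logger = logger;
    }

    public Task<string> StoreAsync(AuthenticationTicket ticket) => _inner.StoreAsync(ticket);
    public Task RenewAsync(string key, AuthenticationTicket ticket) => _inner.RenewAsync(key, ticket);
    public Task<AuthenticationTicket?> RetrieveAsync(string key) => _inner.RetrieveAsync(key);

    public async Task RemoveAsync(string key)
    {
        // Read the ticket first: once the inner store deletes it, the token is gone.
        var ticket = await _inner.RetrieveAsync(key);
        var refreshToken = ticket?.Properties.GetTokenValue("refresh_token");

        if (!string.IsNullOrEmpty(refreshToken))
        {
            await RevokeRefreshTokenAsync(refreshToken, CancellationToken.None);
        }

        await _inner.RemoveAsync(key);
    }

    private async Task RevokeRefreshTokenAsync(string refreshToken, CancellationToken ct)
    {
        var client = _httpClientFactory.CreateClient();
        using var request = new HttpRequestMessage(HttpMethod.Post, _options.RevocationEndpoint)
        {
            Content = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["token"] = refreshToken,
                ["token_type_hint"] = "refresh_token",
                ["client_id"] = _options.ClientId,
                ["client_secret"] = _options.ClientSecret,
            })
        };

        using var response = await client.SendAsync(request, ct);
        if (!response.IsSuccessStatusCode)
        {
            // Log and continue: a failed revocation must not block ending the session.
            _logger.LogWarning("Refresh token revocation returned {StatusCode}", (int)response.StatusCode);
        }
    }
}

// Replaces the configured SessionStore with the revoking wrapper after the
// other cookie post-configuration (including the BFF's own) has run.
public sealed class RevokingTicketStorePostConfigure : IPostConfigureOptions<CookieAuthenticationOptions>
{
    private readonly IHttpClientFactory _httpClientFactory;
    private readonly RevocationOptions _options;
    private readonly ILogger<RevokingTicketStore> _logger;

    public RevokingTicketStorePostConfigure(IHttpClientFactory httpClientFactory,
        IOptions<RevocationOptions> options, ILogger<RevokingTicketStore> logger)
    {
        _httpClientFactory = httpClientFactory;
        _options = options.Value;
        _logger = logger;
    }

    public void PostConfigure(string? name, CookieAuthenticationOptions options)
    {
        if (options.SessionStore is null || options.SessionStore is RevokingTicketStore) return;
        options.SessionStore = new RevokingTicketStore(options.SessionStore, _httpClientFactory, _options, _logger);
    }
}

// Registration (Program.cs), after the BFF services so this post-configure runs last:
//   builder.Services.AddHttpClient();
//   builder.Services.Configure<RevocationOptions>(builder.Configuration.GetSection("Revocation"));
//   builder.Services.AddSingleton<IPostConfigureOptions<CookieAuthenticationOptions>, RevokingTicketStorePostConfigure>();
```

IPostConfigureOptions instances run in registration order, so the wrapper must be registered after the BFF's own cookie post-configuration or it will find no SessionStore to wrap. If the cookie event still attempts its own revocation afterwards, the second request carries an already-revoked token; RFC 7009 specifies that the server responds with 200 for unknown or already-revoked tokens, so the duplicate is harmless.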
@Erwinvandervalk (Contributor)

I'm not able to reproduce this issue so closing it for now.

@Erwinvandervalk Erwinvandervalk added the state/wontfix This will not be worked on label Feb 13, 2025
@Erwinvandervalk Erwinvandervalk self-assigned this Feb 13, 2025
@brockallen (Member)

Is this similar to the expired cookie issue that @bhazen just worked on in IS?

@bhazen (Contributor) commented Feb 13, 2025

> Is this similar to the expired cookie issue that @bhazen just worked on in IS?

It is similar. @Erwinvandervalk, if you'd like me to walk you through the issue to which Brock is referring at some point so we can see if they are similar, let me know.
