Revoking access tokens when a user logs out in WSO2 Identity Server

Piraveena Paralogarajah
3 min read · Jun 16, 2019


An access token is a credential that an application can use to access an API. Access tokens can be either an opaque string or a JSON Web Token. They inform the API that the bearer of the token has been authorized to access the API and to perform the specific actions permitted by the scope that was granted. [1]

Token revocation is not part of either the OAuth 2 standard or the OpenID Connect standard, but a separate RFC (7009) deals with this topic. In some deployments there is a requirement to revoke the access token when the user logs out.

In WSO2 Identity Server, too, you can revoke the access token when the user logs out by adding a customization.

We can implement a custom listener that extends AbstractAuthenticationDataPublisher [2] and overrides publishSessionTermination() to invoke token revocation. This approach has some drawbacks, however:

  • At termination time, we have no way to identify which token was issued for this session. If we revoke all tokens of the user who is logging out, that also revokes tokens belonging to the user's other active concurrent sessions.
  • To overcome this, we also need to override publishSessionCreation(), store the correlation information in a separate database table, and revoke only the matching tokens at session termination.

Writing the data publisher

Create a new class extending AbstractAuthenticationDataPublisher. Inside the publishSessionTermination() method, write the logic that revokes all tokens issued to the logged-out user.

In this implementation, when a user logs out, all of that user's access tokens are revoked. If you want to revoke only the access token that correlates to that particular user session, override publishSessionCreation() as well, store the correlation information in a separate database table, and revoke only the matching tokens at session termination.

You can use the following code segment to revoke the tokens of an authorized user. Sample code is also available in the OAuth source code [3].
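The session-to-token correlation described above, as an added, framework-agnostic example that is not part of the original post or of WSO2's code: it assumes a hypothetical TokenRevoker hook in place of the server's revocation API, keeps the correlation in memory instead of the database table the post recommends, and shows why revoking only the terminated session's tokens leaves a user's other concurrent sessions untouched.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Not WSO2 code: a standalone model of the session-to-token correlation the post
// recommends. In a real data publisher, onTokenIssued() would be driven from
// publishSessionCreation(), onSessionTerminated() from publishSessionTermination(),
// the in-memory map would be a database table, and TokenRevoker (hypothetical)
// would call the server's token revocation API.
public class SessionTokenCorrelator {
    /** Hypothetical hook standing in for the real revocation call. */
    public interface TokenRevoker {
        void revoke(String tokenId);
    }
    // sessionId -> tokens issued within that session
    private final Map<String, Set<String>> tokensBySession = new ConcurrentHashMap<>();
    private final TokenRevoker revoker;

    public SessionTokenCorrelator(TokenRevoker revoker) {
        this.revoker = revoker;
    }

    /** Record the correlation at issue time; the naive "revoke everything" design skips this. */
    public void onTokenIssued(String sessionId, String tokenId) {
        tokensBySession.computeIfAbsent(sessionId, k -> ConcurrentHashMap.newKeySet()).add(tokenId);
    }

    /** Targeted revocation: only the tokens correlated with the session that ended. */
    public Set<String> onSessionTerminated(String sessionId) {
        Set<String> toRevoke = tokensBySession.remove(sessionId);
        if (toRevoke == null) {
            return Collections.emptySet();   // unknown session, e.g. created before deployment
        }
        toRevoke.forEach(revoker::revoke);
        return toRevoke;
    }

    public static void main(String[] args) {
        Set<String> revoked = new HashSet<>();
        SessionTokenCorrelator correlator = new SessionTokenCorrelator(revoked::add);
        // Constructed sample: one user, two concurrent sessions, one token each.
        correlator.onTokenIssued("sess-browser", "tok-browser");
        correlator.onTokenIssued("sess-mobile", "tok-mobile");
        correlator.onSessionTerminated("sess-browser");
        // Only the browser token is gone; the mobile session keeps working.
        System.out.println("revoked: " + revoked + ", still live: " + correlator.tokensBySession.values());
    }
}
```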

Writing the OSGi service component

You need to write a service component and register the newly created listener as an OSGi service. Create another class named CustomAuthenticationDataPublisherServiceComponent. Note that in the activate() method, we need to register our custom listener class.

Adding the pom file

Deploying the new component

Compile the source with the "mvn clean install" command and copy the .jar file created in the target directory to the following location:

<IS_HOME>/repository/component/dropins/

Adding Event Listener

The final step is to add an event listener to the authentication flow so that our custom token revocation listener gets invoked. Open the file

<IS_HOME>/repository/conf/identity/identity.xml

in a text editor and locate the <EventListeners> configuration block.

Add another EventListener tag of type AbstractIdentityMessageHandler under <EventListeners> and set its name to our custom data publisher class. Make sure to set the enable="true" attribute as well.

<EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityMessageHandler" name="org.wso2.custom.data.publisher.local.CustomSessionDataPublisherImpl" orderId="12" enable="true"/>

Now restart the server, run through the scenario, and verify that the tokens are revoked when the user logs out.

Try it out

  • Create a service provider in the management console of Identity Server
  • Get an access token using an OAuth grant type
https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client&client_id=ZrZd4nf1TWmLxGHA8fhz8PJQX8Ma
curl -k -v --user vsm78pNKfd36vZac5nNspOjRDS8a:TL5fYE46yD4izy_L66r5Q9vFNzka -d "grant_type=authorization_code&code=b8972e6c-458e-3891-93ce-f2b26b0714f0&redirect_uri=http://localhost:8080/playground2/oauth2client&scope= " https://localhost:9443/oauth2/token
  • Call the /introspect endpoint to validate the issued access token [4]
curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=be462f75-31ed-39c4-a030-edc1fc123e4d' https://localhost:9443/oauth2/introspect
  • Invoke the /oidc/logout endpoint or the /commonauth logout endpoint from the browser to log the user out
https://localhost:9443/oidc/logout
https://localhost:9443/commonauth?commonAuthLogout=true&type=oidc&sessionDataKey=1234567&commonAuthCallerPath=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client&relyingParty=playground3
  • The user is now logged out
  • Call the /introspect endpoint again with the same access token; you will get the response below.
{'active':false}
  • If you authorize again, you will get a new access token when you call the /token endpoint.

Written by Piraveena Paralogarajah

Software Engineer @WSO2, CSE Undergraduate @ University of Moratuwa, Former Software Engineering Intern @ WSO2