
  • Invalidate provider session

    We are using version 3.19.SS3 with Spring Security 3.0.3.

    We would like to not block access to the provider site when a user logs out of the consumer site.

    Is there a call to invalidate the provider's access token when the user logs out of the consumer application?

    Thanks

  • #2
    spring webflow migration from 1.0.4 to 2.0

    Hi everyone,
    I am migrating my application from Spring-webflow.1.0.4 to spring-webflow.2.0
    I am getting compilation errors that ApplicationView and ViewSelection are not resolved. Please help me with any other solution regarding this.


    • #3
      Originally posted by [email protected]
      Hi everyone,
      I am migrating my application from Spring-webflow.1.0.4 to spring-webflow.2.0
      I am getting compilation errors that ApplicationView and ViewSelection are not resolved. Please help me with any other solution regarding this.
      Dude, this is the OAuth forum...pick the Web Flow forum if you have troubles with Web Flow: http://forum.springsource.org/index.php


      • #4
        We would like to not block access to the provider site when a user logs out of the consumer site.
        Wait... I don't get it... I presume by your question that you want to invalidate the access token on the provider-side when the user logs out. Is that right?

        Is there a call to invalidate the provider's access token when the user logs out of the consumer application?
        The OAuth spec doesn't specify how a consumer can invalidate a provider access token, nor does it specify the lifecycle of the token. It's left up to the implementors to do that.

        Basically, you'll have to write custom code to invalidate the access token since the way to do that is custom to the provider.


        • #5
          Thanks for the reply.

          Sorry, the first line should read "block access to the provider site when the user logs out of the consumer site".

          We currently found a workaround using the logout URL of the provider defined in the <form-login/> element. This destroys the session, which seems to be storing the OAuth token. So when the user logs out of the consumer site, an HTTP GET is sent to the provider logout URL as well. Not very elegant.

          Originally posted by stoicflame
          Wait... I don't get it... I presume by your question that you want to invalidate the access token on the provider-side when the user logs out. Is that right?



          The OAuth spec doesn't specify how a consumer can invalidate a provider access token, nor does it specify the lifecycle of the token. It's left up to the implementors to do that.

          Basically, you'll have to write custom code to invalidate the access token since the way to do that is custom to the provider.

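An added example, not part of the thread and not Spring Security OAuth code: one way a provider could implement the custom invalidation described in #4, so that a consumer's logout code can revoke its own access token rather than send a GET to the provider's logout URL. The class, its method names and the sample values are hypothetical, and the token-secret comparison stands in for verifying a signed OAuth request.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical provider-side access-token registry (assumed names, plain JDK only). */
public class ProviderTokenRegistry {
    private static final class Entry {
        final String consumerKey, secret; final Instant expires;
        Entry(String consumerKey, String secret, Instant expires) {
            this.consumerKey = consumerKey; this.secret = secret; this.expires = expires;
        }
    }

    private final Map<String, Entry> tokens = new ConcurrentHashMap<>();

    /** Record an issued access token with a bounded lifetime (the spec leaves lifecycle to us). */
    public void store(String token, String secret, String consumerKey, Duration ttl) {
        tokens.put(token, new Entry(consumerKey, secret, Instant.now().plus(ttl)));
    }

    /** Checked on every protected-resource request; expired tokens are dropped on sight. */
    public boolean isValid(String token, String consumerKey) {
        Entry e = tokens.get(token);
        if (e == null || !e.consumerKey.equals(consumerKey)) return false;
        if (Instant.now().isAfter(e.expires)) { tokens.remove(token); return false; }
        return true;
    }

    /** Revocation logic: only the consumer that holds the token secret may revoke the token. */
    public boolean revoke(String token, String secret, String consumerKey) {
        Entry e = tokens.get(token);
        if (e == null || !e.consumerKey.equals(consumerKey)) return false;
        boolean match = MessageDigest.isEqual(   // constant-time comparison of the secrets
                e.secret.getBytes(StandardCharsets.UTF_8), secret.getBytes(StandardCharsets.UTF_8));
        return match && tokens.remove(token, e);
    }

    public static void main(String[] args) {
        ProviderTokenRegistry reg = new ProviderTokenRegistry();
        reg.store("tok-1", "s3cret", "consumer-A", Duration.ofMinutes(30)); // constructed sample values
        System.out.println("valid before logout: " + reg.isValid("tok-1", "consumer-A"));
        System.out.println("revoke, wrong secret: " + reg.revoke("tok-1", "wrong", "consumer-A"));
        System.out.println("revoke on logout: " + reg.revoke("tok-1", "s3cret", "consumer-A"));
        System.out.println("valid after logout: " + reg.isValid("tok-1", "consumer-A"));
    }
}
```

Revoking the token directly leaves the user's own provider session untouched, which the logout-URL workaround in #5 does not.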