From: Krzysztof B. <kb...@un...> - 2020-05-13 08:04:23
Hi Tim,

On 12.05.2020 at 11:26, Tim Kreuzer wrote:
> Hey,
>
> we're using one webservice and two Unitys. One Unity is configured as
> oauth2 authenticator for the other.
>
> Configuration for the <second_unity> (<first_unity_conf>:
> unityServer.core.authenticators.hdfaai.configurationFile):
> ---
> unity.oauth2.client.providers.hbp.type=unity
> unity.oauth2.client.providers.hbp.clientId=...
> unity.oauth2.client.providers.hbp.clientSecret=...
> unity.oauth2.client.providers.hbp.openIdConnect=true
> unity.oauth2.client.providers.hbp.httpClientHostnameChecking=WARN
> unity.oauth2.client.providers.hbp.httpClientTruststore=MAIN
> unity.oauth2.client.providers.hbp.name=Helmholtz
> unity.oauth2.client.providers.hbp.openIdConnectDiscoveryEndpoint=
> https://<second_unity>/oauth2/.well-known/openid-configuration
> unity.oauth2.client.providers.hbp.scopes=email openid display_name
> single-logout
> unity.oauth2.client.providers.hbp.translationProfile=tr-hdfaai-input
> ---
>
> If a user logs into my webservice and uses the <second_unity> as
> authenticator I will receive an accesstoken/refreshtoken at my
> webservice. I'm able to revoke these tokens when the user logs out.
>
> But additionally two tokens are generated at the <second_unity>. Is
> there a way to let the <first_unity> revoke these tokens? So that all 4
> tokens, generated for this user (two on each Unity), will be revoked?
>
>
> The Request I make to revoke the tokens is:
>
> POST https://<first_unity_oauth_endpoint>/revoke
> Headers:
> {
>   'Content-Type': 'application/x-www-form-urlencoded'
> }
> Body:
> {
>   'client_id': '...',
>   'logout': 'true',
>   'token_type_hint': 'refresh_token',  # or access_token
>   'token': '...'
> }
>
>
>
> If that's not possible: Is there a way to receive the tokens from the
> <second_unity>? So that I can revoke them separately?

Not really :/

What you are asking about is SLO for OAuth. There are defined protocols to achieve this (I'm aware of three...) all in draft state.

This is because typically OAuth is used by social identity providers, and when logging out from your app, you shouldn't be logged out from Google/FB/MS or any other of those providers fully not related to the app.

You can achieve such behavior with full Unity support when using SAML.

Still, we heard this already once and I think we had this issue with one setup internally. I'll open a ticket to evaluate the current state of the drafts and see if we can have one of them implemented. Still this will work only in cases when you have a compatible provider - maybe even only in unity <-> unity setup.

Cheers,
Krzysztof
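The thread above shows the client-side revocation request Tim sends on logout, and Krzysztof's answer that the upstream provider's tokens are not revoked by it. The following is an added example, not code from the thread or from Unity: it simulates an RFC 7009 revocation exchange offline, with the client building the same form-encoded request shape as the post and a toy in-memory authorization server standing in for one Unity instance. It illustrates two behaviours a revocation endpoint should have: revoking a refresh token also invalidates the access tokens issued from the same grant, and the endpoint answers 200 for tokens it does not recognise (or that belong to another client) so callers cannot probe which tokens exist. The endpoint URL, client ids and token values are constructed placeholders; the Unity-specific `logout` field from the post is not modelled.

```python
"""Added example: an RFC 7009 token-revocation exchange, simulated offline.
The client side builds the request; ToyAuthServer plays one authorization
server. Nothing here is Unity's own code; URL, ids and tokens are placeholders."""
from dataclasses import dataclass, field
from urllib.parse import urlencode, parse_qs

REVOKE_URL = "https://first-unity.example/oauth2/revoke"  # placeholder endpoint


def build_revocation_request(client_id, token, token_type_hint=None):
    """Return (headers, form_body) for a POST to the revocation endpoint.
    token_type_hint is optional per RFC 7009; it only helps the server look up
    the token faster and is not trusted for anything security-relevant."""
    params = {"client_id": client_id, "token": token}
    if token_type_hint:
        params["token_type_hint"] = token_type_hint
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(params)


@dataclass
class Grant:
    """One authorization grant: a refresh token plus the access tokens minted from it."""
    client_id: str
    refresh_token: str
    access_tokens: set = field(default_factory=set)
    revoked: bool = False


@dataclass
class ToyAuthServer:
    """Minimal in-memory authorization server exposing issue/revoke/is_active."""
    grants: dict = field(default_factory=dict)  # refresh_token -> Grant

    def issue(self, client_id, refresh_token, access_token):
        grant = self.grants.setdefault(refresh_token, Grant(client_id, refresh_token))
        grant.access_tokens.add(access_token)

    def is_active(self, token):
        for grant in self.grants.values():
            if grant.revoked:
                continue  # revoking the refresh token killed the whole grant
            if token == grant.refresh_token or token in grant.access_tokens:
                return True
        return False

    def revoke(self, form_body):
        """Handle a revocation POST body; return the HTTP status to send."""
        form = parse_qs(form_body)
        token = form.get("token", [None])[0]
        client_id = form.get("client_id", [None])[0]
        if token is None or client_id is None:
            return 400  # malformed request: missing required parameter
        for grant in self.grants.values():
            if grant.client_id != client_id:
                continue  # a client may only revoke tokens issued to itself
            if token == grant.refresh_token:
                grant.revoked = True  # cascades to every access token of this grant
                return 200
            if token in grant.access_tokens:
                grant.access_tokens.discard(token)  # revoke only that access token
                return 200
        # Unknown token, or a token owned by another client: still 200,
        # so the endpoint does not act as a token-existence oracle.
        return 200


def logout(server, client_id, access_token, refresh_token):
    """Client-side logout as in the post: revoke both tokens at one server.
    Returns the two HTTP statuses received."""
    statuses = []
    for token, hint in ((refresh_token, "refresh_token"), (access_token, "access_token")):
        _headers, body = build_revocation_request(client_id, token, hint)
        statuses.append(server.revoke(body))  # in production: POST body to REVOKE_URL
    return statuses


def demo():
    """Constructed scenario: one webservice client, one other client."""
    server = ToyAuthServer()
    server.issue("webservice", "rt-ws-1", "at-ws-1")
    server.issue("webservice", "rt-ws-1", "at-ws-2")  # second access token, same grant
    server.issue("other-app", "rt-other", "at-other")
    statuses = logout(server, "webservice", "at-ws-1", "rt-ws-1")
    cross_client = server.revoke(build_revocation_request("webservice", "rt-other")[1])
    return {
        "statuses": statuses,
        "ws_tokens_active": [server.is_active(t) for t in ("rt-ws-1", "at-ws-1", "at-ws-2")],
        "other_still_active": server.is_active("rt-other"),
        "cross_client_status": cross_client,
        "unknown_status": server.revoke(build_revocation_request("webservice", "nope")[1]),
    }


if __name__ == "__main__":
    print(demo())
```

Note that revoking the refresh token first is deliberate: because the server invalidates the whole grant, the second access token `at-ws-2`, which the client never sent, is also dead afterwards. This is exactly the cascade the post's per-token requests rely on within one Unity, and it is what does not cross to the upstream provider in the setup Krzysztof describes.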