At a high level, when a user wants to log out, the SP sends a logout request to the IDP. The IDP sends logout requests to all other SPs (except the one that made the request). The other SPs respond to the IDP, and the IDP responds to the users.
The spec says when an SP receives a logout request, it should invalidate the session. Now imagine the case where the SP implements its local user session by issuing a signed token (e.g. a JWT). There is effectively no way to invalidate a JWT once issued without introducing some kind of datastore you check against. The beauty of JWT is you don't have to read a database to auth a request.
Ugh!
So for now, the decision is to not implement logout.
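The JWT problem described above, as an added example in Go that is not crewjam/saml's own code: a stand-in HMAC-signed session token next to the revocation set an SP would have to keep in order to honour a LogoutRequest. The key, the token format and all names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)

var key = []byte("constructed-demo-key") // constructed; a real SP loads it from config

// Token format "jti.expUnix.sig" stands in for a signed JWT; sig is an HMAC over the rest.
func sign(payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}

// Issue mints a self-contained token; the SP stores nothing.
func Issue(jti string, exp time.Time) string {
	p := jti + "." + strconv.FormatInt(exp.Unix(), 10)
	return p + "." + sign(p)
}

// Revocations is the datastore the comment above says is unavoidable: revoked
// token IDs, each needed only until that token expires on its own. (Not goroutine-safe.)
type Revocations map[string]time.Time

// Revoke is what an SP's LogoutRequest handler would call for the session's token.
func (r Revocations) Revoke(jti string, exp time.Time) { r[jti] = exp }

// Validate checks signature, expiry, then revocation; a purely stateless check
// stops after expiry and keeps accepting a logged-out token until exp.
func Validate(tok string, r Revocations, now time.Time) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || !hmac.Equal([]byte(sign(parts[0]+"."+parts[1])), []byte(parts[2])) {
		return "", errors.New("malformed token or bad signature")
	}
	expUnix, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || !now.Before(time.Unix(expUnix, 0)) {
		return "", errors.New("expired")
	}
	if exp, ok := r[parts[0]]; ok && now.Before(exp) {
		return "", errors.New("revoked by logout")
	}
	return parts[0], nil
}
```

Entries can be dropped from Revocations once their stored expiry has passed, so the store stays bounded by the token lifetime.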
Any chance you could reconsider supporting logout? I'm not asking for full, but what about supporting SP-initiated logout. I see three possible paths and am advocating option 3 below:

1. full support of logout
2. support IdP-initiated logout (as noted above this is silly)
3. support crewjam-driven logout to support the service provider that is using crewjam to initiate logout
I could possibly help with a patch but am uncertain of where to start -- where public API would be added.