Logout #1024

Open
wellingtonoliveira96 opened this issue Jan 17, 2024 · 3 comments

Comments

@wellingtonoliveira96

Hello,

It's my first time working with OAuth and the oauth2-client. I couldn't find anything about user logout in the library docs.

I'm using the GenericProvider to connect using my work's routes for authentication (there isn't a provider of its own). So in the docs of my work's OAuth guide they talk about a logout using a combination of:

url + token_hint + the return page, where:

The url is the logout route
The token_hint is the user's token, used to eliminate the requirement of logout confirmation by the user
The return page is the page that will load in case of a successful logout

I've tried some implementations but I haven't had success with the implementation.

@ramsey
Contributor

ramsey commented Jan 26, 2024

I don't believe OAuth itself defines any kind of logout functionality, which is why oauth2-client doesn't provide any logout mechanisms. Tokens either expire or they don't. If they do expire, OAuth provides a mechanism to refresh them, but not all providers implement token refresh.

If OAuth did define a logout, it would probably involve some manner of making a request to immediately invalidate the token so that it can't be reused on subsequent requests. Many services already provide this kind of functionality, but the user would need to log in to their account at the provider to revoke the tokens issued to other services. Most services (I've seen) do not provide token revocation through their APIs.

@sjordan1975

@ramsey
Added as a point of discussion

I've just started implementing OAuth integration with the Calendly API and they do provide a token revoke endpoint in their API (see https://developer.calendly.com/api-docs/0c80c89b5e2e1-revoke-access-refresh-token).

Might revoke be up for consideration in the client library?

@ShawnCZek

@sjordan1975: This has been discussed in the past; see #479.

However, I agree that it would be nice if the OAuth2 Client at least provided an interface for token revocation so the client libraries do not have to completely reimplement a new request type as I did for Discord (wohali/oauth2-discord-new#45).
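The logout URL scheme from the first post (url + token_hint + return page) and the revocation request the later comments ask for, as an added example that is not code from this issue or from oauth2-client. It assumes thephpleague/oauth2-client is installed via Composer, that the provider exposes an OpenID Connect RP-initiated logout endpoint and an RFC 7009 revocation endpoint, and that every URL, credential and parameter name below is a placeholder to be replaced from the provider's own documentation.

```php
<?php
// Added example, not code from the issue or from oauth2-client. Assumes
// thephpleague/oauth2-client via Composer; every URL and credential is a
// placeholder, and parameter names follow OIDC RP-initiated logout / RFC 7009.
require 'vendor/autoload.php';
use League\OAuth2\Client\Provider\GenericProvider;
use League\OAuth2\Client\Token\AccessTokenInterface;

const CLIENT_ID     = 'CLIENT_ID_PLACEHOLDER';
const CLIENT_SECRET = 'CLIENT_SECRET_PLACEHOLDER';
const LOGOUT_URL    = 'https://idp.example/oauth2/logout';  // provider's logout route
const REVOKE_URL    = 'https://idp.example/oauth2/revoke';  // provider's RFC 7009 endpoint
$provider = new GenericProvider([
    'clientId'                => CLIENT_ID,
    'clientSecret'            => CLIENT_SECRET,
    'urlAuthorize'            => 'https://idp.example/oauth2/authorize',
    'urlAccessToken'          => 'https://idp.example/oauth2/token',
    'urlResourceOwnerDetails' => 'https://idp.example/oauth2/userinfo',
]);

// url + token_hint + return page, as in the first post. The return page is
// allow-listed because the IdP will redirect the browser to whatever we send.
function buildLogoutUrl(AccessTokenInterface $token, string $returnPage): string
{
    if (!in_array($returnPage, ['https://app.example/', 'https://app.example/bye'], true)) {
        throw new InvalidArgumentException('return page is not allow-listed');
    }
    $hint = $token->getValues()['id_token'] ?? $token->getToken(); // id_token if the IdP issued one
    return LOGOUT_URL . '?' . http_build_query([
        'id_token_hint' => $hint, 'post_logout_redirect_uri' => $returnPage,
    ]);
}

// Server-side revocation (RFC 7009) built on the provider's own request helpers,
// so a per-provider library does not need its own HTTP plumbing.
function revokeToken(GenericProvider $provider, AccessTokenInterface $token): void
{
    $refresh = $token->getRefreshToken();
    $request = $provider->getRequest('POST', REVOKE_URL, [
        'headers' => [
            'Authorization' => 'Basic ' . base64_encode(CLIENT_ID . ':' . CLIENT_SECRET),
            'Content-Type'  => 'application/x-www-form-urlencoded',
        ],
        'body' => http_build_query([
            'token'           => $refresh ?? $token->getToken(), // RFC 7009: revoking a refresh token should also invalidate its access tokens
            'token_type_hint' => $refresh ? 'refresh_token' : 'access_token',
        ]),
    ]);
    if ($provider->getResponse($request)->getStatusCode() !== 200) {
        throw new RuntimeException('revocation failed; do not treat the user as logged out');
    }
}
```

Call revokeToken() first and only then send the browser to buildLogoutUrl(), so a failed revocation is visible instead of leaving a live token behind a local "logged out" state.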
