I'm trying to understand how to implement the logout feature in a Single Sign On architecture using JSON Web Tokens.

Let's say we have:

- example1.com
- example2.com
- authserver.com
When the user has to authenticate on example1.com, he is redirected to authserver.com, which validates the user credentials, creates a signed JWT token and redirects the user back to example1.com with this token. example1.com will then set a cookie (or a LocalStorage key) and the user will be authenticated on example1.com for as long as the token is not expired. No further call to authserver.com is required to identify the user.
The user then goes to example2.com, which participates in the SSO architecture. The user needs to be authenticated there too, so example2.com also redirects the user to authserver.com, which recognizes the user (using a cookie it set the first time), creates a new JWT token and automatically redirects the user back to example2.com. example2.com will then set a cookie (or a LocalStorage key) and the user will be authenticated on example2.com for as long as the token is not expired. No further call to authserver.com is required to identify the user.
Now, how can a "logout" feature be implemented?

If the user logs out on example1.com, the JWT token on example1.com is deleted and the user shouldn't be authenticated there anymore. But as soon as he tries to reach a protected area, example1.com will redirect him to authserver.com, the user will be recognized and automatically logged in again... Even if he just logged out!
Question 1) So I guess that when the user logs out on example1.com, a call to authserver.com must be made to remove the cookie set by authserver.com, so the user won't be logged in automatically anymore?
Question 2) If so, what about example2.com? Should the user still be authenticated there? If not, what is the suggested flow so example2.com knows that the JWT token it has for the user isn't valid anymore?
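Added example, not part of the question: a self-contained Python sketch of the flow described above, with authserver.com holding its own session store and each site validating the JWT locally (signature and `exp` only). The key, cookie value and user name are constructed placeholders; it reproduces the re-login problem, shows what clearing the authserver session changes (Question 1), and shows that example2.com's already-issued token is bounded only by its `exp` (Question 2).

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: HS256 key shared by authserver.com and the apps
SESSIONS = {}  # authserver.com session store: cookie value -> user

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims):
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token, now):
    """What example1.com / example2.com do locally: signature and expiry only, no authserver call."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, AttributeError):  # malformed token, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > now else None

def authserver_redirect_back(cookie, audience, now, ttl=3600):
    """authserver.com: its own session cookie alone decides whether a redirect yields a new JWT."""
    user = SESSIONS.get(cookie)
    if user is None:
        return None  # no session: the user would see the login form instead
    return sign_jwt({"sub": user, "aud": audience, "iat": now, "exp": now + ttl})

def scenario(now=1_700_000_000):
    SESSIONS.clear()
    SESSIONS["sso-cookie"] = "alice"  # credentials were validated on the first visit
    t2 = authserver_redirect_back("sso-cookie", "example2.com", now)
    # example1.com deletes its own token but the authserver cookie survives, so the next redirect re-issues one
    relogin = authserver_redirect_back("sso-cookie", "example1.com", now + 1)
    SESSIONS.pop("sso-cookie", None)  # Question 1: also clearing the authserver session
    after = authserver_redirect_back("sso-cookie", "example1.com", now + 2)
    return {  # Question 2: example2.com's token stays valid until its exp, nothing tells it otherwise
        "relogin_before_authserver_logout": verify_jwt(relogin, now + 1) is not None,
        "relogin_after_authserver_logout": after is not None,
        "example2_valid_after_logout": verify_jwt(t2, now + 2) is not None,
        "example2_valid_after_expiry": verify_jwt(t2, now + 3601) is not None,
    }
```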