I am trying to implement OpenId Connect for SSO in one of my projects. However, I am struggling a bit with the case where I would like to validate the OpenId JWT token on the Resource Server side to make it stateless. If the user tries to log out, the Authorization Server will know about the user logout (according to the OpenId Connect Session Management spec). But how should the Authorization Server tell the Resource Server that the user's token is not valid anymore? It is the case where the user, after logging out, goes to the Resource Server with his OpenId token and gets access. That is weird and I could not find any solution across the Internet. Please help me to organize stateless security with central logout.
1 vote
I have found two related topics: stackoverflow.com/questions/27355808/… and stackoverflow.com/questions/32533285/… but none of them answers my question.
– Alex
The id_token or access token should be short lived, as the answer you already found says: stackoverflow.com/a/32536038/676335 Using a short-lived access_token, your project must make a call with the refresh_token to renew it, and then the authorization server can refuse to give a new access_token for a logged-out user.
– fiddur
Thank you for the response. Unfortunately, it is an Implicit flow (the Relying Party is an AngularJS application). According to the OpenId Connect spec, for this flow the refresh token should not be used at all, because it is insecure. That is why there are no answers covering this problem. Any ideas?
– Alex
2 Answers
0 votes
You can use the Token Introspection endpoint to determine whether the access token passed is valid or not. The resource server can make a call to the OP's introspection endpoint to validate the token before giving access to the resource. In order to effectively validate the token, the resource server should:
- Be a registered client with the OP and have the same / similar scope as the SPA app (Implicit flow app) to validate the scopes passed to it, and
- Have access to the Introspection endpoint
There are more details in the above-linked spec for further understanding.
P.S. The answer that I wrote earlier has some other relevant references.
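As an added illustration (not code from this answer or from the asker's project), here is how a resource server could perform the RFC 7662 introspection call described above: it authenticates with its own registered client credentials, sends the bearer token it received, and grants access only if the OP reports the token as active with the required scope. The endpoint URL and credentials are assumed placeholders.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed placeholders: the OP's introspection endpoint and the credentials the
# resource server obtained when it was registered as a client with the OP.
INTROSPECTION_URL = "https://op.example.com/oauth2/introspect"
RS_CLIENT_ID = "resource-server"
RS_CLIENT_SECRET = "rs-secret"


def build_introspection_request(token, url=INTROSPECTION_URL,
                                client_id=RS_CLIENT_ID,
                                client_secret=RS_CLIENT_SECRET):
    """RFC 7662 request: POST, form-encoded body, HTTP Basic client auth."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token,
                                   "token_type_hint": "access_token"}).encode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def evaluate_introspection(response, required_scope, now=None):
    """Decide access from the OP's JSON answer. 'active: false' is what a
    logged-out or revoked token looks like; expiry and scope are checked too."""
    now = time.time() if now is None else now
    if not response.get("active"):
        return False, "token inactive (revoked, logged out, expired or unknown)"
    exp = response.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    granted = set(response.get("scope", "").split())
    if required_scope not in granted:
        return False, f"missing scope {required_scope}"
    return True, "ok"


def send_request(req):
    """Default transport: perform the HTTP call and decode the JSON body."""
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def introspect(token, required_scope, send=send_request):
    """Validate a bearer token before serving a request; 'send' is injectable."""
    return evaluate_introspection(send(build_introspection_request(token)),
                                  required_scope)
```

Because every protected request now costs a round trip to the OP, a resource server typically caches a positive result for a short time, which bounds how long a token keeps working after the central logout.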