MobileFirst OAuth and Logout
I have a test application that accesses 2 adapters:
- a JavaScript adapter protected by a securityTest referencing a realm
- a Java adapter method protected by an OAuth scope corresponding to the same realm.
If I follow this sequence, it works as expected:
- attempt to access the JS adapter, get challenged, authenticate, get data.
- WL.Client.isUserAuthenticated() and WL.Client.getUserInfo() behave as expected
- log out using WL.Client.logout()
- WL.Client.isUserAuthenticated() shows I'm not authenticated
- a second attempt to access the JS adapter causes a challenge, as expected.
However, with the Java adapter, logout() does not seem to behave as expected:
- starting with no session, attempt to access the Java adapter; the challenge happens as expected, then data
- I can access the JS adapter without a further challenge, and WL.Client.getUserInfo() calls give the expected results.
- WL.Client.logout() appears to work, in that WL.Client.isUserAuthenticated() shows I'm not authenticated
- but a call to the Java adapter still works without a further challenge
- a call to the JS adapter results in a challenge
If I'm running in the browser simulator environment I can destroy the OAuth session using the command:
localStorage.removeItem("com.worklight.oauth.idtoken")
The question is:
Should the WL.Client.logout() method have destroyed the OAuth session? If not, which API should I be using?
With OAuth, logout 'works' differently. See the following user documentation topic (search for "logout"): http://www-01.ibm.com/support/knowledgecenter/sshs8r_7.0.0/com.ibm.worklight.dev.doc/dev/c_oauth_security_model.html?lang=en
The login/logout API:
The WLClient login/logout API enables the user to log in and log out of a specific realm, updating the server-side security state. However, in the new OAuth-based security model, the security credentials are kept in the access token on the client side. As a result, using this API might cause an inconsistent state, for example, one in which the client is logged out of a realm on the server side but still holds a valid token for that realm on the client side. To solve this inconsistency, it is recommended to re-obtain the access token, using the obtainAuthorizationHeaderForScope method, after a successful login or logout. For example, consider a client that passed the security checks of realm1 and realm2, and later calls logout(realm2). In this case, the access token on the client still contains the security credentials for both realm1 and realm2, and the client can use this token to access protected resources. To refresh the token, that is, to obtain a token for realm1 only, the client calls obtainAuthorizationHeaderForScope without being logged out of realm realm2.
In JavaScript the equivalent call is:
WLAuthorizationManager.obtainAuthorizationHeader("somerealm")
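As an added illustration (not code from the question, the answer, or the MobileFirst SDK), the following JavaScript models the two behaviours the thread describes with a small in-memory server and client. Every class and function name is a hypothetical stand-in; the comments name the MobileFirst API each one corresponds to. It reproduces the symptom from the question (logout clears the server-side state, so the securityTest-protected adapter challenges while the OAuth-protected adapter still accepts the cached token) and the remedy from the answer (re-obtain an authorization header for the remaining scope after logout, or discard the cached token when logging out of everything).

```javascript
// Added example, not MobileFirst SDK code: an in-memory model of the two
// protection mechanisms described in the thread. All names are hypothetical.
//  - a "classic" adapter (JS adapter + securityTest) is checked against the
//    server-side session state that WL.Client.logout() updates;
//  - an OAuth-protected adapter (Java adapter + scope) is checked against the
//    access token the client holds, which logout() does not touch.

class AuthServer {
  constructor() {
    this.authenticatedRealms = new Set(); // server-side security state
  }
  login(realm) {                 // stands in for answering a challenge
    this.authenticatedRealms.add(realm);
  }
  logout(realm) {                // stands in for WL.Client.logout(realm)
    this.authenticatedRealms.delete(realm);
  }
  // Stands in for the token endpoint behind obtainAuthorizationHeaderForScope:
  // issues a token covering exactly the requested realms, but only if all of
  // them are currently authenticated; otherwise the caller is challenged.
  issueToken(scope) {
    const realms = scope.split(" ");
    const missing = realms.filter((r) => !this.authenticatedRealms.has(r));
    if (missing.length > 0) {
      throw new Error("challenge for realm(s): " + missing.join(", "));
    }
    return { scopes: new Set(realms) };
  }
  // Classic adapter: authorisation depends on the server-side session only.
  callClassicAdapter(realm) {
    if (!this.authenticatedRealms.has(realm)) {
      throw new Error("challenge for realm(s): " + realm);
    }
    return "data";
  }
  // OAuth adapter: authorisation depends on the presented token only.
  callOAuthAdapter(token, realm) {
    if (!token || !token.scopes.has(realm)) {
      throw new Error("challenge for realm(s): " + realm);
    }
    return "data";
  }
}

class Client {
  constructor(server) {
    this.server = server;
    this.token = null; // cached token (localStorage in the browser simulator)
  }
  // Stands in for WLAuthorizationManager.obtainAuthorizationHeader(scope)
  obtainAuthorizationHeader(scope) {
    this.token = this.server.issueToken(scope);
    return this.token;
  }
  discardCachedToken() {         // stands in for localStorage.removeItem(...)
    this.token = null;
  }
  callJsAdapter(realm) { return this.server.callClassicAdapter(realm); }
  callJavaAdapter(realm) { return this.server.callOAuthAdapter(this.token, realm); }
}

// true when fn() ends in a challenge instead of returning data
function challenged(fn) {
  try { fn(); return false; } catch (e) { return /challenge/.test(e.message); }
}

// Reproduces the observation in the question: after logout, the JS adapter
// challenges again but the Java adapter still returns data.
function logoutWithoutRefresh() {
  const server = new AuthServer();
  const client = new Client(server);
  server.login("realm1");
  client.obtainAuthorizationHeader("realm1");
  server.logout("realm1");
  return {
    jsAdapterChallenged: challenged(() => client.callJsAdapter("realm1")),
    javaAdapterStillWorks: client.callJavaAdapter("realm1") === "data",
  };
}

// The documented remedy, in the two-realm form the documentation uses: after
// logout(realm2), re-obtain a token for realm1 only. The stale token is
// replaced, so realm2 resources are challenged while realm1 keeps working.
function logoutWithRefresh() {
  const server = new AuthServer();
  const client = new Client(server);
  server.login("realm1");
  server.login("realm2");
  client.obtainAuthorizationHeader("realm1 realm2");
  server.logout("realm2");
  const staleTokenCoversRealm2 = client.token.scopes.has("realm2");
  client.obtainAuthorizationHeader("realm1");
  return {
    staleTokenCoversRealm2,
    realm1Works: client.callJavaAdapter("realm1") === "data",
    realm2Challenged: challenged(() => client.callJavaAdapter("realm2")),
  };
}

// Logging out of every realm leaves no scope to re-request, so the cached
// token is discarded instead (what localStorage.removeItem did in the question).
function logoutAll() {
  const server = new AuthServer();
  const client = new Client(server);
  server.login("realm1");
  client.obtainAuthorizationHeader("realm1");
  server.logout("realm1");
  client.discardCachedToken();
  return challenged(() => client.callJavaAdapter("realm1"));
}
```

The model's issueToken stands in for the server side of the real obtainAuthorizationHeader call; the MobileFirst calls it mirrors are the ones named in the comments and in the answer above. The point it makes concrete is that the server-side session check and the token check are independent, so WL.Client.logout() alone leaves a usable token for OAuth-protected resources until a new header is obtained or the cached token is dropped.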