
Logout route not sending the access_token #1820

Open
rickgoemans opened this issue Jan 17, 2023 · 0 comments

This week I've been updating our OAuth2 flow for the SPA with Laravel Passport, since the password grant token is not recommended because you can't hide the client_secret.

For this reason we've decided to switch over to the "Authorization Code Grant with PKCE" (https://laravel.com/docs/9.x/passport#code-grant-pkce). We're using Nuxt with the auth module (https://auth.nuxtjs.org), which is configured as shown below:

```js
auth: {
	plugins: [
		'~/plugins/auth.ts',
	],
	redirect: {
		login: '/auth/login',
		logout: '/auth/logout-success',
		callback: '/auth/callback',
		home: '/dashboard',
	},
	strategies: {
		oauth2: {
			scheme: 'oauth2',
			endpoints: {
				authorization: `${process.env.AUTH_BASE_URL}authorize`,
				token: `${process.env.AUTH_BASE_URL}token`,
				logout: `${process.env.SPA_API_BASE_URL}auth/logout`,
				userInfo: `${process.env.SPA_API_BASE_URL}auth/me`,
			},
			responseType: 'code',
			grantType: 'authorization_code',
			accessType: 'offline',
			clientId: process.env.OAUTH_CLIENT_ID,
			scope: '*',
			codeChallengeMethod: 'S256',
		},
	},
},
```

What I find confusing is that the logout request being sent does not include the Authorization header (with Bearer ...). Does that mean it's only supposed to go through a web route, and is therefore stateful with a session, and should log out the user's session that was set during the login phase to obtain the code (oauth_auth_codes table in the database), which is needed to grab an access_token and refresh_token?

I assume the access_token and refresh_token have to be revoked to ensure somebody else could not use them if they could collect them somehow.

Another confusing/weird thing for me is that the session lifetime will probably be lower (by default 120 minutes in Laravel's config/session.php) than the token's lifetime (which is by default one year according to the docs: https://laravel.com/docs/9.x/passport#token-lifetimes), resulting in the user already being logged out by exceeding the session limit while still having a valid access/refresh token.

Either I'm missing some crucial part or I've misconfigured something, but for me (with the current implementation), I'm worried and confused a lot.
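As an added illustration of the revocation step the issue asks about (this is example code, not part of the issue, of Laravel Passport, or of the nuxt auth module), the following Laravel route revokes the bearer access token presented on the logout request together with every refresh token issued for it. It assumes a Laravel 9 application with Passport installed, a `routes/api.php` file, and that the route path `/auth/logout` corresponds to the `${SPA_API_BASE_URL}auth/logout` endpoint from the configuration above; those names are assumptions.

```php
<?php
// Added example, not code from the issue or from Passport/nuxt-auth.
// Assumed location: routes/api.php in a Laravel 9 app with Passport.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Laravel\Passport\RefreshTokenRepository;
use Laravel\Passport\TokenRepository;

// Route path is an assumption matching `${SPA_API_BASE_URL}auth/logout`.
// The `auth:api` guard (Passport's token guard) validates the Bearer token
// before the closure runs: a request without an Authorization header is
// rejected with 401 and nothing is revoked, so a logout that "succeeds"
// without a token would be visible as an unauthenticated call in the logs.
Route::middleware('auth:api')->post('/auth/logout', function (
    Request $request,
    TokenRepository $tokens,
    RefreshTokenRepository $refreshTokens
) {
    // Passport's HasApiTokens trait exposes the access token used on this
    // request as a Laravel\Passport\Token model (oauth_access_tokens row).
    $accessToken = $request->user()->token();

    // Mark the access token revoked, then every refresh token chained to it
    // (oauth_refresh_tokens rows keyed by access_token_id), so neither can be
    // reused even though its configured lifetime has not expired.
    $tokens->revokeAccessToken($accessToken->id);
    $refreshTokens->revokeRefreshTokensByAccessTokenId($accessToken->id);

    // Stateless: no web session is involved, only the token rows.
    return response()->noContent();
});
```

The SPA must send `Authorization: Bearer <access_token>` on this call for the revocation to apply to the right row, and should discard its local copy of both tokens afterwards regardless of the response. Because revocation is recorded in the database rather than in a session, the mismatch between the 120-minute session lifetime and the one-year token lifetime noted above does not affect it.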
