[mitreid-connect] Logout

Luiz Omori luiz.omori at duke.edu
Mon Mar 27 09:51:05 EDT 2017


Hi,

There are at least two tickets related to logout: Issue 856<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/856>, Issue 891<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/891> and they are still open. So, what is the recommended logout process for the current implementation?

Our biggest problem at this point is the fact that even if the user logs out from our application but leaves the browser (at least on Chrome, closing a tab is not enough) open, when she tries to log in again MitreID sends her directly to the approval, if necessary, or just sends back an authorization code right away. I believe this is caused by the browser sending the JSESSIONID which MitreID uses to keep track of its sessions. This is extremely concerning for us. We understand that the general case may be a bit tricky but we need to be able to handle the simple case (one app with one session) first.

Regards,
Luiz
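
An added illustration, not part of the original message and not MITREid Connect code: a toy model of the behaviour described above, where the application's logout leaves the provider's own cookie-backed session alive, so the next authorization request is answered without a login. All class and function names are hypothetical; `prompt=login` and `max_age` are the standard OpenID Connect Core authorization request parameters, and how a particular server honours them is an assumption here.

```python
import secrets
import time


class OP:
    """Toy OpenID Provider: sessions keyed by its own session cookie value."""

    def __init__(self):
        self.sessions = {}  # cookie value -> {"sub": ..., "auth_time": ...}

    def login(self, sub, now=None):
        cookie = secrets.token_urlsafe(16)  # stands in for JSESSIONID
        self.sessions[cookie] = {"sub": sub,
                                 "auth_time": time.time() if now is None else now}
        return cookie

    def end_session(self, cookie):
        # Server-side invalidation of the provider's session.
        self.sessions.pop(cookie, None)

    def authorize(self, cookie, prompt=None, max_age=None, now=None):
        """Decide what the authorization endpoint does for this browser."""
        now = time.time() if now is None else now
        session = self.sessions.get(cookie)
        if session is None or prompt == "login":
            return "show_login"
        if max_age is not None and now - session["auth_time"] > max_age:
            return "show_login"
        return "issue_code"  # user never sees a login form


def scenario():
    """Constructed walk-through: one app, one user, one browser left open."""
    op = OP()
    app_sessions = {"app-cookie"}            # the application's own session
    op_cookie = op.login("alice", now=1000.0)
    app_sessions.discard("app-cookie")       # application logout only
    results = {
        "after_app_logout": op.authorize(op_cookie, now=1600.0),
        "with_prompt_login": op.authorize(op_cookie, prompt="login", now=1600.0),
        "with_max_age_300": op.authorize(op_cookie, max_age=300, now=1600.0),
    }
    op.end_session(op_cookie)                # provider session ended as well
    results["after_op_session_ended"] = op.authorize(op_cookie, now=1600.0)
    return results


if __name__ == "__main__":
    print(scenario())
```
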