-
Notifications
You must be signed in to change notification settings - Fork 299
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revisit the concept of User Sessions #265
Comments
Updated title and description. @johanstokking @kschiffer comments please. |
I think it's good to work towards a screen like that, but I see a complicated solution for a simple problem. That is, if you logout in an OAuth client (i.e. CLI or Console), and you log back in, the OAuth server logs you in automatically, so you don't have a chance to switch accounts. Right? Isn't that fixed by the switcher in #488 ? |
I agree that having the OAuth client logout actually go to the OAuth server is a shortterm and effective solution. |
So what do we decide here? |
I think we should do (in order)
|
OK sounds good. |
So this would be a simple page with a logout button?
I often see a message like these on authorization pages: "You are currently logged in as USER_NAME" and then a link to switch the account. The problem for the console being that we skip the authorize screen altogether, so we can indeed only solve it by adding an additional screen. |
|
Replaced by #1422. |
Summary:
We need to discuss what to do about the concept of user sessions.
Why do we need this?
There is to much confusion about user sessions, logins, logouts, etc.
What is already there? What do you see now?
In addition to the OAuth server, all OAuth clients (CLI's and consoles) also have their own login/logout. Logins to an OAuth client result in an OAuth authorization (if not already authorized), as well as an OAuth access token and typically an OAuth refresh token (hereafter simply OAuth tokens). Logouts from the OAuth client result in a revocation of the OAuth token of the current session of the current user on the current client.
Logouts from a user on an OAuth client do not revoke other OAuth tokens of the same user on the same OAuth client. This means that if I am logged in with the Console on two different laptops, and I logout on one laptop, I'm still logged in on the other laptop. This makes complete sense to me. If Airmail on my MacBook and on my iMac are both logged in with my Google account, and I logout of one, then the other is still logged in.
Logouts from a user on an OAuth client do not revoke other OAuth tokens of the same user on a different OAuth client. This means that if I am logged in with the Console and CLI, and logout from the console, I'm still logged in with the CLI. This also makes complete sense to me. If Airmail and Contacts on my MacBook are both logged in with my Google account, and I logout of one, then the other is still logged in.
Logouts from an OAuth client do not revoke the user's session on the OAuth server. This means that if I am logged in with the CLI, and then logout, I may still be logged in on the Identity Server. Again makes sense. If I logout of my Airmail, my browser is still logged in to google.com.
And finally, logouts from the OAuth server do not revoke OAuth tokens. This makes complete sense with the Google example. If I logout from google.com, my email doesn't suddenly stop working. So this should be the same for our OAuth server. If I logout from the Identity Server, my Console sessions in my 3 browsers shouldn't be affected, right? And the ones on my iMac? Oh but wait, I'm still logged in to the OAuth server on my iMac! This is how people lose their minds.
Oh and things will get even worse when we'll have a multi-region Identity Server 😏
Enough?
What is missing? What do you want to see?
I think we should extend the UI of the Identity Server with a page
/account
that looks like this:This will allow users to manage their sessions (direct logins to the OAuth server / Identity Server), manage client authorizations and allow them to revoke OAuth tokens.
I think all logouts should (after doing the usual revocation of OAuth tokens) redirect the user to that account page on the Identity Server where they can decide what to do about other sessions and OAuth client authorizations. We could even build something that allows us to filter OAuth client authorizations and OAuth tokens by the session that created them.
The text was updated successfully, but these errors were encountered: