MobileFirst OAuth and Logout

Frontend · unresolved · 1 answer · 581 views
野趣味, 2021-01-07 12:04

I have a test application that accesses two Adapters:

  1. A JavaScript adapter protected by a SecurityTest referencing a realm
  2. A Java adapter with a metho
1 answer
  • 2021-01-07 12:45

    With OAuth, logout 'works' differently. See the following user documentation topic (search for "logout"): http://www-01.ibm.com/support/knowledgecenter/SSHS8R_7.0.0/com.ibm.worklight.dev.doc/dev/c_oauth_security_model.html?lang=en

    The login/logout API:
    The WLClient login/logout API enables a user to log in to and log out of a specific realm, by updating the server side security state. However, in the new OAuth-based security model, security credentials are also kept in the access token on the client side. The result is that using this API will cause an inconsistent state, for example, in which the client is logged out of a realm on the server side but still holds a valid token for that realm on the client side. To solve this inconsistency, it is recommended to re-obtain the access token, by using the obtainAuthorizationHeaderForScope method, after successful login or logout.

    For example, consider a client that passed the security checks for Realm1 and Realm2, and later calls logout(Realm2). In this case, the access token on the client would still contain the security credentials for both Realm1 and Realm2, and the client could use this token to access protected resources. To refresh the token, that is, to obtain a token for Realm1 only, the client calls obtainAuthorizationHeaderForScope without the logged out realm Realm2.

    In JavaScript the equivalent call is:

     WLAuthorizationManager.obtainAuthorizationHeader("SomeRealm")
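The following is an added example, not code from the question, the answer, or the MobileFirst SDK. It models the Realm1/Realm2 scenario the answer quotes with a constructed in-memory stand-in for the SDK: `logout(realm, {onSuccess, onFailure})` is assumed to have the same call shape as `WL.Client.logout`, and `obtainAuthorizationHeader(scope)` takes a space-separated realm list and returns a promise, as the answer uses it. The token format (base64 JSON with a `scope` field) is constructed for the demo only and is not the real MobileFirst token format. The point it shows is the inconsistency the answer describes: after a bare `logout("Realm2")` the server has forgotten Realm2, but the header the client cached still grants both realms until it is re-obtained for the reduced scope.

```javascript
// Constructed in-memory stand-in for the MobileFirst SDK (example code, not the
// SDK): tracks which realms the server-side session has passed and mints a token
// for whatever scope the client asks for, provided the server still considers
// every requested realm logged in.
function makeFakeSdk(loggedInRealms) {
  const serverRealms = new Set(loggedInRealms);

  // Constructed token format for this demo only ("Bearer " + base64 JSON);
  // it is NOT the real MobileFirst token format.
  const mintToken = (realms) =>
    "Bearer " + Buffer.from(JSON.stringify({ scope: realms.join(" ") })).toString("base64");

  const client = {
    // Assumed to match the WL.Client.logout(realm, {onSuccess, onFailure}) call shape.
    logout(realm, options) {
      if (!serverRealms.has(realm)) {
        options.onFailure({ errorMsg: "not logged in to " + realm });
        return;
      }
      serverRealms.delete(realm); // server-side state changes ...
      options.onSuccess();        // ... but nothing touches the client's cached token
    },
  };

  const authManager = {
    // Same call shape as WLAuthorizationManager.obtainAuthorizationHeader(scope):
    // space-separated realm list in, promise of a header out.
    obtainAuthorizationHeader(scope) {
      const requested = scope.split(" ").filter(Boolean);
      const denied = requested.filter((r) => !serverRealms.has(r));
      return denied.length
        ? Promise.reject(new Error("server denies scope: " + denied.join(" ")))
        : Promise.resolve(mintToken(requested));
    },
  };

  return { client, authManager };
}

// Realms a (constructed-format) header currently grants.
function tokenScope(header) {
  const json = Buffer.from(header.replace(/^Bearer /, ""), "base64").toString("utf8");
  return JSON.parse(json).scope.split(" ").filter(Boolean);
}

// Scope to request again after logging out of one realm: everything but that realm.
function remainingScope(grantedRealms, loggedOutRealm) {
  return grantedRealms.filter((r) => r !== loggedOutRealm).join(" ");
}

// The pattern the answer recommends: log out on the server, then immediately
// replace the cached header with one obtained for the reduced scope, so the
// client never keeps a token for a realm it has logged out of.
function logoutAndRefresh(sdk, session, realm) {
  return new Promise((resolve, reject) => {
    sdk.client.logout(realm, {
      onSuccess() {
        const scope = remainingScope(session.realms, realm);
        sdk.authManager.obtainAuthorizationHeader(scope).then((header) => {
          session.realms = scope.split(" ").filter(Boolean);
          session.header = header;
          resolve(session);
        }, reject);
      },
      onFailure(err) {
        reject(new Error(err.errorMsg));
      },
    });
  });
}

// Walk-through of the Realm1/Realm2 scenario. Resolves to the scope the cached
// header grants right after a bare logout(Realm2) (still both realms: the
// inconsistency) and after re-obtaining the header (Realm1 only).
function demo() {
  const sdk = makeFakeSdk(["Realm1", "Realm2"]);
  const session = { realms: ["Realm1", "Realm2"], header: null };
  return sdk.authManager
    .obtainAuthorizationHeader("Realm1 Realm2")
    .then((header) => {
      session.header = header;
      return new Promise((res, rej) =>
        sdk.client.logout("Realm2", { onSuccess: res, onFailure: rej }));
    })
    .then(() => {
      const staleScope = tokenScope(session.header); // still ["Realm1", "Realm2"]
      return sdk.authManager
        .obtainAuthorizationHeader(remainingScope(session.realms, "Realm2"))
        .then((header) => ({ staleScope, refreshedScope: tokenScope(header) }));
    });
}

demo().then((result) => console.log(JSON.stringify(result)));
```

The stand-in server denies a scope containing a realm it no longer considers logged in, so re-obtaining the header is also the moment any attempt to keep Realm2 would fail; without that refresh the stale token is still presented successfully to whatever the client calls next.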
    