topic Re: calling destroyCredentials on identityManager does not invalidate oauth token in ArcGIS JavaScript Maps SDK Questions

calling destroyCredentials on identityManager does not invalidate oauth token

omar-marji — Tue, 11 Apr 2023 10:32:26 GMT

In our app, we are using the oauth2 flow to authenticate users using the identity manager's registerOAuthInfos() and getCredential() methods.

Once the user signs out, we are calling the destroyCredentials() method.

But if we use the existing token after destroyCredentials() is called to call any rest endpoint, it appears that the token is still valid and was not revoked.

We also tried to use the REST JS API to create an identity manager using ArcGISIdentityManager.fromCredential() method (supplying the information from the Maps SDK for JS identity manager) then calling the signout() method on it. But still it results in the same behavior.

We even tried to manually call the /revokeToken (https://developers.arcgis.com/rest/users-groups-and-items/revoke-token.htm) rest end point, which also does nothing.

Is there a way to revoke the user's tokens after logout?

Re: calling destroyCredentials on identityManager does not invalidate oauth token

ViktorSafar — Mon, 17 Apr 2023 09:51:55 GMT

This was in the context of a WAB widget but I too had problems with signing out, and ended up doing this:

var oReq = new XMLHttpRequest(); oReq.open("get", `${IdentityManager.oAuthInfos[0].portalUrl}/sharing/rest/oauth2/signout`, false); oReq.setRequestHeader('Content-Type', 'text/xml'); oReq.send();

which should take care of the server side.

And then all this to get the client to destroy all the things

Re: calling destroyCredentials on identityManager does not invalidate oauth token

omar-marji — Tue, 25 Apr 2023 06:45:32 GMT

Thank you for your reply. Unfortunately you solution did not do the trick for me.