calling destroyCredentials on identityManager does not invalidate oauth token

04-11-2023 03:32 AM
omar-marji
New Contributor III

In our app, we are using the oauth2 flow to authenticate users using the identity manager's registerOAuthInfos() and getCredential() methods.

Once the user signs out, we are calling the destroyCredentials() method.

But if we use the existing token after destroyCredentials() is called to call any REST endpoint, it appears that the token is still valid and was not revoked.

We also tried to use the REST JS API to create an identity manager using ArcGISIdentityManager.fromCredential() method (supplying the information from the Maps SDK for JS identity manager) then calling the signout() method on it. But still it results in the same behavior.

We even tried to manually call the /revokeToken (https://developers.arcgis.com/rest/users-groups-and-items/revoke-token.htm) REST endpoint, which also does nothing.

Is there a way to revoke the user's tokens after logout?

0 Kudos
2 Replies
ViktorSafar
Occasional Contributor II

This was in the context of a WAB widget but I too had problems with signing out, and ended up doing this:

      var oReq = new XMLHttpRequest();
      oReq.open("get", `${IdentityManager.oAuthInfos[0].portalUrl}/sharing/rest/oauth2/signout`, false);
      oReq.setRequestHeader('Content-Type', 'text/xml');
      oReq.send();

which should take care of the server side.

And then all this to get the client to destroy all the things

  // Assumes IdentityManager and jimuUtils are already loaded by the widget.
  function logOut() {
    if (window.appInfo.isRunInPortal) {
      removeEsriAuthCookieStorage();
    }
    else {
      removeCookie("wab_auth");
    }

    // Drop every credential the identity manager holds in memory
    IdentityManager.destroyCredentials();
  }

  const removeEsriAuthCookieStorage = () => {
    removeCookie('esri_auth');

    // Remove the OAuth state persisted in web storage
    var itemName = "esriJSAPIOAuth";
    if (window.localStorage) {
      window.localStorage.removeItem(itemName);
    }
    if (window.sessionStorage) {
      window.sessionStorage.removeItem(itemName);
    }
  };

  // Takes only the cookie name; the cookie is removed for path '/'
  const removeCookie = (cookieName) => {
    var path = '/';
    jimuUtils.removeCookie(cookieName, path);
  };

0 Kudos
omar-marji
New Contributor III

Thank you for your reply. Unfortunately, your solution did not do the trick for me.

0 Kudos
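
One way to test the behaviour described in the question is to replay a token captured before sign-out and classify the portal's answer. This is an added example, not code from the thread or from Esri; the `/sharing/rest/community/self` probe endpoint, the 498/499 error codes, the sample bodies and all function names are assumptions of this example.

```javascript
// Added example (not from the thread). Assumed ArcGIS REST error codes:
const INVALID_TOKEN = 498;  // "Invalid token"
const TOKEN_REQUIRED = 499; // "Token required"

// Constructed sample response bodies, for illustration only.
const SAMPLE_REJECTED = { error: { code: 498, message: "Invalid token.", details: [] } };
const SAMPLE_STILL_VALID = { username: "constructed_user", role: "org_user" };

// Classify a parsed JSON body. ArcGIS REST can answer HTTP 200 with an
// "error" object inside, so the HTTP status alone is not a reliable signal.
function classifyTokenResponse(body) {
  if (body && body.error) {
    const code = body.error.code;
    if (code === INVALID_TOKEN || code === TOKEN_REQUIRED) return "rejected";
    return "inconclusive"; // e.g. a 500 says nothing about the token
  }
  // A user record coming back means the token was honoured.
  if (body && typeof body.username === "string") return "still-valid";
  return "inconclusive";
}

// Replay a token captured before sign-out against a token-protected endpoint.
// The token goes in a POST body so it does not end up in URLs or access logs.
// fetchImpl is injectable so the check can be exercised offline.
async function checkTokenAfterSignOut(portalUrl, token, fetchImpl = fetch) {
  const url = `${portalUrl.replace(/\/+$/, "")}/sharing/rest/community/self`;
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ f: "json", token }).toString(),
    cache: "no-store", // never let a cached success mask a revoked token
  });
  let body = null;
  try {
    body = await res.json();
  } catch {
    // non-JSON answer (proxy error page, redirect to login): inconclusive
  }
  return classifyTokenResponse(body);
}
```

A result of "still-valid" after sign-out reproduces the problem reported above; "inconclusive" means the probe itself failed and should be retried rather than read as a pass.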