Revoke Rest-Api Authorization

Could someone get me an example of how to revoke an authorization and authentication performed using the Rest-Api,
precisely to not keep the sessions open.

Hi,

Do you mean access token revocation? If so, then there is the /oauth/revoke endpoint for that (see Swagger).

Hello,

Trying to use /oauth/revoke:
in Tomcat, the sessions remain; in CUBA, when calling this API, they were released.

A test I did with the application generated in CUBA:
1 - starts an API session;
2 - for each API authentication call, a session record is created, that is, it lists all user sessions;
3 - when revoking one of the sessions, it leaves the user’s session list;

curl --request POST \
  --url http://localhost:8080/app/rest/v2/oauth/revoke \
  --header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data token=2_0Ga0vT6-AHlMzZdiFYy4gKKgg

But when running the same test with Jmix,
when executing step 3, that is, revoking the session with the command below, the token loses access,
but the user’s session remains open, and the same happens in Tomcat, not reducing the open sessions.

curl --request POST \
  --url http://localhost:8080/oauth/revoke \
  --header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data token=-qEnpe1pLFV2HAu8pY_2_sj_PBs

Here comes my question: is this behavior expected in Jmix?
When revoking a token, shouldn’t you remove sessions, both in Tomcat and in Jmix?

Hi,

Where do you see a list of opened sessions in Jmix after you get an access token?

In the app, the menu option, user sessions.

In the attached sequence of screens, I am following the app, Tomcat, and Insomnia to show the sequences carried out; it is a controlled environment, that is, without external users.

In CUBA, when revoking, sessions, both in the app and in Tomcat, exit.

In Jmix they are staying there, but no longer available for use, in my opinion consuming resources unnecessarily.

Could you help me find where I am going wrong?

sessao.7z (419.7 KB)

Which Tomcat version do you use? It seems that on the latest 9.0.74 this issue doesn’t appear.