OPENIDM-6471: Add UI log-out support when using httpOnly JWT tokens


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: OpenIDM 4.0.0, OpenIDM 4.5.0
    • Fix Version/s: OpenIDM 5.0.0
    • Component/s: Module - Web UI
    • Labels:

      Description

      When clicking the 'logout' button within the UI, the following code is executed:

              cookieHelper.deleteCookie("session-jwt", "/", ""); // resets the session cookie to discard an old session that may still exist

      When the JWT session cookie is set with 'httpOnly', client-side JavaScript cannot read, modify or delete it, so the cookie is never cleared and the user is unable to log out of the UI.

      Reproduction:

      • Fresh OpenIDM 4.0.0 or 4.5.0 instance
      • Modify the JWT Session Module within 'authentication.json' to include "isHttpOnly" : true
      • Start OpenIDM and log in to Self Service or the Admin Console as openidm-admin
      • Try to log out

            People

            • Assignee: Jake Feasel (jake.feasel)
            • Reporter: Tom Wood (tom.wood)
            • Votes: 0
            • Watchers: 7
