Securing API using openidc and oauth2

I am developing a platform for our company and it's just the beginning of a suite of applications. Since there will be users using one or more of the applications, we thought it would be a good idea to have single sign-on. So I began looking into the various options we had and very quickly came across IdPs and protocols such as OAuth2 and OpenID Connect. We decided to build an API for the service and now I'm stuck at implementing authentication and authorization properly. What I have done thus far is create public clients, which means they don't have a client_secret, and use the password grant_type so they can log in and get an access token. However, my API also needs to know if a user is logged in so as to protect access to some resources, and what I have now is a system where I cannot hit the introspection endpoint to ask my auth server if the user with a given access_token is logged in (the introspect endpoint is not allowed for public clients). What I can do, however, is look at the JWT (access_token) and extract user information. This isn't very good because what if the user had already logged out? What if someone else got hold of this token, even if it has been invalidated by the auth server?

Hey there @vino-jasuba, I apologize for the delay in response.

After checking with our senior team member, I was able to confirm that when you log out it should be able to remove the local storage along with the JWT. We are unable to revoke tokens directly, but we would recommend leveraging short-lived tokens in that same desired nature. We would also recommend migrating to the Code Grant flow with PKCE as well.

Due to the age of this topic I will continue to keep it open for another ten days unless I hear otherwise from you. Thanks!
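The two recommendations in the reply, PKCE for the public client and short-lived tokens validated offline by the API, are shown below as an added example. It is not code from the original thread, from the poster, or from the IdP vendor. The PKCE part follows RFC 7636 (S256). The token part constructs its own HS256-signed JWT with an assumed shared key so it runs offline; a real IdP typically signs with RS256/ES256 and the API would fetch the public key from the JWKS endpoint instead, but the claim checks (signature, pinned `alg`, `iss`, `aud`, `exp`, `nbf`) are the same. The issuer and audience strings are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# ---- PKCE (RFC 7636): what the public client does instead of the password grant ----

def make_code_verifier(nbytes=32):
    """Random code_verifier: 32 random bytes -> 43 base64url chars (RFC allows 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")

def make_code_challenge(verifier):
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def verifier_matches_challenge(verifier, challenge):
    """The check the authorization server performs at the token endpoint before
    exchanging the code; a stolen authorization code is useless without the verifier."""
    return hmac.compare_digest(make_code_challenge(verifier), challenge)

# ---- Offline access-token validation: what the API does when introspection is unavailable ----

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims, key):
    """Constructed token for this example only; in production the IdP signs, not the API."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_access_token(token, key, issuer, audience, now=None):
    """Return the claims if the token is acceptable for this API, else raise ValueError.
    Because the IdP cannot revoke, 'exp' is the only thing bounding a leaked token,
    which is why the lifetime must be short."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the expected alg; never let the token choose
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")      # a token minted for another API must not work here
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims

def token_is_acceptable(token, key, issuer, audience, now=None):
    """Boolean wrapper for request middleware: any validation failure means 401."""
    try:
        validate_access_token(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Assumed values: shared key, issuer URL and audience name are placeholders.
    KEY, ISS, AUD = b"example-shared-key", "https://idp.example", "my-api"
    issued = 1_700_000_000
    tok = sign_hs256({"iss": ISS, "aud": AUD, "sub": "user-1", "iat": issued,
                      "exp": issued + 300}, KEY)       # 5-minute lifetime
    print("within lifetime:", token_is_acceptable(tok, KEY, ISS, AUD, now=issued + 60))
    print("after lifetime: ", token_is_acceptable(tok, KEY, ISS, AUD, now=issued + 301))
    v = make_code_verifier()
    print("pkce ok:", verifier_matches_challenge(v, make_code_challenge(v)))
```

Logout on the client side is then simply discarding the stored token; the API keeps honouring it until `exp`, so the lifetime you choose is the window a stolen or post-logout token remains usable. Refresh tokens, which the code flow gives you, let the client stay signed in without lengthening that window.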
