Question

I am using Symfony 2.0 and FOSOAuthServerBundle, which implements OAuth2, for managing my app's clients' access to my PHP server.

Everything works perfectly, any token generation, refreshing, etc, etc...

One of the effects obtained is that any time I enter the app, I don't need to re-enter my credentials, as the token is still valid or, otherwise, I refresh it using the proper API method.

Typical behavior and all perfect so far.

Now I need to develop a "Logout" button in my app in order to invalidate that user's token and avoid the use of any refresh_token for him. Sort of revoke his token and/or credentials. In other words, really simulate logging out from the server, causing the user to re-enter his credentials the next time he gets into the app.

What does OAuth2 set up for this? Is it a standard behavior with its own API method? Or should I override some behavior in order to get it?


Solution

In case someone's stuck on the same thing: I had similar questions, but it turned out to be a conceptual mistake. Perhaps this may help you: https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/issues/236

OTHER TIPS

By definition, OAuth2 is STATELESS, so it does not make sense to log out from an OAuth server. To do that, just destroy the access token in the client-side app (we suppose here that you have control of the app).

But, when a third-party app is connected to your server, you can force the logout mechanism by removing all access tokens that were given by your server to that user of the client application. So, when the app wants to use one of the destroyed tokens, it will get a 401 HTTP response (The access token provided is invalid). Note that if the application has saved the user's password in its local storage, it can log in automatically to your server without asking the user to enter their password. So, destroying access tokens on the server side is not a sure method.
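As an added illustration of the server-side revocation described in this answer (example code, not from the question, the answers or FOSOAuthServerBundle): a constructed in-memory token store with a "logout" that revokes a user's access and refresh tokens, after which the resource server returns 401 and the refresh grant fails. The TokenStore class and its method names are assumptions for the demo; a client that stored the user's password can still obtain a fresh token pair by logging in again, which is the caveat above.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Token:
    value: str
    user: str
    client_id: str
    expires_at: float
    revoked: bool = False

class TokenStore:
    # Constructed in-memory store; a real server keeps these rows in a database.
    def __init__(self):
        self.access = {}   # access token value -> Token
        self.refresh = {}  # refresh token value -> Token

    def issue(self, user, client_id, access_ttl=3600, refresh_ttl=14 * 86400):
        # Called on a password grant or a refresh grant; returns the token pair.
        now = time.time()
        a = Token(secrets.token_urlsafe(32), user, client_id, now + access_ttl)
        r = Token(secrets.token_urlsafe(32), user, client_id, now + refresh_ttl)
        self.access[a.value] = a
        self.refresh[r.value] = r
        return a.value, r.value

    def check_access(self, value):
        # Resource-server side: unknown, revoked or expired tokens get a 401.
        t = self.access.get(value)
        if t is None or t.revoked or t.expires_at < time.time():
            return 401, {"error": "invalid_grant", "error_description": "The access token provided is invalid."}
        return 200, {"user": t.user, "client_id": t.client_id}

    def refresh_grant(self, value):
        # Refresh tokens must be revoked as well, or the client silently re-logs in.
        r = self.refresh.get(value)
        if r is None or r.revoked or r.expires_at < time.time():
            return 400, {"error": "invalid_grant"}
        r.revoked = True  # single use: rotate the refresh token on every refresh
        access, refresh = self.issue(r.user, r.client_id)
        return 200, {"access_token": access, "refresh_token": refresh}

    def logout_user(self, user, client_id=None):
        # Server-side "logout": revoke every live access and refresh token of the user (optionally for one client only).
        n = 0
        for t in list(self.access.values()) + list(self.refresh.values()):
            if t.user == user and not t.revoked and client_id in (None, t.client_id):
                t.revoked = True
                n += 1
        return n
```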

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow