Session management usage
13.3.2.5. AS-centric AS - session management usage

Use Case Scenario

This scenario does not try to demonstrate a real-world scenario. It just demonstrates some of the capabilities of the session management functionality.

In this example, the following sequence of steps will be used.:

  • 1.
    Client retrieves current session.
  • 2.
    Client retrieves all sessions.
  • 3.
    Client logs out a specific session, but not the current one.
  • 4.
    Client retrieves all sessions - logged out session is not longer on the list.

Step 1: Client retrieves current session

To retrieve the current session, the client must supply a valid access token as a bearer token.

Get Current Session Request

GET https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/session/
 Authorization: Bearer eyJraWQ...RNLJs9_3-Vw

In response, the authorization server will respond with the attributes of the current session.

Get Current Session Response

200 OK
 {
     "meta": {
         "type": "jsonapi.metadata.document",
         "timestamp": "2020-09-07T14:07:54.086Z"
     },
     "data": {
         "type": "oauth2-session",
         "id": "kQBhsGhsBfrhUx8t8jBKLfobSZyK4bDA6wTddCRc",
         "attributes": {
         "customAttributes": {},
         "clientId": "oidc-client",
         "consentTimestamp": "2020-09-07T13:43:54.139Z",
         "authenticationTimestamp": "2020-09-07T13:43:22.890Z"
             }
     }
} 

Step 2: Client retrieves all sessions

To retrieve all sessions, the client must supply a valid access token as a bearer token.

Get ALL Sessions Request

GET https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/sessions/
 Authorization: Bearer eyJraWQ...RNLJs9_3-Vw

The above requests use the "sessions" endpoint instead of the "session" endpoint from the request in step 1.

In response, the authorization server will respond with the attributes of all sessions associated with this user.

Get ALL Sessions Response

200 OK
 {
     "meta": {
         "type": "jsonapi.metadata.document", 
        "timestamp": "2020-09-07T14:01:36.958Z"
     },
     "data": [
         {
             "type": "oauth2-session",
             "id": "qk2aBBxYXVsQFUEiM7ts95Sq9sm8DkqyNzoxeypt",
             "attributes": {
                 "customAttributes": {},
                 "clientId": "oidc-client",
                 "consentTimestamp": "2020-09-07T12:00:12.086Z",
                 "authenticationTimestamp": "2020-09-07T11:59:46.759Z"
         }
     },
             {
             "type": "oauth2-session",
             "id": "2zfpD9SkBQ6ZmSVx6pyfrqPKew2obTYG8wfeFSXz",
             "attributes": {
                "customAttributes": {},
                  "clientId": "oidc-client",
                  "consentTimestamp": "2020-09-07T07:01:32.693Z",
                 "authenticationTimestamp": "2020-09-07T06:59:54.445Z"
            }
         },
             {
            "type": "oauth2-session",
              "id": "uTAGooeGbRPuMDY7knTdnBKdmaF9n4th3DboL91T",
             "attributes": {
                 "customAttributes": {},
                 "clientId": "0a6b3f94-f872-4399-850c-072cd58ee7e9",
                 "consentTimestamp": "2020-09-07T08:59:32.066Z",
                 "authenticationTimestamp": "2020-09-07T08:50:00.686Z"
             }
     },
            {
              "type": "oauth2-session",
             "id": "kQBhsGhsBfrhUx8t8jBKLfobSZyK4bDA6wTddCRc",
             "attributes": {
                 "customAttributes": {},
                 "clientId": "oidc-client",
                 "consentTimestamp": "2020-09-07T13:43:54.139Z",
                 "authenticationTimestamp": "2020-09-07T13:43:22.890Z"
            }
        }  
    ]
  }

Step 3: Logout a specific session

To retreive the current session, the client must supply a valid access token as a bearer token.

Get Current Session Request

DELETE https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/sessions/qk2aBBxYXVsQFUEiM7ts95Sq9sm8DkqyNzoxeypt/
 
 Authorization: Bearer eyJraWQ...RNLJs9_3-Vw

In response the authorization server will respond with the attributes of the current session.

Get Current Session Response

204 OK

Step 4: Client retrieves all sessions

Step 4 is identical to step 2 but it will only return 3 results. The session deleted in step 3 is no longer returned.