Session management usage
Use Case Scenario
This scenario is not meant to reflect a real-world use case; it merely demonstrates some of the capabilities of the session management functionality.
In this example, the following sequence of steps will be used:
- Client retrieves current session.
- Client retrieves all sessions.
- Client logs out a specific session, but not the current one.
- Client retrieves all sessions – the logged-out session is no longer on the list.
Step 1 – Client retrieves current session
To retrieve the current session, the client must supply a valid access token as a bearer token:
Get Current Session Request
GET https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/session/
Authorization: Bearer eyJraWQ...RNLJs9_3-Vw
The authorization server responds with the attributes of the current session:
Get Current Session Response
200 OK
{
  "meta": {
    "type": "jsonapi.metadata.document",
    "timestamp": "2020-09-07T14:07:54.086Z"
  },
  "data": {
    "type": "oauth2-session",
    "id": "kQBhsGhsBfrhUx8t8jBKLfobSZyK4bDA6wTddCRc",
    "attributes": {
      "customAttributes": {},
      "clientId": "oidc-client",
      "consentTimestamp": "2020-09-07T13:43:54.139Z",
      "authenticationTimestamp": "2020-09-07T13:43:22.890Z"
    }
  }
}
Step 2 – Client retrieves all sessions
To retrieve all sessions, the client must supply a valid access token as a bearer token:
Get ALL Sessions Request
GET https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/sessions/
Authorization: Bearer eyJraWQ...RNLJs9_3-Vw
The above request uses the sessions endpoint instead of the session endpoint used in Step 1.
The authorization server responds with the attributes of all sessions associated with this user (the user the access token was issued for):
Get ALL Sessions Response
200 OK
{
  "meta": {
    "type": "jsonapi.metadata.document",
    "timestamp": "2020-09-07T14:01:36.958Z"
  },
  "data": [
    {
      "type": "oauth2-session",
      "id": "qk2aBBxYXVsQFUEiM7ts95Sq9sm8DkqyNzoxeypt",
      "attributes": {
        "customAttributes": {},
        "clientId": "oidc-client",
        "consentTimestamp": "2020-09-07T12:00:12.086Z",
        "authenticationTimestamp": "2020-09-07T11:59:46.759Z"
      }
    },
    {
      "type": "oauth2-session",
      "id": "2zfpD9SkBQ6ZmSVx6pyfrqPKew2obTYG8wfeFSXz",
      "attributes": {
        "customAttributes": {},
        "clientId": "oidc-client",
        "consentTimestamp": "2020-09-07T07:01:32.693Z",
        "authenticationTimestamp": "2020-09-07T06:59:54.445Z"
      }
    },
    {
      "type": "oauth2-session",
      "id": "uTAGooeGbRPuMDY7knTdnBKdmaF9n4th3DboL91T",
      "attributes": {
        "customAttributes": {},
        "clientId": "0a6b3f94-f872-4399-850c-072cd58ee7e9",
        "consentTimestamp": "2020-09-07T08:59:32.066Z",
        "authenticationTimestamp": "2020-09-07T08:50:00.686Z"
      }
    },
    {
      "type": "oauth2-session",
      "id": "kQBhsGhsBfrhUx8t8jBKLfobSZyK4bDA6wTddCRc",
      "attributes": {
        "customAttributes": {},
        "clientId": "oidc-client",
        "consentTimestamp": "2020-09-07T13:43:54.139Z",
        "authenticationTimestamp": "2020-09-07T13:43:22.890Z"
      }
    }
  ]
}
Step 3 – Log out a specific session
To log out (terminate) a specific session, the client must put the session's ID in the request path. The request must also include a valid access token as a bearer token.
Terminate Specific Session Request
DELETE https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/sessions/qk2aBBxYXVsQFUEiM7ts95Sq9sm8DkqyNzoxeypt/
Authorization: Bearer eyJraWQ...RNLJs9_3-Vw
The authorization server responds with HTTP status code 204 No Content, which means that the session has been terminated.
Terminate Specific Session Response
204 No Content
Step 4 – Client retrieves all sessions
Step 4 is identical to Step 2 but returns only 3 results: the session terminated in Step 3 is no longer returned.
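The four steps above, driven from a small client, as an added example that is not Airlock's own code. The endpoint paths and the session ids are taken from this page; the SessionClient class, the in-memory fake authorization server, the access-token value and the terminate_other_sessions helper are assumptions of this example. The fake server exists only so the scenario runs offline; against a real authorization server the transport would be an HTTPS call carrying the same method, URL and Authorization header. The client also refuses to terminate the session that owns the access token it is using, which is the check a "log out everywhere else" feature needs and which the page's scenario (logging out a session other than the current one) relies on.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

# Endpoint base from the page; only the path after it differs per step.
BASE = "https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS"

# A transport takes (method, url, headers) and returns (status, body). Assumption:
# in production this would wrap an HTTPS client; here it is a fake server.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


class SessionClient:
    """Client for the session / sessions endpoints described on this page."""

    def __init__(self, access_token: str, transport: Transport):
        self._headers = {"Authorization": f"Bearer {access_token}"}
        self._send = transport

    def _call(self, method: str, path: str, expect: int) -> Optional[dict]:
        status, body = self._send(method, BASE + path, self._headers)
        if status != expect:
            raise RuntimeError(f"{method} {path}: expected {expect}, got {status}")
        return json.loads(body) if body else None

    def current_session(self) -> dict:
        # Step 1: GET .../session/ -> the session bound to this access token
        return self._call("GET", "/session/", 200)["data"]

    def all_sessions(self) -> List[dict]:
        # Step 2: GET .../sessions/ -> every session of the token's user
        return self._call("GET", "/sessions/", 200)["data"]

    def terminate(self, session_id: str) -> None:
        # Step 3: DELETE .../sessions/{id}/ ; the server answers 204 No Content.
        # Guard: never cut off the session that issued the token we are using.
        if session_id == self.current_session()["id"]:
            raise ValueError("refusing to terminate the current session")
        self._call("DELETE", f"/sessions/{session_id}/", 204)

    def terminate_other_sessions(self) -> List[str]:
        """'Log out everywhere else': terminate all sessions except the current one
        and return the ids that were terminated (helper assumed by this example)."""
        current_id = self.current_session()["id"]
        others = [s["id"] for s in self.all_sessions() if s["id"] != current_id]
        for sid in others:
            self._call("DELETE", f"/sessions/{sid}/", 204)
        return others


def make_fake_server(token: str, current_id: str, sessions: List[dict]) -> Transport:
    """Constructed stand-in for the authorization server (assumption of this example).
    It checks the bearer token and serves the three operations the page shows."""
    store = {s["id"]: s for s in sessions}          # mutable per fake instance
    meta = {"type": "jsonapi.metadata.document", "timestamp": "2020-09-07T14:07:54.086Z"}

    def transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if headers.get("Authorization") != f"Bearer {token}":
            return 401, ""                           # wrong or missing bearer token
        path = url[len(BASE):]
        if method == "GET" and path == "/session/":
            return 200, json.dumps({"meta": meta, "data": store[current_id]})
        if method == "GET" and path == "/sessions/":
            return 200, json.dumps({"meta": meta, "data": list(store.values())})
        if method == "DELETE" and path.startswith("/sessions/") and path.endswith("/"):
            sid = path[len("/sessions/"):-1]
            if sid in store:
                del store[sid]
                return 204, ""
        return 404, ""
    return transport


def _session(sid: str, client_id: str, consent: str, auth: str) -> dict:
    return {"type": "oauth2-session", "id": sid,
            "attributes": {"customAttributes": {}, "clientId": client_id,
                           "consentTimestamp": consent, "authenticationTimestamp": auth}}

# Sample data constructed from the "Get ALL Sessions Response" on this page.
SAMPLE_SESSIONS = [
    _session("qk2aBBxYXVsQFUEiM7ts95Sq9sm8DkqyNzoxeypt", "oidc-client",
             "2020-09-07T12:00:12.086Z", "2020-09-07T11:59:46.759Z"),
    _session("2zfpD9SkBQ6ZmSVx6pyfrqPKew2obTYG8wfeFSXz", "oidc-client",
             "2020-09-07T07:01:32.693Z", "2020-09-07T06:59:54.445Z"),
    _session("uTAGooeGbRPuMDY7knTdnBKdmaF9n4th3DboL91T", "0a6b3f94-f872-4399-850c-072cd58ee7e9",
             "2020-09-07T08:59:32.066Z", "2020-09-07T08:50:00.686Z"),
    _session("kQBhsGhsBfrhUx8t8jBKLfobSZyK4bDA6wTddCRc", "oidc-client",
             "2020-09-07T13:43:54.139Z", "2020-09-07T13:43:22.890Z"),
]
CURRENT_ID = "kQBhsGhsBfrhUx8t8jBKLfobSZyK4bDA6wTddCRc"   # current session per Step 1
TOKEN = "constructed-access-token"                          # placeholder, not a real JWT


def run_scenario() -> dict:
    """Steps 1-4 of the page against the fake server; returns what each step saw."""
    client = SessionClient(TOKEN, make_fake_server(TOKEN, CURRENT_ID, SAMPLE_SESSIONS))
    current = client.current_session()                              # Step 1
    before = client.all_sessions()                                  # Step 2
    client.terminate("qk2aBBxYXVsQFUEiM7ts95Sq9sm8DkqyNzoxeypt")    # Step 3
    after = client.all_sessions()                                   # Step 4
    return {"current": current["id"], "before": len(before), "after": len(after),
            "remaining": [s["id"] for s in after]}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Each make_fake_server call gets its own session store, so the scenario is repeatable; the session dicts are never mutated, only removed from the store.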