Interface LoggedOutSessionStore

All Known Implementing Classes:
InMemoryLoggedOutSessionStore

public interface LoggedOutSessionStore
Tracks SessionID values of sessions logged out with the OpenID Connect Back-Channel Logout protocol through the BackchannelLogoutServlet.

Those sessions will be invalidated by the UserFilter when a corresponding HttpSession is being used. The BackchannelLogoutSessionListener is responsible for notifying this store of the SessionID values that are being used by sessions.

Implementations could also directly invalidate the session if possible, rather than only marking it as logged out to later be invalidated by the UserFilter. In this case, the BackchannelLogoutSessionListener might not be necessary depending on the implementation.

  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    CONTEXT_ATTRIBUTE_NAME
  • Method Summary

    Modifier and Type
    Method
    Description
    default void
    acquire(SessionID sessionID, String sessionId)
    Associates the OpenID Provider session ID with a new HTTP session of the application.
    default boolean
    isLoggedOut(SessionID sessionID)
    Returns whether the given session ID has been logged out.
    void
    logout(SessionID sessionID)
    Records the given session ID as having been logged out at the OpenID Provider.
    default void
    release(SessionID sessionID, String sessionId)
    Dissociates the OpenID Provider session ID from an application's HTTP session.
    default void
    renew(SessionID sessionID, String oldSessionId, String newSessionId)
    Notifies the store that the application's HTTP session, associated with a given OpenID Provider session ID, has changed ID.
  • Field Details

    • CONTEXT_ATTRIBUTE_NAME

      static final String CONTEXT_ATTRIBUTE_NAME
  • Method Details

    • logout

      void logout(SessionID sessionID)
      Records the given session ID as having been logged out at the OpenID Provider.

      Implementations could also directly invalidate the session if possible, rather than only marking it as logged out to later be invalidated by the UserFilter. In this case, the BackchannelLogoutSessionListener might not be necessary depending on the implementation.

    • isLoggedOut

      default boolean isLoggedOut(SessionID sessionID)
      Returns whether the given session ID has been logged out.

      Called by UserFilter to possibly invalidate sessions as they're being tentatively used.

    • acquire

      default void acquire(SessionID sessionID, String sessionId)
      Associates the OpenID Provider session ID with a new HTTP session of the application.
    • release

      default void release(SessionID sessionID, String sessionId)
      Dissociates the OpenID Provider session ID from an application's HTTP session.
    • renew

      default void renew(SessionID sessionID, String oldSessionId, String newSessionId)
      Notifies the store that the application's HTTP session, associated with a given OpenID Provider session ID, has changed ID.
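
One way to implement the contract described above, where acquire, renew and release track which application HTTP sessions use an OpenID Provider session and isLoggedOut answers the UserFilter's check. This is an added example, not the library's InMemoryLoggedOutSessionStore or any other code from the project. The nested SessionID record and interface are stand-ins copying the signatures listed on this page; TrackingStore, the stand-in default bodies and the sample IDs are assumptions.

```java
import java.util.*;
class LoggedOutStoreDemo {
  // Stand-ins so this file compiles alone (assumption; records need Java 16+).
  record SessionID(String value) {}
  interface LoggedOutSessionStore {
    void logout(SessionID sessionID);
    default boolean isLoggedOut(SessionID sessionID) { return false; }
    default void acquire(SessionID sessionID, String sessionId) {}
    default void release(SessionID sessionID, String sessionId) {}
    default void renew(SessionID sessionID, String oldSessionId, String newSessionId) {}
  }

  /** Hypothetical store: keeps a logout marker only while HTTP sessions still reference it. */
  static class TrackingStore implements LoggedOutSessionStore {
    // OP session ID -> application HTTP session IDs currently associated with it
    private final Map<SessionID, Set<String>> inUse = new HashMap<>();
    private final Set<SessionID> loggedOut = new HashSet<>();
    @Override public synchronized void acquire(SessionID sid, String httpId) {
      inUse.computeIfAbsent(sid, k -> new HashSet<>()).add(httpId);
    }
    @Override public synchronized void renew(SessionID sid, String oldId, String newId) {
      // The HTTP session changed ID: move the association so release() still matches.
      Set<String> ids = inUse.get(sid);
      if (ids != null && ids.remove(oldId)) ids.add(newId);
    }
    @Override public synchronized void release(SessionID sid, String httpId) {
      // When the last HTTP session goes away, drop the marker so the set stays bounded.
      Set<String> ids = inUse.get(sid);
      if (ids == null || !ids.remove(httpId) || !ids.isEmpty()) return;
      inUse.remove(sid);
      loggedOut.remove(sid);
    }
    @Override public synchronized void logout(SessionID sid) {
      // Design choice of this example: with no associated session, nothing is recorded.
      if (inUse.containsKey(sid)) loggedOut.add(sid);
    }
    @Override public synchronized boolean isLoggedOut(SessionID sid) { return loggedOut.contains(sid); }
  }

  public static void main(String[] args) {
    TrackingStore store = new TrackingStore();
    SessionID sid = new SessionID("op-session-1"); // constructed sample values
    store.acquire(sid, "http-A");
    store.renew(sid, "http-A", "http-B");
    store.logout(sid);
    System.out.println("after logout:  " + store.isLoggedOut(sid));
    store.release(sid, "http-B");
    System.out.println("after release: " + store.isLoggedOut(sid));
  }
}
```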