
I cannot find any information about this issue anywhere online, so I'm going to put it here!

I'm using a frontend application which redirects to a custom auth_views.LoginView on the backend (django-oauth-toolkit) with the client_id, etc. I have all of this working. (I'm using implicit grant, btw).

The problem is when the user logs out, I use /o/revoke_token, which successfully removes the token from the db. However, when the user turns around and logs back in, it never prompts them for their username/password again. The auth_views.LoginView will give a 302 and redirect back to the frontend with a valid api_key.

How can I prevent this? I want to prompt the user EVERY TIME they hit that page for their username/password. This way, they can log out and log back in with a different user, if necessary.

Josh Newlin

2 Answers


I had the same problem, and if I'm not mistaken, it's because you need to actually log out too.

At the moment, your user is still logged in, so the client will ask for a new token, your auth server will check whether the user is properly logged in, will find that they are, and will just provide a new token instead of redirecting.

ZaX
  • Yes, I ended up having to go ahead and redirect the user to the logout endpoint to kill the browser session. This did it! Thanks – Josh Newlin Apr 26 '19 at 19:06
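The mechanism behind this answer, as an added example that is not part of the original answers and not django-oauth-toolkit's own code: a constructed in-memory model of the two independent pieces of state involved. The Django session (what the login cookie refers to) and the OAuth access-token table (what /o/revoke_token clears) are separate. The authorize endpoint only asks for credentials when there is no authenticated session, so revoking tokens alone never produces a password prompt; ending the session does. The user store, session and token dictionaries, and the `full_logout` helper are all assumptions made for the demo.

```python
"""
Constructed model of why revoking an OAuth token does not force re-login.

Added example, not django-oauth-toolkit code. It mimics the two independent
pieces of state a real deployment has: the Django session ("this browser is
logged in as user X") and the OAuth token table (what /o/revoke_token clears).
"""
import secrets
from dataclasses import dataclass, field

# Constructed credential store for the demo (username -> password).
USERS = {"alice": "alice-pw", "bob": "bob-pw"}


@dataclass
class AuthServer:
    # session_id -> username, modelled on Django's session backend
    sessions: dict = field(default_factory=dict)
    # access_token -> username, modelled on the OAuth access-token table
    tokens: dict = field(default_factory=dict)

    def login(self, username, password):
        """LoginView equivalent: verify credentials, start a session."""
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def authorize(self, session_id):
        """Implicit-grant authorize endpoint, modelled on a login-required view.

        Returns ("login_required", None) when the browser has no authenticated
        session, otherwise ("token", access_token) with a freshly minted token.
        The token table is never consulted here, which is the whole point.
        """
        user = self.sessions.get(session_id)
        if user is None:
            return ("login_required", None)
        token = secrets.token_urlsafe(24)
        self.tokens[token] = user
        return ("token", token)

    def revoke_token(self, token):
        """/o/revoke_token equivalent: removes the token and nothing else."""
        self.tokens.pop(token, None)

    def logout(self, session_id):
        """Django logout equivalent: destroy the session."""
        self.sessions.pop(session_id, None)

    def full_logout(self, session_id, token):
        """What the frontend must do: revoke the token AND end the session."""
        self.revoke_token(token)
        self.logout(session_id)


def revoke_only_flow():
    """Reproduce the question: revoke, then hit authorize again."""
    srv = AuthServer()
    sid = srv.login("alice", "alice-pw")
    _, token = srv.authorize(sid)
    srv.revoke_token(token)
    status, new_token = srv.authorize(sid)  # same browser, same cookie
    return status, srv.tokens.get(new_token)


def revoke_and_logout_flow():
    """Apply the fix: revoke and kill the session, then authorize as bob."""
    srv = AuthServer()
    sid = srv.login("alice", "alice-pw")
    _, token = srv.authorize(sid)
    srv.full_logout(sid, token)
    status, _ = srv.authorize(sid)  # old cookie is now worthless
    bob_sid = srv.login("bob", "bob-pw")
    _, bob_token = srv.authorize(bob_sid)
    return status, srv.tokens[bob_token], token in srv.tokens


if __name__ == "__main__":
    print(revoke_only_flow())        # ('token', 'alice')
    print(revoke_and_logout_flow())  # ('login_required', 'bob', False)
```

In a real deployment the second half of `full_logout` is the frontend sending the browser to whatever URL serves Django's logout view in your project; that URL and whether it accepts GET or POST depend on your `urls.py` and Django version, so they are not assumed here. The order matters too: revoke while you still hold the token, then end the session.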

EDIT: This isn't a good solution. Look at the other answer provided by ZaX.

To follow up on this, I ended up fixing it by just setting the SESSION_COOKIE_AGE to a small number, 3, to allow login but not keep the user's session alive. This will force them to re-enter their username/password, but it's not necessary to have a session to request from the backend as long as you have an access token.

Josh Newlin