Question regarding revoking tokens #294
I am building a streamlit app and the authentication now works perfectly, using a modified version of this package https://github.com/hunkim/streamlit-google-oauth. I switched it to use the OpenID client instead of Google. So here's the question: Wouldn't revoking the token be all that is required in order to have someone need to re-enter their credentials after they log out? Because after the initial authentication, when I hit "logout", I can log right back in without needing to re-enter credentials again and when I check the developer tools not much seems to be happening. I'm unsure if I'm barking up the wrong tree, but I'd appreciate any insight you could offer.
Replies: 1 comment
`httpx-oauth` is only there to make the requests to the API and retrieve the tokens. How they are stored and cleared will depend on the library using it.

That said, when you say "without needing to re-enter credentials again"; do you still see the redirection to the OpenID service? Sometimes, identity providers keep a session on their side so the OAuth request is automatically granted and you are redirected directly without any prompt.

If it's the case, you can force to show the login window by passing the `prompt=login` query parameter to your authorize URL. It's part of the OpenID specification, so if your identity provider supports it, you should always see the login page. With `httpx-oauth`,…

```py
authorization_url = await client.get_authorization_url(
    "https://www.tintagel.bt/oauth-callback",
    scope=["SCOPE1", "SCOPE2", "SCOPE3"],
    extras_params={"prompt": "login"}
)
```
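An added example (not part of the reply above and not `httpx-oauth` code): `prompt=login` is only a request to the provider, so the application can also send the OpenID Connect `max_age=0` parameter and check the ID token's `auth_time` claim on the callback to confirm that a fresh login really happened. The authorize endpoint, client ID and sample claims are made up for illustration, and the ID token's signature, issuer and audience are assumed to have been validated already.

```python
from urllib.parse import urlencode

# Hypothetical values for illustration only.
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://www.tintagel.bt/oauth-callback"


def build_reauth_url(state, nonce):
    """Authorization URL that asks the provider to re-prompt for credentials."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "prompt": "login",  # ask the provider not to reuse its own session
        "max_age": "0",     # also makes auth_time a required ID token claim
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def reauthenticated(claims, expected_nonce, request_sent_at, skew=60):
    """True only if the ID token shows a login that happened after our request.

    `claims` must come from an already validated ID token; this function
    checks the nonce binding and the freshness of the login, nothing else.
    """
    if claims.get("nonce") != expected_nonce:
        return False
    auth_time = claims.get("auth_time")
    # bool is an int subclass, so reject it explicitly.
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return False  # claim missing or malformed: treat as not re-authenticated
    return auth_time >= request_sent_at - skew


# Constructed sample claims, as they might look after ID token validation.
SENT_AT = 1_700_000_000
FRESH = {"sub": "u1", "nonce": "n-1", "auth_time": SENT_AT + 12}
STALE = {"sub": "u1", "nonce": "n-1", "auth_time": SENT_AT - 86_400}

if __name__ == "__main__":
    print(build_reauth_url("s-1", "n-1"))
    print(reauthenticated(FRESH, "n-1", SENT_AT))
    print(reauthenticated(STALE, "n-1", SENT_AT))
```

If the check fails after logout, the provider is still honouring its own session, and clearing or revoking the application's tokens alone will not force a credential prompt.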