I am using the node-oidc-library to create an oauth authorization server.
Everything seems to be working fine, except for logging out the user.
The documentation is a bit silent on how to log out a user, but I think it is hidden in the FAQ where it is explained how to show whether or not the user is logged in.
When a user clicks the logout link on the authorization server, I destroy the session:
const oidcContext = provider.app.createContext(req, res);
const session = await provider.Session.get(oidcContext);
await session.destroy();
This seems to work, however, it has the side-effect of also removing any grants the user has given.
So next time the user logs on, he has to go through the consent screen again.
My question: is there any way to log out the user, but without the need for him to go through the consent screens a second time when he logs back on.
After further investigation, it turns out that the grant id is stored in the session. So when the session disappears, the link to the grant disappears and the user is asked his consent again on next login.
There is a workaround: use the loadExistingGrant method. There is a recipe explaining this function.
This function can be used to get the user and client from the session and load the grant, thus skipping the consent screen.