Disable session creation on OAuth2 requests/authorization server login

Created on 31 January 2023, over 1 year ago

Problem/Motivation

I am running a decoupled system, where I have a NodeJS front-end server with Drupal 10 running in the back-end. The Node server is communicating with Drupal with REST APIs. Some of these APIs are authenticated using the Authorization Code Grant. The Node client redirects the user to the authorization server, where the user can validate credentials. Everything works, and I get the authorization code which the client can exchange for an access token. The issue is when the user validates their credentials with the authorization server, a session cookie gets created by Drupal, which is unnecessary since API endpoints are authenticated with OAuth2. Once the user logs out on the front-end, that Drupal session cookie needs to be deleted somehow, but since the user was logged in with OAuth2, the logout token necessary to destroy the session cookie is unknown to the Node server.

Proposed resolution

Similar to the issue and solution with the OAuth2 Server module here, I propose a setting where we can disable session creation when a user validates their credentials with the OAuth server, and thus, no session cookie needs to be destroyed when the user logs out from a front-end.

This is my first time creating an issue, so let me know if there is any information missing, or if I raised the issue in an incorrect manner. Also let me know if there is a solution or workaround to this potential issue that would make it a non-issue.

✨ Feature request
Status

Needs review

Version

5.2

Component

Miscellaneous

Created by

🇺🇸United States naslevente

