Terminate Active User Sessions on User Role Change Events through the WSO2 Identity Server
The WSO2 Identity Server serves many purposes, as you have seen in its docs. Yet there are edge cases that require customization. This blog guides you through terminating a user's active sessions when that user's roles change. As a solution for this scenario, I have written a small extension that captures role change events and terminates the user's active sessions.
First, let’s take a quick peek at the design of this extension based on the diagram below. It shows a high-level flow design of the extension while the descriptions shed light on each step.
You can find the source code for the above on GitHub, and if you want to know about back-channel logout, please refer to this Medium article. The diagram is quite self-explanatory, hence I'll move on to the more involved part, which is configuring the extension and executing a sample scenario.
Configuring the Extension
- Download the Identity Server from the official site. Hereafter the location of the Identity Server will be referred to as `<IS_HOME>`.
Setting Up the Extension
- Clone the project by executing the command `git clone https://github.com/deshankoswatte/identity-event-handler-session-termination.git`.
- Open and build the project by executing the command `mvn clean install`.
- After successfully building the project, copy the artifacts, `com.wso2.common-1.0.0-SNAPSHOT.jar`, and paste them inside the
Setting Up the Identity Server
- Open the `deployment.toml` file located at `<IS_HOME>/repository/conf/` and append the following lines to register the event handler and its subscriptions.
- Start the WSO2 Identity Server by executing the command `sh wso2server.sh` in the
- Navigate to the Management Console at `https://localhost:9443/carbon/admin/login.jsp` and log in by providing the admin credentials.
- Create a few roles and role-assigned users by following the guide in the official documentation.
- Create the service providers for pickup-dispatch and pickup-manager with the help of the Medium article.
Try out the Scenario
- Log in to pickup-dispatch and pickup-manager with a user who has the chosen role assigned, using Single Sign-On.
- Go to the Management Console and remove the role from that specific user.
- You can see that both the pickup-dispatch and pickup-manager applications get logged out through back-channel logout.
This extension can also be used with other events with minor changes to the source code.
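To show what such a handler looks like, here is an added sketch of the core class. It is not the code from the GitHub repository above; the class name, handler name and constructor injection of the session service are my assumptions, and the event and property constants are those of the identity-framework `IdentityEventConstants` class as I know them, so verify them against your Identity Server version.

```java
package com.example.session; // hypothetical package, not the repository's

import java.util.Map;
import org.wso2.carbon.identity.application.authentication.framework.UserSessionManagementService;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserSessionException;
import org.wso2.carbon.identity.event.IdentityEventConstants;
import org.wso2.carbon.identity.event.IdentityEventException;
import org.wso2.carbon.identity.event.event.Event;
import org.wso2.carbon.identity.event.handler.AbstractEventHandler;

/**
 * Ends every active session of a user whose role list has just been updated,
 * so that applications relying on the old role set drop the user via
 * back-channel logout instead of keeping a stale session alive.
 */
public class RoleChangeSessionTerminator extends AbstractEventHandler {

    // Assumed to be injected by the bundle's OSGi service component.
    private final UserSessionManagementService sessionService;

    public RoleChangeSessionTerminator(UserSessionManagementService sessionService) {
        this.sessionService = sessionService;
    }

    @Override
    public String getName() {
        // Must match the handler name registered in deployment.toml.
        return "roleChangeSessionTerminator"; // assumed name
    }

    @Override
    public void handleEvent(Event event) throws IdentityEventException {
        // To react to other lifecycle events, subscribe to and check a different event name here.
        if (!IdentityEventConstants.Event.POST_UPDATE_ROLE_LIST_OF_USER.equals(event.getEventName())) {
            return;
        }
        Map<String, Object> props = event.getEventProperties();
        String username = (String) props.get(IdentityEventConstants.EventProperty.USER_NAME);
        String userStoreDomain = (String) props.get(IdentityEventConstants.EventProperty.USER_STORE_DOMAIN);
        String tenantDomain = (String) props.get(IdentityEventConstants.EventProperty.TENANT_DOMAIN);
        try {
            // Terminates all sessions of the user; the server then triggers back-channel logout.
            sessionService.terminateSessionsOfUser(username, userStoreDomain, tenantDomain);
        } catch (UserSessionException e) {
            // Surface the failure so the role update is not silently left with live sessions.
            throw new IdentityEventException("Failed to terminate sessions of " + username, e);
        }
    }
}
```

Because this fires on any role-list update, additions included, a stricter variant would inspect the deleted-roles property before terminating.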
Thank you Guys! I’ll see you in another blog.