I see since the last time that I looked that users can have more than one auth token. Is this effectively one token per device/browser combination or is it something else?
Also is it possible to sent this auth token to the SSO service? This would facilitate login out of the central authority triggering a log out of discourse in the device/browser that logged out.
One token per browser is it. Since the server has no clue what the token is (it only stores a hash) it can no longer share tokens between browsers.
There is no endpoint for logging out a particular token at the moment, only for logging out the entire user. I am totally open to add an admin route that allow an admin to delete an auth token, effectively giving you the ability to log off a single browser.
That may be what I I am looking for. The big question is does discourse token set as part of the SSO process. It has been 6 months since I had to look at that code.
Here is what I would be trying for:
User logs in via SSO which in my case is an app (cas_sso) that sits between CAS and Discourse.
cas_sso stashes the cas token used to allow cas logout* and now caches the token from discourse
cas logout get sent to cas_sso when the cas session expires
cas_sso now has both the cas token and the discourse token that are linked and can use that information to log out that particular discourse session.
Currently I just drop the logout request on the floor.
(Cas logout is when your CAS session on the CAS server expires and the CAS server sends logout requests to every thing that logged in to that session.)