Token Revocation
Composable storefront requests the revocation of the user authentication token when a user signs out of the storefront, terminating the OCC session.
Terminating the OCC session on sign-out is a security improvement.
Token revocation works as follows:
- When a customer signs out of the storefront, a token revocation request is sent.
- When an ASM customer support agent signs out, a token revocation request is sent.
- When a customer who is emulated with ASM signs out, a token revocation request is not sent. The customer support agent's token is used in emulation sessions, so composable storefront only revokes the token when the agent signs out.
If the token revocation request fails, composable storefront fails silently, because there is no action it can take to recover. For example, requesting the revocation of an already-expired token results in an HTTP 401 response. Whatever error response the server sends, composable storefront fails silently.
Requirements
For the front end, you need version 1.4 or newer of the composable storefront libraries.
For the back end, token revocation is available with version 1905.6 or newer of SAP Commerce Cloud.
Composable storefront 1.4 can still be used with an SAP Commerce Cloud back end that is older than 1905.6, but in the front end, token revocation will fail silently if the back end does not support it.
Under the hood, a back end that does not support token revocation answers a token revocation request with an HTTP 302 redirect: a request sent to an authorization-related endpoint that does not exist is redirected to the login.jsp page.
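The sign-out rules above (customer and ASM agent revoke, emulated customer does not) and the fail-silently behaviour on a 401 or on a legacy back end's 302 redirect, as an added example that is not composable storefront's own code. The revocation URL is a placeholder, and the transport is an injected synchronous callback standing in for fetch so the example runs offline.

```typescript
// Added example, not part of the composable storefront libraries.

type SessionKind = "customer" | "asm-agent" | "asm-emulated-customer";

interface Session {
  kind: SessionKind;
  // The customer's token, or the agent's token while an ASM emulation is running.
  accessToken: string;
}

// Response shape modelled on fetch's Response: a real fetch follows the 302 from a
// pre-1905.6 back end and reports the login.jsp page with `redirected: true`.
interface RevokeResponse {
  status: number;
  redirected?: boolean;
}

// Synchronous stand-in for fetch so the example needs no network (assumption).
type Transport = (url: string, init: { method: string; body: string }) => RevokeResponse;

// Constructed placeholder; the real path comes from your OCC / authorization server config.
const REVOKE_URL = "https://commerce.example/authorizationserver/oauth/revoke";

type RevokeOutcome = "revoked" | "failed-silently" | "skipped";

// Sends the revocation request and swallows every failure: a 401 for an already
// expired token, a redirect to login.jsp from a back end without the endpoint, or a
// transport error. There is nothing the storefront can do to recover, so sign-out
// must never be blocked by the result.
function revokeToken(token: string, transport: Transport): RevokeOutcome {
  try {
    const res = transport(REVOKE_URL, {
      method: "POST",
      body: `token=${encodeURIComponent(token)}`,
    });
    const ok = res.status >= 200 && res.status < 300 && !res.redirected;
    return ok ? "revoked" : "failed-silently";
  } catch {
    return "failed-silently";
  }
}

// Customers and ASM agents revoke their own token on sign-out. An emulated customer
// session runs on the agent's token, which stays valid until the agent signs out,
// so no request is sent in that case.
function signOut(session: Session, transport: Transport): RevokeOutcome {
  if (session.kind === "asm-emulated-customer") {
    return "skipped";
  }
  return revokeToken(session.accessToken, transport);
}
```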
Enabling Token Revocation
Token revocation is automatically enabled in composable storefront version 1.4 or newer. It cannot be disabled.
Configuring
No additional configuration is required.
Extending
No special extensibility is available for this feature.