Regarding the request to the authorization endpoint after the token is revoked, the following was observed.
After a user was authenticated on the OpenID Connect (OIDC) Provider server side, the token was revoked explicitly.
When the user then made a request to the authorization endpoint again, the user was not re-challenged by the OIDC Provider server.
This seems to be because a valid SMSESSION exists and is validated.
(1) Is this behavior as designed and expected?
(2) If so, is it necessary to use the option parameter below for the user to be re-challenged?
As per the docops for the Authorization endpoint, the 'prompt' parameter exists as an optional request parameter. By specifying 'login' as the value, the above behavior is avoided so that the user is authenticated again.
Authentication Using Authorization Code Flow / Authorization Endpoint
(Optional) Specifies whether the Authorization Server must prompt the client for reauthentication and consent. Enter space-delimited, case-sensitive ASCII string values. The following values are supported:
login = Specifies that Authorization Server prompts the client for reauthentication. It returns an error if the reauthentication fails.
Release : 12.8.03
Component : CA Access Gateway
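The following is an added example, not code from the post above or from CA Access Gateway. It builds the authorization-code-flow request with prompt=login so that the provider must re-challenge the user even when a valid SSO session (such as SMSESSION) exists, and it checks the callback for either an authorization code or an error such as login_required. It goes slightly beyond the post by validating all four prompt values defined in OpenID Connect Core 1.0 (none, login, consent, select_account) and rejecting the combination of none with anything else. The endpoint URL, client_id and redirect_uri are placeholders.

```python
"""Build an OIDC authorization request that forces re-authentication.

Added example, not code from the original post or from CA Access Gateway.
The endpoint URL, client_id and redirect_uri used here are placeholders.
"""
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs

# Values defined for 'prompt' in OpenID Connect Core 1.0, section 3.1.2.1.
# They are case-sensitive and space-delimited; 'none' may not be combined.
PROMPT_VALUES = {"none", "login", "consent", "select_account"}


def validate_prompt(prompt: str) -> list:
    """Split and check a prompt value. Raises ValueError on anything the
    spec does not allow, so a typo such as 'Login' cannot silently drop
    the re-challenge that 'login' is meant to force."""
    values = prompt.split()
    if not values:
        raise ValueError("prompt must contain at least one value")
    unknown = [v for v in values if v not in PROMPT_VALUES]
    if unknown:
        raise ValueError(f"unsupported prompt value(s): {unknown}")
    if "none" in values and len(values) > 1:
        raise ValueError("prompt=none cannot be combined with other values")
    return values


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, scope: str = "openid",
                            prompt: Optional[str] = None,
                            state: Optional[str] = None,
                            nonce: Optional[str] = None) -> str:
    """Return the authorization-code-flow request URL. 'state' protects
    the redirect against CSRF and 'nonce' binds the ID token to this
    request; both are generated when the caller does not supply them."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if prompt is not None:
        params["prompt"] = " ".join(validate_prompt(prompt))
    return f"{authorize_endpoint}?{urlencode(params)}"


def forces_reauthentication(url: str) -> bool:
    """True if the request carries prompt=login, i.e. the provider must
    re-challenge the user even though a valid SSO session already exists."""
    query = parse_qs(urlsplit(url).query)
    prompt = query.get("prompt", [""])[0]
    return "login" in prompt.split()


def classify_redirect(redirect_url: str) -> tuple:
    """Interpret the redirect back to redirect_uri: ('code', <code>) on
    success, ('error', <error>) when the provider reports a failure such
    as login_required after a failed re-authentication."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        return ("error", query["error"][0])
    if "code" in query:
        return ("code", query["code"][0])
    raise ValueError("redirect carries neither code nor error")


if __name__ == "__main__":
    # Placeholder endpoint and client values (assumptions, not from the post).
    url = build_authorization_url(
        "https://op.example.com/oidc/authorize",
        client_id="demo-client",
        redirect_uri="https://app.example.com/callback",
        prompt="login",
    )
    print(url)
    print("forces re-auth:", forces_reauthentication(url))
```

To confirm the gateway honours the parameter, capture the browser request to the authorization endpoint after revocation and check that it carries prompt=login; if the callback still arrives with a code and no login form was shown, the SSO session was accepted regardless of the parameter.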