
Log out triggered by refreshing site does not trigger OIDC log out #6979


0
larsfk created

Hi!

When the session has timed out I redirect the user to my OIDC logout endpoint, but when the session has timed out and I refresh the site, the application logs out but is not redirected through the OIDC endpoint. This means that I'm logged out of the application, but not from my OIDC login provider. Why and how is the logout process different between clicking in the application and refreshing the site?

Thanks :)


11 Answer(s)
  • 0
    larsfk created

    The logout comes after an error (locally) at line 36 in Web.Core.JwtSecurityTokenHandler ValidateToken:

        var principal = _tokenHandler.ValidateToken(securityToken, validationParameters, out validatedToken);


    So maybe there is an ErrorManager which triggers another way to log out?

  • 0
    ismcagdas created

    Hi @larsfk

    When the session is timed out I redirect the user to my OIDC logout endpoint

    Could you share how you do that?

  • 0
    larsfk created

    By overriding handleAbpResponse. But when the session is out and you "refresh" the page, this is not triggered...

        let abpHttpConfiguration = injector.get(AbpHttpConfiguration);
        abpHttpConfiguration.handleAbpResponse = function (
            response: HttpResponse<any>,
            ajaxResponse: IAjaxResponse
        ): HttpResponse<any> {
            let newResponse: HttpResponse<any>;

            if (ajaxResponse.success) {
                newResponse = response.clone({ body: ajaxResponse.result });

                if (ajaxResponse.targetUrl) {
                    this.handleTargetUrl(ajaxResponse.targetUrl);
                }
            } else {
                newResponse = response.clone({ body: ajaxResponse.result });

                if (!ajaxResponse.error) {
                    ajaxResponse.error = this.defaultError;
                }

                this.logError(ajaxResponse.error);
                //this.showError(ajaxResponse.error);

                // ajaxResponse is the parsed body, so read the ABP flag from it;
                // response.body can be null on a bare 401.
                if (response.status === 401 || ajaxResponse.unAuthorizedRequest === true) {
                    // Log out locally first
                    abp.auth.clearToken();
                    abp.utils.setCookieValue("enc_auth_token", undefined);

                    // Stored by the OIDC client; both can be missing if the user
                    // never logged in through OIDC in this tab.
                    const claimsJson = sessionStorage.getItem("id_token_claims_obj");
                    const iss: string | undefined = claimsJson ? JSON.parse(claimsJson).iss : undefined;
                    const idTokenHint = sessionStorage.getItem("id_token");

                    // This message should come from Mentorapplication-nb.xml in backend
                    // ("Your session has expired and you will therefore be logged out.")
                    ajaxResponse.error.message = "Din sesjon er utgått og vil derfor bli logget ut.";
                    this.showError(ajaxResponse.error).then(() => {
                        // Without OIDC state there is nothing to end at the provider;
                        // the local logout above has already happened.
                        if (iss && idTokenHint) {
                            // Exactly one "/" between issuer and endpoint, and
                            // percent-encoded query values.
                            const base = iss.endsWith("/") ? iss : iss + "/";
                            location.href =
                                base +
                                "endsession?id_token_hint=" +
                                encodeURIComponent(idTokenHint) +
                                "&post_logout_redirect_uri=" +
                                encodeURIComponent(AppConsts.appBaseUrl);
                        }
                    });
                }
            }

            return newResponse;
        };

  • 0
    larsfk created

    So my main question is: what method in abpHttpConfiguration needs to be overridden to trigger a custom logout when refreshing the site while the session is out?

  • 0
    ismcagdas created

    Hi @larsfk

    When you refresh the page, the root module is always executed, so why don't you handle it there?

  • 0
    larsfk created

    I tried with the following code inside "handleLogoutRequest", but it did not work:

        if (abp.session.userId === undefined && currentUrl.indexOf('account/login') < 0) {
            authService.logout(true);
        }


    Any tips on how to best implement it?

  • 0
    ismcagdas created

    What are the values of abp.session.userId and currentUrl in your case?

  • 0
    larsfk created

    abp.session.userId is undefined and currentUrl depends, but is usually "/app/main/something" or "/admin/something".

    But userId is undefined when you first log in as well... Maybe it works if I add it like this:

        if (abp.session.userId === undefined && currentUrl.indexOf('account/login') < 0 && currentUrl.indexOf('/') < 0) {
            authService.logout(true);
        }
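
    The attempts above run into the same problem from two sides: abp.session.userId is undefined both on a first visit and after the ABP session has expired, so a check on userId alone cannot tell whether there is an OIDC session to end, and the handleAbpResponse override builds the end_session URL by string concatenation. The following is an added example, not code from this thread or from the ABP / ASP.NET Zero projects. It assumes the OIDC client keeps "id_token" and "id_token_claims_obj" in sessionStorage (the keys the posted override reads), that the provider's end_session_endpoint is <issuer>/connect/endsession (the IdentityServer default; production code should take it from the discovery document), and that the issuer and post-logout URL in CONFIG are placeholders. It uses the stale id_token as the discriminator, redirects only to the configured issuer, and clears the OIDC state before leaving so the return to post_logout_redirect_uri does not loop.

```javascript
// Added example, not code from the thread or from ABP / ASP.NET Zero.
// Assumptions: the OIDC client stores "id_token" and "id_token_claims_obj" in
// sessionStorage, and the end_session_endpoint is <issuer>/connect/endsession.
const END_SESSION_PATH = "connect/endsession"; // assumed; read from discovery in real code

// Strip trailing slashes so issuer comparison is not tripped by "https://idp/" vs "https://idp".
function normalizeIssuer(s) {
  return typeof s === "string" ? s.replace(/\/+$/, "") : undefined;
}

// Build the RP-initiated logout URL with the URL API instead of concatenation:
// this works whether or not iss ends with "/", and percent-encodes the
// id_token_hint and the post_logout_redirect_uri.
function buildEndSessionUrl(issuer, idTokenHint, postLogoutRedirectUri, state) {
  const base = issuer.endsWith("/") ? issuer : issuer + "/";
  const url = new URL(END_SESSION_PATH, base);
  url.searchParams.set("id_token_hint", idTokenHint);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  if (state) url.searchParams.set("state", state);
  return url.toString();
}

// Run once from the root module on every page load (a refresh runs it too).
// `abpUserId` is abp.session.userId, `storage` is window.sessionStorage.
// Returns an action object instead of navigating so the logic can be tested.
function decideStartupAction(abpUserId, storage, config) {
  if (abpUserId !== undefined && abpUserId !== null) {
    return { action: "continue" }; // ABP still knows the user: nothing to do
  }
  const idToken = storage.getItem("id_token");
  const claimsJson = storage.getItem("id_token_claims_obj");
  if (!idToken || !claimsJson) {
    return { action: "show-login" }; // first visit: no OIDC session to end
  }
  let iss;
  try {
    iss = JSON.parse(claimsJson).iss;
  } catch (e) {
    iss = undefined;
  }
  // Clear the stale OIDC state before leaving: the provider sends the browser
  // back to post_logout_redirect_uri, where this runs again, and without the
  // clear it would find the same id_token and redirect forever.
  storage.removeItem("id_token");
  storage.removeItem("id_token_claims_obj");
  // Redirect only to the issuer we were configured for. sessionStorage is
  // same-origin, but the allowlist check is cheap and keeps a poisoned entry
  // from turning the logout redirect into a redirect to an arbitrary host.
  if (normalizeIssuer(iss) !== normalizeIssuer(config.issuer)) {
    return { action: "show-login" };
  }
  return {
    action: "redirect",
    url: buildEndSessionUrl(iss, idToken, config.postLogoutRedirectUri),
  };
}

// Minimal in-memory stand-in for window.sessionStorage, constructed so the
// example runs outside a browser.
function makeMemoryStorage(initial) {
  const items = new Map(Object.entries(initial || {}));
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Assumed placeholder values; in the browser the root module would do:
//   const d = decideStartupAction(abp.session.userId, sessionStorage, CONFIG);
//   if (d.action === "redirect") location.href = d.url;
const CONFIG = {
  issuer: "https://idp.example.com",
  postLogoutRedirectUri: "https://app.example.com/?x=1",
};
```

    The decision is deliberately based on what the OIDC client left behind rather than on the current route, so it fires on "/app/main/..." and "/admin/..." alike and stays quiet on a genuine first visit.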
    
  • 0
    ismcagdas created

    Yes, it seems like it is hard to do this. Did that work for you?

  • 0
    larsfk created

    Does not seem to work... Hmmmm...

  • 0
    ismcagdas created

    Hi @larsfk

    Not a solution to your problem, but I haven't seen such a logout flow for most of the external login providers. For example, if you log in to an app via Facebook and then log out, it will not log you out from Facebook.

    That is why we haven't implemented it for external login providers.

    So, in your final usage, does the line below execute?

    authService.logout(true)