Hi!
When the session is timed out I redirect the user to my OIDC logout endpoint, but when the session is timed out and I refresh the site, the application logs out but is not redirected through the OIDC endpoint. This means that I'm logged out of the application, but not from my OIDC login providers. Why and how is the logout process different between clicking in the application and refreshing the site?
Thanks :)
11 Answer(s)
-
0
The logout comes after an error (locally) at line 36 in Web.Core.JwtSecurityTokenHandler ValidateToken:
var principal = _tokenHandler.ValidateToken(securityToken, validationParameters, out validatedToken);
So maybe there is an ErrorManager which triggers another way to log out?
-
0
Hi @larsfk
When the session is timed out I redirect the user to my OIDC logout endpoint
Could you share how you do that?
-
0
By overriding handleAbpResponse. But when session is out and you "refresh" the page, this is not triggered...
let abpHttpConfiguration = injector.get(AbpHttpConfiguration);
abpHttpConfiguration.handleAbpResponse = function (
    response: HttpResponse<any>,
    ajaxResponse: IAjaxResponse
): HttpResponse<any> {
    let newResponse: HttpResponse<any>;
    if (ajaxResponse.success) {
        newResponse = response.clone({ body: ajaxResponse.result });
        if (ajaxResponse.targetUrl) {
            this.handleTargetUrl(ajaxResponse.targetUrl);
        }
    } else {
        newResponse = response.clone({ body: ajaxResponse.result });
        if (!ajaxResponse.error) {
            ajaxResponse.error = this.defaultError;
        }
        this.logError(ajaxResponse.error);
        //this.showError(ajaxResponse.error);
        if (response.status === 401 || response.body.unAuthorizedRequest === true) {
            // Logging out: clear the local ABP token and cookie first
            abp.auth.clearToken();
            abp.utils.setCookieValue("enc_auth_token", undefined);
            let iss = JSON.parse(sessionStorage.getItem("id_token_claims_obj")).iss;
            let idTokenHint = sessionStorage.getItem("id_token");
            // This message should come from Mentorapplication-nb.xml in backend
            ajaxResponse.error.message = "Din sesjon er utgått og vil derfor bli logget ut.";
            this.showError(ajaxResponse.error).then(() => {
                // Redirect through the provider's end-session endpoint (query values URL-encoded)
                location.href = iss + "endsession?id_token_hint=" + encodeURIComponent(idTokenHint)
                    + "&post_logout_redirect_uri=" + encodeURIComponent(AppConsts.appBaseUrl);
            });
        }
    }
    return newResponse;
};
-
0
So my main question is what method in abpHttpConfiguration needs to be overridden to trigger a custom logout when refreshing a site when the session is out?
-
0
Hi @larsfk
When you refresh the page, the root module is always executed, so why don't you handle it there?
-
0
I tried with the following code inside "handleLogoutRequest", but it did not work:
if (abp.session.userId === undefined && currentUrl.indexOf('account/login') < 0) { authService.logout(true); }
Any tips on how to best implement it?
-
0
What are the values for abp.session.userId and currentUrl in your case?
-
0
abp.session.userId is undefined and currentUrl depends, but usually "/app/main/something" or "/admin/something".
But userId is undefined when you first log in as well... Maybe it works if I add it like this:
if (abp.session.userId === undefined && (currentUrl.indexOf('account/login') < 0) && currentUrl.indexOf('/') < 0) { authService.logout(true) }
-
0
Yes, it seems like it is hard to do this. Did that work for you?
-
0
Does not seem to work... Hmmmm...
-
0
Hi @larsfk
Not a solution to your problem, but I haven't seen such a logout flow for most of the external login providers. For example, if you log in to an app via Facebook and then log out, it will not log you out from Facebook.
That is why we haven't implemented it for external login providers.
So, for your final usage, does the line below execute?
authService.logout(true)
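
An added example, not part of the thread and not ASP.NET Zero's own code: the end-session redirect from the `handleAbpResponse` override above, factored into a pure function so the same logic can also be called from the root module on a page refresh. The function names and the in-memory storage are hypothetical, the sample values are constructed, and it assumes the login flow runs under `account/login`.

```javascript
// Added example. Function names and the storage wrapper are hypothetical.
// Storage keys and the "endsession" path are the ones used in the thread.

// Build the provider logout URL from what the OIDC client left in storage.
// `storage` is anything with getItem(key), e.g. window.sessionStorage.
function buildEndSessionUrl(storage, postLogoutRedirectUri) {
  const idToken = storage.getItem("id_token");
  const rawClaims = storage.getItem("id_token_claims_obj");
  if (!idToken || !rawClaims) return null; // no provider session known here

  let claims;
  try {
    claims = JSON.parse(rawClaims);
  } catch (e) {
    return null; // corrupted storage: only a local logout is possible
  }
  if (!claims || typeof claims.iss !== "string") return null;

  // Accept issuers with or without a trailing slash; encode both parameters.
  const base = claims.iss.endsWith("/") ? claims.iss : claims.iss + "/";
  const query = new URLSearchParams({
    id_token_hint: idToken,
    post_logout_redirect_uri: postLogoutRedirectUri,
  });
  return base + "endsession?" + query.toString();
}

// Startup decision for the refresh case. `state` mirrors abp.session.userId
// and the current route. Assumption: the login flow runs under account/login.
function logoutActionOnStartup(state, storage, appBaseUrl) {
  const loggedIn = state.userId !== undefined && state.userId !== null;
  if (loggedIn || state.currentUrl.indexOf("account/login") >= 0) {
    return { action: "none" };
  }
  const url = buildEndSessionUrl(storage, appBaseUrl);
  return url ? { action: "oidc-logout", url: url } : { action: "local-logout" };
}

// Constructed sample data standing in for sessionStorage after a timeout.
function memoryStorage(items) {
  return { getItem: (key) => (key in items ? items[key] : null) };
}
const sampleStorage = memoryStorage({
  id_token: "aaa.bbb.ccc",
  id_token_claims_obj: JSON.stringify({ iss: "https://idp.example.test" }),
});
console.log(logoutActionOnStartup(
  { userId: undefined, currentUrl: "/app/main/something" },
  sampleStorage, "https://app.example.test/"));
```

The caller still has to clear the local ABP token and cookie before following the returned URL, as the override in the thread does.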