AxaFrance / oidc-client

Light, Secure, Pure JavaScript OIDC (OpenID Connect) Client. We also provide a React wrapper (compatible with Next.js, etc.).
MIT License

Await Logout till endSession is complete in logout #1298

Open pgangwani opened 4 months ago

pgangwani commented 4 months ago

Issue and Steps to Reproduce

In logout we have the steps below:

  1. revoke access token
  2. revoke refresh token
  3. endsession (idtoken)
  4. Either soft redirect / refresh the session or
  5. or redirect to oidc server logout url

As 4 and 5 are exclusive steps, I am expecting the async logout to await until all promises resolve, including endSession. I am trying to get the case below to work:

Screenshot 2024-02-14 at 2 30 21 PM

Currently what is happening is that if I set window.location.href after awaiting logout, the endSession request is cancelled. I need to redirect to logout to kill the session fully, as our OIDC server requires. Screenshot attached below.

Versions

7.18.1

Screenshots

Screenshot 2024-02-20 at 10 10 58 AM

Expected

Await(revoke(AT), revoke(RT), endSession(idToken)).then (() => custom redirect);

Actual

Await(revoke(AT), revoke(RT)).then (() => custom redirect); and endSession(idToken) is cancelled

Additional Details

Please let me know if I am missing something.
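The ordering the issue asks for, as an added example that is not oidc-client's own code: token revocation (RFC 7009) and the end_session request are awaited before the page navigates, shown next to the racy ordering in which the redirect fires while end_session is still in flight. The issuer, endpoints, client id and tokens are assumed values; the "browser" is a fake that models the one behaviour visible in the screenshots, namely that a request still pending when `window.location.href` changes gets cancelled.

```javascript
// Added example, not oidc-client code. Endpoints, client id and tokens are assumptions.
const CONFIG = {
  clientId: "spa-client",
  revocationEndpoint: "https://idp.example.test/connect/revocation",
  endSessionEndpoint: "https://idp.example.test/connect/endsession",
  postLogoutRedirectUri: "https://app.example.test/logged-out",
};

// Fake browser: fetch() answers on a later macrotask; navigate() cancels every
// request still pending, as a real top-level navigation does.
function makeFakeBrowser() {
  const pending = new Map(); // log entry -> reject()
  const log = [];
  const fetch = (url, options = {}) =>
    new Promise((resolve, reject) => {
      const entry = { url, method: options.method || "GET", status: "pending" };
      log.push(entry);
      pending.set(entry, reject);
      setTimeout(() => {
        if (!pending.delete(entry)) return; // already cancelled by navigate()
        entry.status = "done";
        resolve({ ok: true, status: 200 });
      }, 0);
    });
  const navigate = (href) => { // stands in for window.location.href = href
    log.push({ url: href, method: "NAVIGATE", status: "done" });
    for (const [entry, reject] of pending) {
      entry.status = "cancelled";
      reject(new Error("cancelled by navigation: " + entry.url));
    }
    pending.clear();
  };
  return { fetch, navigate, log };
}

// RFC 7009 revocation: form-encoded POST. keepalive lets a small request outlive
// the page if something navigates anyway; it is not a substitute for awaiting.
function revokeToken(browser, token, tokenTypeHint) {
  const body = new URLSearchParams({
    token, token_type_hint: tokenTypeHint, client_id: CONFIG.clientId,
  });
  return browser.fetch(CONFIG.revocationEndpoint, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
    keepalive: true,
  });
}

// OIDC RP-Initiated Logout parameters on the end_session endpoint.
function endSessionUrl(idToken, state) {
  const url = new URL(CONFIG.endSessionEndpoint);
  url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("post_logout_redirect_uri", CONFIG.postLogoutRedirectUri);
  url.searchParams.set("state", state);
  return url.toString();
}

// What the issue reports: revocations are awaited, end_session is sent, but the
// redirect happens while it is in flight, so the browser cancels it.
async function logoutRacy(browser, tokens, redirectTo) {
  await Promise.all([
    revokeToken(browser, tokens.accessToken, "access_token"),
    revokeToken(browser, tokens.refreshToken, "refresh_token"),
  ]);
  const endSession = browser.fetch(endSessionUrl(tokens.idToken, "s1"));
  browser.navigate(redirectTo); // no await: end_session is cancelled here
  await endSession.catch(() => {}); // swallow the cancellation
  return browser.log;
}

// Expected ordering: every server-side step settles, then exactly one redirect.
async function logoutSequenced(browser, tokens, redirectTo) {
  await Promise.all([
    revokeToken(browser, tokens.accessToken, "access_token"),
    revokeToken(browser, tokens.refreshToken, "refresh_token"),
  ]);
  await browser.fetch(endSessionUrl(tokens.idToken, "s1"));
  browser.navigate(redirectTo);
  return browser.log;
}

// Constructed sample tokens, not real credentials.
const TOKENS = { accessToken: "at.example", refreshToken: "rt.example", idToken: "id.example" };

async function demo() {
  const racy = await logoutRacy(makeFakeBrowser(), TOKENS, CONFIG.postLogoutRedirectUri);
  const sequenced = await logoutSequenced(makeFakeBrowser(), TOKENS, CONFIG.postLogoutRedirectUri);
  return {
    racyStatuses: racy.map((e) => e.status),           // ["done","done","cancelled","done"]
    sequencedStatuses: sequenced.map((e) => e.status), // ["done","done","done","done"]
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a real browser the same check is to watch the Network tab for the end_session request: with the sequenced ordering it reaches a response before the document unloads, whereas any `window.location.href` assignment issued before that promise resolves shows it as "(canceled)", exactly the symptom in the screenshots.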

guillaume-chervet commented 4 months ago

Hi @pgangwani ,

Thank you for your issue. I think it is due to the window.open. I have understood what to fix. I may do it tomorrow morning.

pgangwani commented 4 months ago

> Hi @pgangwani ,
>
> Thank you for your issue. I think it is due to the window.open. I have understood what to fix. I may do it tomorrow morning.

Thanks, I will be waiting.

guillaume-chervet commented 4 months ago

I forgot to tell you @pgangwani that version 7.18.3 should fix the bug :)

pgangwani commented 4 months ago

> I forgot to tell you @pgangwani that version 7.18.3 should fix the bug :)

I will give it a test

pgangwani commented 4 months ago

@guillaume-chervet I tested the above. It is redirecting to the post_redirect_uri after logout but not to the OIDC server logout page, as happens in https://black-rock-0dc6b0d03.1.azurestaticapps.net/. Is there a setting in oidc to go to the logged-out page? I actually wanted endSession to be called and then the await to be resolved so that I can manually redirect to the logout of the OIDC server. Thoughts?

guillaume-chervet commented 4 months ago

Hi @pgangwani, does your OIDC server support endSessionEndpoint?

https://github.com/AxaFrance/oidc-client/blob/3a145799098bbc64f7619a217f9854795becc50b/packages/oidc-client/src/logout.ts#L131

pgangwani commented 4 months ago

> Hi @pgangwani, does your OIDC server support endSessionEndpoint?
>
> https://github.com/AxaFrance/oidc-client/blob/3a145799098bbc64f7619a217f9854795becc50b/packages/oidc-client/src/logout.ts#L131

Yes it does. Screenshot 2024-02-20 at 9 55 20 AM

pgangwani commented 4 months ago

I need to understand what extra setting is required at the OIDC server level. How is your example app using Duende redirecting to Duende's logout with just the mention of post_redirect_uri: '/profile'?

guillaume-chervet commented 4 months ago

Hi @pgangwani, some extras are defined as OIDC standards and some others are specific to particular OIDC providers.

Do you still have some problem with logout?

pgangwani commented 4 months ago

My problem was solved by my own hack of `await logout(); redirect(logoutUrl)`, but not by organically logging out like in your example, which is what I raised this issue for.

suwarnoong commented 1 week ago

Hi, I am as well facing this issue in v7.22.8.

I have oidcServerConfiguration.endSessionEndpoint configured. I can see the end-session endpoint in the Network tab. However, before it can finish, the auth endpoint is immediately called. As a result, the end-session request is cancelled.

Screenshot 2024-06-27 at 14 22 38

I tried to debug locally by adding some logs:

Screenshot 2024-06-27 at 14 25 52

Screenshot 2024-06-27 at 14 26 09

It seems that window.location.href is set twice, to the end-session and auth endpoints.

Screenshot 2024-06-27 at 14 24 54

Can you take a look at this issue?

guillaume-chervet commented 6 days ago

Hi @pgangwani, which browsers are you using?

I think I am starting to understand the issue. To understand it well: you run logout from a secured part of your app, which automatically reruns a login?

suwarnoong commented 6 days ago

Hi @guillaume-chervet, I am using Chrome v126.0.6478.116

Yes, I called the logout method from the useOidc hook in the secured part of my app. It redirected to the end-session endpoint. Before it could finish, it redirected to the auth endpoint, hence the end-session redirection was cancelled.

pgangwani commented 21 hours ago

@suwarnoong @guillaume-chervet is any help required from me? I still see this as an issue.

> I think I am starting to understand the issue. To understand it well: you run logout from a secured part of your app, which automatically reruns a login?

suwarnoong commented 3 hours ago

@pgangwani yes, it is still an issue for me as well on the latest (v7.22.9).

Could you share your own hack for this?