AzureAD / azure-activedirectory-library-for-js

The code for ADAL.js and ADAL Angular has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/adal-angular
Apache License 2.0

[Yammer] improve logout experience in multiple tabs of the same application #915

Closed: jessemartin closed this 4 years ago

jessemartin commented 4 years ago

Problem overview

Currently, if a user has multiple browsing contexts (tabs, windows, etc.) of an application that uses ADAL open, logout does not sync across the tabs. When logOut is called in one tab, the others continue to hold this._user in memory. Therefore, calls to getUser and getCachedUser in these tabs continue to return a user object, even though the localStorage/sessionStorage entries have been removed and the user should be considered "logged out".

Effect on Yammer

Yammer is using an authenticator that checks for user presence as part of determining whether a login is required during token acquisition. When a logout has occurred in one tab and acquireToken is then called in another tab, the second tab is still considered "logged in", because getCachedUser still returns a user. As a result, acquireToken is called when no login.microsoftonline.com cookies exist, causing ADAL to return AADSTS50058 (cookies not found error) and Yammer to display a third-party cookie configuration error page.

Proposed fix

This PR adds a mechanism to clear the user when an external browsing context of the same origin performs a logout. The approach uses storage events instead of something like the Broadcast Channel API to maintain compatibility with the browsers supported by Yammer (specifically IE11 and Safari).
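The storage-event approach described above, as an added example that is not the PR's or ADAL's own code. The `storage` event fires only in *other* same-origin browsing contexts (and only for stores they share, so localStorage, not a per-tab sessionStorage), which is exactly the property the fix relies on; the in-memory cache shape and the storage key name `USER_KEY` are assumptions here, not ADAL internals.

```javascript
// Added example (not ADAL's code): clear an in-memory user when another
// same-origin tab removes the persisted login entry, so getCachedUser()
// stops returning a stale object after a cross-tab logout.
// Assumptions: the user is cached as `state.user`; the entry that a logout
// removes is stored under USER_KEY (placeholder; use your build's key).

const USER_KEY = 'adal.idtoken'; // assumed key name, not taken from the PR

// Stand-in for the AuthenticationContext's in-memory cache (this._user).
function createAuthState(initialUser) {
  return { user: initialUser, externalLogouts: 0 };
}

// A StorageEvent signals a logout elsewhere when the user key was removed
// (newValue === null) or the whole store was cleared (key === null, which
// is what localStorage.clear() in another tab produces). A token refresh
// in another tab sets a new string value and is deliberately NOT a logout.
function isExternalLogoutEvent(event) {
  if (!event) return false;
  if (event.key === null) return true;
  return event.key === USER_KEY && event.newValue === null;
}

// Handler for window 'storage'. Returns true when it cleared the cache.
// Idempotent: a second event after the user is already gone is a no-op.
function handleStorageEvent(state, event) {
  if (!isExternalLogoutEvent(event) || state.user === null) return false;
  state.user = null;
  state.externalLogouts += 1;
  return true;
}

function getCachedUser(state) {
  return state.user;
}

// Browser wiring. The event never fires in the tab that made the change,
// so the local logOut() path must still clear state.user itself.
function installLogoutSync(state, win) {
  if (!win || typeof win.addEventListener !== 'function') return false;
  win.addEventListener('storage', (e) => handleStorageEvent(state, e));
  return true;
}

if (typeof window !== 'undefined') {
  installLogoutSync(createAuthState(null), window);
}
```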