Problem overview
Currently, if a user has multiple browsing contexts (tabs, windows, etc.) of an application that uses ADAL open, logout does not sync across the tabs. When logOut is called in one tab, the others continue to hold this._user in memory. Therefore, calls to getUser and getCachedUser in those tabs continue to return a user object, even though the localStorage/sessionStorage entries have been removed and the user should be considered "logged out".
Effect on Yammer
Yammer uses an authenticator that checks for user presence as part of determining whether a login is required during token acquisition. When a logout has occurred in one tab and acquireToken is then called in another tab, the second tab is still considered "logged in", because getCachedUser still returns a user. As a result, acquireToken is called when no login.microsoftonline.com cookies exist, causing ADAL to return AADSTS50058 (cookies not found error) and Yammer to display a third-party cookie configuration error page.
Proposed fix
This PR adds a mechanism to clear the user when an external browsing context of the same origin performs a logout. The approach uses storage events instead of something like the Broadcast Channel API to maintain compatibility with the browsers supported by Yammer (specifically IE11 and Safari).
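The following is an added illustration of the storage-event approach, not ADAL.js's own code or this PR's implementation: a minimal auth context whose in-memory user is cleared when a peer context of the same origin writes a logout marker. The key names, the simplified context class and the in-memory storage stand-in are assumptions made so the example runs outside a browser.

```javascript
// Added example, not ADAL.js's code: cross-tab logout via the `storage` event.
const LOGOUT_KEY = "adal.logout"; // hypothetical marker key written on logout
const USER_KEY = "adal.user";     // hypothetical key holding the cached user

// In-memory stand-in for window.localStorage so the example runs without a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

class TabAuthContext {
  constructor(storage, win) {
    this._user = null;       // the in-memory copy that goes stale in the issue
    this._storage = storage;
    // A `storage` event fires in every OTHER same-origin context sharing the
    // store, never in the writer; `win` is null when run outside a browser.
    if (win) win.addEventListener("storage", (ev) => this.handleStorageEvent(ev));
  }
  setUser(user) {
    this._user = user;
    this._storage.setItem(USER_KEY, JSON.stringify(user));
  }
  getCachedUser() { return this._user; }
  logOut() {
    this._user = null;
    this._storage.removeItem(USER_KEY);
    // Write a fresh value so peers get an event even if they missed the removal
    // (rewriting an unchanged value raises no storage event).
    this._storage.setItem(LOGOUT_KEY, String(Date.now()));
  }
  handleStorageEvent(ev) {
    // Ignore unrelated keys and the marker's own removal: only a logout signal
    // from a same-origin peer may clear the in-memory user.
    if (ev.key !== LOGOUT_KEY || ev.newValue === null) return false;
    this._user = null;
    return true;
  }
}

// Two contexts sharing one store, mimicking two tabs of the same origin.
function simulateTwoTabs() {
  const shared = new MemoryStorage();
  const tabA = new TabAuthContext(shared, null);
  const tabB = new TabAuthContext(shared, null);
  tabA.setUser({ userName: "alice@example.com" }); // constructed sample user
  tabB.setUser({ userName: "alice@example.com" });
  tabA.logOut();
  const staleBeforeEvent = tabB.getCachedUser() !== null; // the reported bug
  // Emulate the StorageEvent the browser would deliver to tab B.
  tabB.handleStorageEvent({ key: LOGOUT_KEY, oldValue: null, newValue: shared.getItem(LOGOUT_KEY) });
  return { staleBeforeEvent, userAfterEvent: tabB.getCachedUser() };
}
```

Because sessionStorage is scoped to a single tab, its storage events reach only same-origin frames inside that tab, so cross-tab synchronisation of this kind needs the marker written to localStorage.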