IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

How to use SignoutRedirect using id_token_hint for log out completely #1150

Closed Murugananths closed 4 years ago

Murugananths commented 4 years ago

Hi Team,

I am using the oidc client library for authentication in an OfficeJs application, and below are the scenarios where I need help.

1) I was able to login and get access token successfully with below code.

auth.ts

Office.initialize = function () {
    var settings = {
      authority: "https://xxxx.com/xx/v1",      
      client_id: "https://xxxx.com/",
      redirect_uri: "https://localhost:3000/taskpane.html",
      // silent_redirect_uri:"https://localhost:3000/taskpane.html", 
      post_logout_redirect_uri: "https://localhost:3000/logout.html", 
      revokeAccessTokenOnSignout: true,      
      response_type: "id_token token",
      scope: "openid read:xxxxx read:xxxxx",
      state: true,
      filterProtocolClaims: true,  
      loadUserInfo: true,
      nonce:true, 
      clearHashAfterLogin: true,   
      monitorSession: true,  // option name is camelCase in oidc-client-js
      metadata: {        
        issuer: 'https://xxx.com/oauth2/v1/',  
        authorization_endpoint:  "https://xxxx.com/xxx/v1/connect/authorize",
        end_session_endpoint: "https://qxxx.com/xx/v1/logout"
    }    
    };
    var mgr = new Oidc.UserManager(settings);    
    mgr.signinRedirect();
    mgr.signinRedirectCallback().then((user)=>{
      console.log(user);
    })  
} 

2) But when trying to log out, only the access token gets cleared; the cookies and the rest are not cleared. Kindly help with how to generate the parameter with id_token_hint to pass to signoutRedirect, because once a user has logged out, if they try to log in again it is not asking for credentials and they get signed in.

logout.ts

Office.initialize = () => {
  var settings = {
    authority: "https://xxxx.com/xx/v1",      
    client_id: "https://xxxx.com/",
    redirect_uri: "https://localhost:3000/taskpane.html",
    // silent_redirect_uri:"https://localhost:3000/taskpane.html", 
    post_logout_redirect_uri: "https://localhost:3000/logout.html", 
    revokeAccessTokenOnSignout: true,      
    response_type: "id_token token",
    scope: "openid read:xxxx read:xxxx",
    state: true,
    filterProtocolClaims: true,  
    loadUserInfo: true,
    nonce:true, 
    clearHashAfterLogin: true,   
    monitorSession: true,  // option name is camelCase in oidc-client-js
    metadata: {        
      issuer: 'https://xxxx.com/xx/v1/',  
      authorization_endpoint:  "https://xxxx.com/xx/v1/connect/authorize",
      end_session_endpoint: "https://xxxx.com/xx/v1/logout"
      // end_session_endpoint: 'http://localhost:3000/logout.html'
  }    
  };
  var mgr = new Oidc.UserManager(settings); 
  mgr.signoutRedirect(); 
  // mgr.signoutRedirect({ 'id_token_hint': this.user.id_token });  
  // mgr.revokeAccessToken();
  // mgr.clearStaleState();
  $(document).ready(function () {    // $(document), not $("document")
    localStorage.removeItem('accessToken');
    localStorage.clear();
    // window.location.reload(true);
  });
};  // close Office.initialize

Murugananths commented 4 years ago

Hi team... Any update please?

Murugananths commented 4 years ago

Hi team... have you had a chance to look into this?

Murugananths commented 4 years ago

Hi Team, Any update please?

thiagomeireless commented 4 years ago

I'm using it like this, I'm not sure if it's the right/best way, but it works for me. I hope it helps:

    // inside an async function, and after the user has been loaded (e.g. from mgr.getUser())
    const mgr = new Oidc.UserManager(settings);
    const signoutUrl = await mgr.createSignoutRequest({ id_token_hint: user.id_token });

    window.location.href = signoutUrl.url;

jimmytb commented 4 years ago

hi @Murugananths

I was having the same problem. One of the things that worked for me, although it is a workaround, was the following:

In your config/settings add: prompt: 'login',

It is also possible to use it like this: manager.signinPopup({prompt: 'login'}).then((user) => setUser({ user: user }));

This will show the user a login screen instead of signing the user in directly. I hope this helps you.

Murugananths commented 4 years ago

Thanks team for the information. I will try and let you know if still any issues...

brockallen commented 4 years ago

I don't follow the problem. You're saying the token server does not support the end session endpoint?

Murugananths commented 4 years ago

Hi Team, I was able to log out completely with the code below. When logging in again it asks for credentials as expected. end_session_endpoint: "https://xxxx.com/xx/v1/connect/endsession"

But there is one more issue I have been facing: after logout it is not redirecting to the specified post-logout URL (https://localhost:3000/logout.html). When I tried to debug with the idsrv code, the logout method is called twice, hence on the second call id_token_hint became null and it redirects to the idsrv login home page, which is different from the post-logout URL. Can you please help with this?

Murugananths commented 4 years ago

@brockallen ...any update on this?

brockallen commented 4 years ago

Check your logs at the STS.

LilanSilva commented 3 years ago
id_token_hint

The id_token is used to resolve and identify the user session and the post-logout URL. That is the reason. You are correct.
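The logout exchange discussed in this thread (thiagomeireless's createSignoutRequest call with id_token_hint, and the asker's second logout call arriving without a hint), written out as an added example that is not part of the thread or of oidc-client-js. It builds the end_session_endpoint request the way RP-Initiated Logout describes it (id_token_hint, post_logout_redirect_uri, state), refuses to redirect when no id_token is loaded, and models the provider side: post_logout_redirect_uri is honoured only when the hint identifies a client that registered that exact URI, otherwise the provider falls back to its own page. The URLs, client id and token claims reuse the asker's placeholders and are constructed; makeUnsignedIdToken, buildEndSessionUrl and resolvePostLogoutRedirect are names chosen for this example, and the provider-side logic is a simplified model, not IdentityServer's code.

```javascript
// Added example, not code from oidc-client-js or from this thread. All URLs,
// the client_id and the token claims are constructed placeholders.

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode a JWT payload without checking the signature. The RP validated the
// id_token when it was issued; here only the claims are needed for the demo.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Constructed, UNSIGNED id_token for the example only; a real OP signs it.
function makeUnsignedIdToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.`;
}

// Relying-party side: the URL signoutRedirect sends the browser to.
function buildEndSessionUrl({ endSessionEndpoint, idToken, postLogoutRedirectUri, state }) {
  if (!idToken) {
    // Without id_token_hint the OP cannot tell which client/session is logging
    // out, so post_logout_redirect_uri is ignored. Fail here instead of redirecting.
    throw new Error('id_token_hint missing: load the user before calling signout');
  }
  const url = new URL(endSessionEndpoint);
  url.searchParams.set('id_token_hint', idToken);
  if (postLogoutRedirectUri) url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (state) url.searchParams.set('state', state);
  return url.toString();
}

// Provider side (simplified model): honour post_logout_redirect_uri only when the
// id_token_hint names a client (aud) that registered that exact URI.
// registeredClients: { [client_id]: { post_logout_redirect_uris: [...] } }
function resolvePostLogoutRedirect(requestUrl, registeredClients, fallbackUrl) {
  const params = new URL(requestUrl).searchParams;
  const hint = params.get('id_token_hint');
  const requested = params.get('post_logout_redirect_uri');
  if (!hint) return { redirect: fallbackUrl, reason: 'no id_token_hint' };
  let claims;
  try {
    claims = decodeJwtPayload(hint);
  } catch (e) {
    return { redirect: fallbackUrl, reason: 'malformed id_token_hint' };
  }
  const client = registeredClients[claims.aud];
  if (!client) return { redirect: fallbackUrl, reason: 'unknown client' };
  if (!requested || !client.post_logout_redirect_uris.includes(requested)) {
    return { redirect: fallbackUrl, reason: 'post_logout_redirect_uri not registered' };
  }
  const target = new URL(requested);
  const state = params.get('state');
  if (state) target.searchParams.set('state', state); // echoed back to the RP
  return { redirect: target.toString(), reason: 'ok' };
}

// Constructed sample data reusing the thread's placeholders.
const CLIENTS = {
  'https://xxxx.com/': { post_logout_redirect_uris: ['https://localhost:3000/logout.html'] },
};
const OP_HOME = 'https://xxxx.com/xx/v1/';
const END_SESSION = 'https://xxxx.com/xx/v1/connect/endsession';

function demo() {
  const idToken = makeUnsignedIdToken({ iss: OP_HOME, aud: 'https://xxxx.com/', sub: 'user-1' });
  // First logout: hint present, registered URI requested -> RP gets its redirect.
  const first = buildEndSessionUrl({ endSessionEndpoint: END_SESSION, idToken,
    postLogoutRedirectUri: 'https://localhost:3000/logout.html', state: 'xyz' });
  const firstResult = resolvePostLogoutRedirect(first, CLIENTS, OP_HOME);
  // Second logout with the user already cleared: no hint -> OP falls back to its own page.
  const second = `${END_SESSION}?post_logout_redirect_uri=${encodeURIComponent('https://localhost:3000/logout.html')}`;
  const secondResult = resolvePostLogoutRedirect(second, CLIENTS, OP_HOME);
  return { firstResult, secondResult };
}

module.exports = { makeUnsignedIdToken, buildEndSessionUrl, resolvePostLogoutRedirect, demo, CLIENTS, OP_HOME, END_SESSION };
```

Run with node; demo() returns the two outcomes side by side. The practical takeaway for the thread's second problem is the guard in buildEndSessionUrl: call mgr.getUser() first and only trigger the signout when an id_token is actually present, so a repeated call cannot reach the provider without a hint.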