dwyl / elixir-auth-microsoft

🪟 Authenticate with your Microsoft Account in any Elixir App!
GNU General Public License v2.0

what about logout? #29

Closed · gabrielmancini closed this 1 year ago

gabrielmancini commented 1 year ago

Hello... great lib btw.

What about logout? Is there some gotcha to block an AD user and log the user out of the Phoenix app?

Thanks

LuchoTurtle commented 1 year ago

Hey @gabrielmancini ! Thanks for opening the issue :) I'm afraid I don't quite understand your phrasing. Do you want a function that logs out an AD user from your Phoenix App?

gabrielmancini commented 1 year ago

Yes, when I block, delete, or revoke a user session on Active Directory like this:

I want the user logged out from the app.

LuchoTurtle commented 1 year ago

Although I think there's something we can do about logging the user out of the app conditionally by implementing a logout() function, I think the behaviour of logging out of the app immediately is currently unattainable through Azure. However, I think there's something we can do about how the library behaves once a user can't re-authenticate properly.

The problem you've described is effectively an auth strategy downside to having access tokens and refresh tokens. When a user is authorized, Azure AD issues these tokens for the resource. These last 1 hour by default. You may silently reauthenticate the user by passing the refresh token whenever the access token expires after one hour. However, if you want to revoke an access token during that time, the user will only effectively lose access to the resource after the expiration period is surpassed (because they can't refresh the token - it was revoked).

This issue is not related only to this package, it's generalized to packages that use this auth grant workflow. For example, msal-react (which is the official Microsoft package for React web applications to deal with authentication with Azure) also has this "problem".

Labelling this as a "problem" is a debate in itself. You can certainly reduce the expiration window to 30 minutes so the user has to silently re-authenticate and get a new access/refresh token pair more often, but this will spark a debate on scalability/latency/etc...

Azure is developing a thing called Continuous Access Evaluation to tackle this subject, where they evaluate the token's validity near-realtime. But this is only available on Exchange, Teams, and SharePoint Online resources, not all Azure resources.

This library makes it easier for you to follow the OAuth 2.0 authorization code flow (recommend reading this doc from Microsoft to understand how tokens work in this authorization flow).

If you want to learn more about Revoking user access on Azure AD, check https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access#access-tokens-and-refresh-tokens.

tl;dr

When you revoke user access in Azure AD, the user won't immediately lose access to your resource. You'll have to wait until the access token expiration time is reached and they no longer can refresh the token because their access was revoked.

What can possibly be done is implementing a callback URL into this library so that whenever the user is not able to re-authenticate, logging the user out and redirecting them to the homepage of the Phoenix application.

LuchoTurtle commented 1 year ago

Hm, having a bit of trouble with this...

I'm getting an ErrorInsufficientPermissionsInAccessToken error when trying to fetch the profile with the token.

Having read through https://learn.microsoft.com/en-us/answers/questions/880570/having-an-issue-with-oauth2, I've already checked...

But I keep stumbling upon this error trying to fetch the user profile...

I've even refreshed the secret and updated it accordingly, but it doesn't seem to work :/

gabrielmancini commented 1 year ago

As the lib has a login link, what about having a logout link too? I think this can be achieved by looking through this: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request

One more thing: I am implementing a multi-tenant application, and because of that I need information about the subdomain. The way I found to test the SSO is using a tunnel: `npx localtunnel --port 4000 -s ecolab` (your url is: https://custom1.loca.lt). Unfortunately localtunnel is very unstable and very often gives a timeout; I think it is because I am using the new version of phx.gen.auth to manage the users, and this version uses LiveView... Has someone already faced something like this? Is there better tunnel software to test with, or even better, has someone already needed to create an ExUnit test for something like that? Sorry about the (maybe) off-topic, it's just to add some context... and maybe some direction.

LuchoTurtle commented 1 year ago

#33 should address this.

For more information on how the logout process works, Microsoft has this document with the endpoint people need to be redirected to so they end their account session within Microsoft's identity server -> https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request.
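The sign-out request linked above is an HTTP redirect to the Microsoft identity platform's logout endpoint with a `post_logout_redirect_uri` that must be registered on the app registration. The following is an added example, not code from elixir-auth-microsoft or from #33, showing how a Phoenix app can build that URL and drop its own session before redirecting. The `MyAppWeb` namespace, the `"common"` tenant, the `/` landing page and the optional `logout_hint` parameter are assumptions made for the example.

```elixir
# Added example (not part of elixir-auth-microsoft): build the Microsoft
# identity platform sign-out URL described at
# https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request
# and terminate the local Phoenix session before redirecting the browser there.
defmodule MyAppWeb.MicrosoftLogout do
  @moduledoc """
  Helpers for ending both the local Phoenix session and the Microsoft session.
  Tenant, redirect URI and module names are assumptions for this example.
  """

  # Assumption: "common" works for multi-tenant registrations; single-tenant
  # apps should use their own tenant id or domain here.
  @default_tenant "common"

  @doc """
  Returns the URL the browser must be sent to so Microsoft ends the user's
  session. `post_logout_redirect_uri` has to be registered on the app
  registration, otherwise Microsoft will not redirect back after sign-out.
  An optional `logout_hint` (the value of the `login_hint` claim, if you
  requested it) lets Microsoft skip the "which account?" prompt.
  """
  def logout_url(post_logout_redirect_uri, tenant \\ @default_tenant, opts \\ []) do
    query =
      [post_logout_redirect_uri: post_logout_redirect_uri]
      |> maybe_put(:logout_hint, opts[:logout_hint])
      |> URI.encode_query()

    "https://login.microsoftonline.com/#{tenant}/oauth2/v2.0/logout?" <> query
  end

  defp maybe_put(params, _key, nil), do: params
  defp maybe_put(params, key, value), do: params ++ [{key, value}]
end

defmodule MyAppWeb.AuthController do
  use MyAppWeb, :controller

  # Assumption: this action is routed at `delete "/auth/logout"` (or a GET
  # link, as suggested in the thread) in the router.
  def logout(conn, _params) do
    # Where Microsoft should send the browser once its own session is gone.
    # Assumption: the app's landing page is "/".
    post_logout_redirect_uri = MyAppWeb.Endpoint.url() <> "/"

    conn
    # Drop the local session first: even if the user abandons the Microsoft
    # sign-out page, the Phoenix app no longer considers them logged in.
    |> configure_session(drop: true)
    |> redirect(external: MyAppWeb.MicrosoftLogout.logout_url(post_logout_redirect_uri))
  end
end
```

Dropping the local session before the external redirect is the important ordering: the Microsoft sign-out page is outside the app's control, so the app should not depend on the user completing it to end their local session. The same `configure_session(drop: true)` plus redirect-to-home pattern is what the earlier comment proposes as the fallback whenever a silent re-authentication with the refresh token fails after access has been revoked in Azure AD.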