jbreckmckye / electron-auth0-login

Helper widget for Auth0 authentication in Electron desktop apps
MIT License

Logout() #20

Closed iamkhalidbashir closed 3 years ago

iamkhalidbashir commented 3 years ago

Using logout() does clear the keytar data, so the next time the user tries to log in, a new browser window appears asking the user to log in:- [Screenshot from 2020-11-09 21-21-53]

The issue, however, is that it doesn't call the IdP logout endpoint (https://auth0.com/docs/logout/log-users-out-of-idps), so the next time a new user tries to log in, he automatically logs into the first account, whether you press "Not your account?" or not.

Last screen after the user logs in without any Auth0 email or password:- [Screenshot from 2020-11-09 21-23-57]

jbreckmckye commented 3 years ago

Hi Khalid, thanks for the bug report.

It looks like Auth0 is remembering the session when the browser window is opened. I think disabling that functionality would be the way to go, rather than making the app logout sign the user out of the SSO system. You wouldn't expect that logging out of a single desktop app would log you out of e.g. your mobile Google account, for instance.

It's been a while since I worked with Auth0 but I think it should just be a matter of deleting any Auth0 session cookies. If I create a beta release with this in place could you help me test it? I don't have a good testbed for Auth0 Electron right now.

iamkhalidbashir commented 3 years ago

> Hi Khalid, thanks for the bug report.
>
> It looks like Auth0 is remembering the session when the browser window is opened. I think disabling that functionality would be the way to go, rather than making the app logout sign the user out of the SSO system. You wouldn't expect that logging out of a single desktop app would log you out of e.g. your mobile Google account, for instance.
>
> It's been a while since I worked with Auth0 but I think it should just be a matter of deleting any Auth0 session cookies. If I create a beta release with this in place could you help me test it? I don't have a good testbed for Auth0 Electron right now.

Yes @jbreckmckye, it is indeed a matter of clearing the session. I will close this; for anyone having this issue, please use this code to clear the session:-

// `ses` is an Electron Session (e.g. session.defaultSession or the
// BrowserWindow's webContents.session); this wipes every cookie in it.
export const clearStorageData = async ses => {
  await ses.clearStorageData({
    storages: ['cookies'],
  })
}

Note: You can also modify the function above to delete only your IdP's cookies.

jbreckmckye commented 3 years ago

You shouldn't need to do that - if we call the Auth0 logout endpoint I believe it will just wipe the relevant session cookies. Or I assume we can use the Electron cookies API.

It should be handled by the library if possible. At present this looks quite broken. I'm not sure when this started to happen, but I'd be keen to fix it.

Also you presumably wouldn't want to wipe all cookies across all domains; there could be non-login cookies in scope.

iamkhalidbashir commented 3 years ago

> You shouldn't need to do that - if we call the Auth0 logout endpoint I believe it will just wipe the relevant session cookies. Or I assume we can use the Electron cookies API.
>
> It should be handled by the library if possible. At present this looks quite broken. I'm not sure when this started to happen, but I'd be keen to fix it.
>
> Also you presumably wouldn't want to wipe all cookies across all domains; there could be non-login cookies in scope.

The logout function logs out the user from Auth0, which works perfectly fine, but it does not log out the user from the identity provider page. For example, the Microsoft Azure IdP doesn't log out the user on calling the logout() method.