manfredsteyer / angular-oauth2-oidc

Support for OAuth 2 and OpenId Connect (OIDC) in Angular.
MIT License

Add the ability to end session on the server but without redirecting to postLogoutRedirectUri #1406

Open pablolp95 opened 7 months ago

pablolp95 commented 7 months ago

Currently, in our project, we have the config variables postLogoutRedirectUri and redirectUri properly specified in our configuration file for the angular-oauth2-oidc, so when the user does a logout manually, he is redirected to our home page. However, in one scenario, we'd like to end the session in the OIDC server without having to redirect the user to the home page. This should be possible by using the 'logOut' method with the customParameters parameter set as true ( oauthservice.logout(true) ). The issue is that when we do so, the library deletes all the auth info stored in the browser but does not end the session in the server because of this part of the code:

if (noRedirectToLogoutUrl) { return; }

I think the variable 'noRedirectToLogoutUrl' should be used when the method constructs the 'logoutUrl' in order to not add the 'post_logout_redirect_uri' parameter in the URL:

const postLogoutUrl = noRedirectToLogoutUrl ? '' : this.postLogoutRedirectUri || (this.redirectUriAsPostLogoutRedirectUriFallback && this.redirectUri) || '';

As an alternative I had to remove the postLogoutRedirectUri parameter from my config file, add the parameter redirectUriAsPostLogoutRedirectUriFallback set to false, and always include the 'post_logout_redirect_uri' in my code as a custom parameter for the logout method. I think this is not the best way to handle this issue.

Thanks in advance.
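The following is an added example, not code from angular-oauth2-oidc or from the issue author, that models the logout-URL construction described above with the proposed change applied: noRedirectToLogoutUrl drops post_logout_redirect_uri from the end-session URL instead of skipping the server-side logout. The LogoutConfig shape, the buildLogoutUrl function and the sample endpoint/URIs are assumptions made for illustration.

```typescript
// Added example (not library code): a simplified model of how an OIDC
// RP-initiated logout URL is assembled, with the change the issue proposes.
interface LogoutConfig {
  logoutUrl: string;                 // the provider's end_session_endpoint
  postLogoutRedirectUri?: string;
  redirectUri?: string;
  redirectUriAsPostLogoutRedirectUriFallback: boolean;
}

function buildLogoutUrl(
  cfg: LogoutConfig,
  idToken: string | null,
  noRedirectToLogoutUrl: boolean,
  customParameters: Record<string, string> = {},
): string {
  // The line the issue suggests: omit post_logout_redirect_uri when the
  // caller wants to stay on the page, but still hit the end-session endpoint.
  const postLogoutUrl = noRedirectToLogoutUrl
    ? ''
    : cfg.postLogoutRedirectUri ||
      (cfg.redirectUriAsPostLogoutRedirectUriFallback && cfg.redirectUri) ||
      '';

  const url = new URL(cfg.logoutUrl);
  // id_token_hint tells the provider which session to terminate; it is sent
  // regardless of whether a post-logout redirect is requested.
  if (idToken) {
    url.searchParams.set('id_token_hint', idToken);
  }
  if (postLogoutUrl) {
    url.searchParams.set('post_logout_redirect_uri', postLogoutUrl);
  }
  for (const key of Object.keys(customParameters)) {
    url.searchParams.set(key, customParameters[key]);
  }
  return url.toString();
}

// Constructed sample configuration for illustration, not a real deployment.
const sampleConfig: LogoutConfig = {
  logoutUrl: 'https://idp.example/connect/endsession',
  postLogoutRedirectUri: 'https://app.example/home',
  redirectUri: 'https://app.example/callback',
  redirectUriAsPostLogoutRedirectUriFallback: true,
};
```

With noRedirectToLogoutUrl set to true the resulting URL still carries id_token_hint, so the application can request it (for example from a background frame) without the browser leaving the current page.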

zelanter commented 2 months ago

I am late to the party but if I understand your post correctly you are not fully grasping the difference between postLogoutRedirectUri and logoutUri (as in noRedirectToLogoutUrl). The former tells the authorization server where to redirect after logout while the latter is the authorization server itself.

Logout is done by calling the proper logout url of the authorization server.

For your need of doing full logout while staying on page, you could maybe use an iframe for the logout or open your angular logout route in another tab. I don’t really understand the purpose though.

If all you want is to define a dynamic page to land on after logout, then use session storage or something to control that and redirect to that from the post logout uri route.