manfredsteyer / angular-oauth2-oidc

Support for OAuth 2 and OpenId Connect (OIDC) in Angular.
MIT License

OauthService.logOut(true) not logging out of the identity server. #907

Closed ajays1991 closed 4 years ago

ajays1991 commented 4 years ago

We have a requirement where we are required to log out the user on some pages; for example, if the user goes to the FAQ page after having a logged-in session, we want to explicitly terminate the session and require the user to log in again to go to any page.

In ngOnInit of this page (the FAQ page) we are calling this.oauthService.logOut(true) so that the user should be logged out. What I have observed so far is that it does clean up the localStorage and cookies associated with it, but it didn't call the logout on the identity server; as a result the user is able to go back to the dashboard page without logging in again.

Below I am providing the minimal sample code of the component:

import { Component, OnInit, ViewChild, ElementRef } from '@angular/core';
import { PlatformLocation } from '@angular/common';
import { NgbModal, NgbModalOptions } from '@ng-bootstrap/ng-bootstrap';
import { CookieService } from 'ngx-cookie-service';
import { OAuthService } from 'angular-oauth2-oidc';
import { Title } from '@angular/platform-browser';
import { NgxSpinnerService } from 'ngx-spinner';
// Path to the environment file is assumed; adjust to the project layout.
import { environment } from '../../environments/environment';
import * as $ from 'jquery';

@Component({
  selector: 'app-register',
  templateUrl: './register.component.html',
  styleUrls: ['./register.component.css']
})
export class RegisterComponent implements OnInit {
  modalOptions: NgbModalOptions;

  registerForm; otpForm; captureIncomeForm; captureIncomeModelRef;
  constructor(
    private cookieService: CookieService,
    private oauthService: OAuthService,
    private titleService: Title,
    private modalService: NgbModal,
    private location: PlatformLocation
  ) {
    this.modalOptions = {
      backdrop: 'static',
      backdropClass: 'customBackdrop'
    };
    // Close any open modal when the user navigates with the browser back button.
    this.location.onPopState(() => this.modalService.dismissAll());
    this.titleService.setTitle('*************************');
  }

  ngOnInit() {
    localStorage.removeItem('tempToken');
    this.logOut();
  }

  logOut() {
    console.log("logout calling");
    this.cookieService.delete('submissionId', '/');
    this.cookieService.delete('uType', '/');
    // true = noRedirectToLogoutUrl: local tokens are cleared, no end-session redirect
    this.oauthService.logOut(true);
    this.cookieService.delete('submissionId', '/');
    console.log("oauthService logout called");
    return false;
  }

  azureAdlogin(message) {
    localStorage.removeItem('tempToken');
    let submissionId = '';
    if (this.cookieService.get('submissionId')) {
      submissionId = this.cookieService.get('submissionId');
    }
    // Extra values are passed as custom query parameters on the authorize request.
    this.oauthService.initLoginFlow('', {
      submissionId, ccAppUrl: window.location.origin,
      instrumentationKey: environment.appInsights.instrumentationKey, message
    });
  }
}

Using angular-oauth2-oidc 8.0.4. I have also read a few issues regarding this, but to no avail. Any suggestion/help will be appreciated.

jeroenheijmans commented 4 years ago

If you pass true to logOut it is passed as the noRedirectToLogoutUrl parameter. So your Identity Server is never notified of the user logging out. If your app upon initialization tries some kind of silent login mechanism then the user will be automatically logged in again.

Ask yourself: do you want to log out a user:

In case of A, you need to have no silent login mechanism, but another app-specific mechanism. In case of B, you should pass false (or no argument) to the logOut method.

PS. To be able to help you more reliably, it would be useful to have a full but minimal repro of your situation (the current code contains a lot of stuff seemingly irrelevant to the question, and some missing pieces).

Hope that helps.

ajays1991 commented 4 years ago

Yes, my app has this.oauthService.tryLoginImplicitFlow(); decorated in the app.component.ts module, which, if I comment it out, still takes me to the dashboard page without identity claims. Is there any way I can override this in my register.component.ts?

I agree the example code is not complete.

I am also looking at this.oauthService.revokeTokenAndLogout() if this can help instead of just calling this.oauthService.logOut().

jeroenheijmans commented 4 years ago

So yeah, not much we (as the community for this library) can do for you, I think? It's an application concern I think, something you'll have to figure out on your end?

jeroenheijmans commented 4 years ago

Whoops, I meant to ask with my last comment if we could now close this question, not do it outright.

ajays1991 commented 4 years ago

Yes, thanks for the info.

ajays1991 commented 4 years ago

I am reopening this issue as I have found out more after digging into the code. Now this.oauthService.logOut() needs to redirect my page to the redirect URL provided. I have seen there are some four or five logOut() methods provided by this library, which all return void. I am proposing here a new logOut() method which hits the identity server to log the user out from the identity server and returns me a promise to resolve so that I can then continue my code.

this.oauthService.logOut().then(function(promise){ // my logic })

jeroenheijmans commented 4 years ago

I'm afraid that's impossible, as they are redirect-based flows. The user will be sent to the IDServer, and then redirected back to your SPA.

IIRC, you can use the existing overload with custom params, and use the state param to know how to route the user when they get back to your app.
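Added illustration, not the library's code and not a drop-in for its logOut: a standalone model of the two paths discussed above. With noRedirectToLogoutUrl set to true only local state is cleared and the IdP session survives; with false an OIDC end_session redirect is built, and a nonce-bound state value carries the post-logout route so the app can decide where to send the user on return. Endpoint URLs, routes and the nonce are constructed sample values.

```typescript
interface SessionState { idToken?: string; }

interface LogoutPlan {
  clearedLocally: boolean;   // tokens removed from browser storage
  redirectTo: string | null; // null = no end_session redirect, IdP session stays alive
}

// Models the effect of the library's noRedirectToLogoutUrl flag (simplified, not its code).
function planLogout(session: SessionState, endSessionEndpoint: string,
                    postLogoutRedirectUri: string, noRedirectToLogoutUrl: boolean,
                    state?: string): LogoutPlan {
  if (noRedirectToLogoutUrl) {
    // logOut(true): local cleanup only; the identity server is never told.
    return { clearedLocally: true, redirectTo: null };
  }
  // logOut(): RP-initiated logout, the browser is sent to the IdP end_session endpoint.
  const url = new URL(endSessionEndpoint);
  if (session.idToken) url.searchParams.set('id_token_hint', session.idToken);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (state) url.searchParams.set('state', state);
  return { clearedLocally: true, redirectTo: url.toString() };
}

// Encode the intended return route together with a nonce the app stores before redirecting,
// so a crafted return URL cannot pick the route on its own.
function encodeLogoutState(nonce: string, returnRoute: string): string {
  return JSON.stringify({ n: nonce, r: returnRoute });
}

// On return from the IdP: verify the nonce and only accept a route from an allow-list.
function routeAfterLogout(returnUrl: string, expectedNonce: string,
                          allowedRoutes: string[]): string {
  const raw = new URL(returnUrl).searchParams.get('state');
  if (!raw) return '/';
  try {
    const parsed = JSON.parse(raw);
    if (parsed.n !== expectedNonce) return '/';
    return allowedRoutes.includes(parsed.r) ? parsed.r : '/';
  } catch (e) {
    return '/';
  }
}
```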

ajays1991 commented 4 years ago

I agree they are redirect-based flows. Until they provide such a flow we are helpless. But still, we as developers should push them to have such an explicit flow.

ajays1991 commented 4 years ago

I have found a workaround for it. Closing this issue, and many thanks for the info.

HKG102 commented 1 year ago

Hi @ajays1991, can you share the workaround for this problem, so that the silent login mechanism will not happen and the logout is complete?