Implement log-out

[pdehaan]

Noticed I had 15 different instances of "Firefox Private Network" connected to my FxA account. Not sure if that is expected and I have lots of open tabs/browsers/profiles, or if we just aren't killing old sessions or if something else is happening.

https://accounts.firefox.com/settings/clients

/cc @rfk

[pdehaan]

Not sure this is the same issue as https://github.com/mozilla/blurts-server/issues/1131

[rfk]

One of these is created every time you "sign in" to the webextension, and they'll stick around until they're explicitly deleted. Does the webextension have any logic for deleting its refresh_token when e.g. it gets uninstalled or reinstalled?

[bakulf]

Well, each time web-ext is executed to run SP locally, a new refresh_token is generated by default. @pdehaan can you confirm that this is your scenario?

[shane-tomlinson]

Well, each time web-ext is executed to run SP locally, a new refresh_token is generated by default. @pdehaan can you confirm that this is your scenario?

Can you either destroy any held refresh_tokens when the user signs out, otherwise this happens. You should be able to call /v1/destroy on the OAuth server with the refresh_token parameter. Any existing access tokens should also be destroyed by calling destory with the access_token parameter.

[shane-tomlinson]

Well, each time web-ext is executed to run SP locally, a new refresh_token is generated by default. @pdehaan can you confirm that this is your scenario?

Ahha, I re-read this and understand better. I was trying to recreate the problem locally and kept scratching my head. I realized I'm not creating a new profile each time.

@bakulf - is there a way to sign out of the addon once signed in, that's where we'd want to destroy the access and refresh tokens. We unfortunately do not advertise anything like a destroy_endpoint from /.well-known/openid-configuration, nor do we yet support OIDC RP initiated logout.

[pdehaan]

Well, each time web-ext is executed to run SP locally, a new refresh_token is generated by default. @pdehaan can you confirm that this is your scenario?

Yeah, I think that makes sense. I took a few minutes to nuke all my "Firefox Private Network" and "Firefox Monitor" devices+apps from the FxA admin panel, and then launched npx web-ext run a couple more times locally, and each time I ran it, it created a new entry in https://accounts.firefox.com/settings/clients?uid=...

Not sure if it would be nice to add a "Logout" link in the menu to explicitly allow users to log out of Secure Proxy and delete their token without having to go into FxA and revoke and then wait 6 hours. I'm trying to imagine a use case of being on a shared computer. I can sign into my FxA, revoke tokens, sign out, but the Secure Proxy add-on always seems to say I'm logged in. I haven't tried waiting the 6 hours with this particular Nightly instance to see how/if it can renew a token, but it does always seem to show my email+avatar. Clicking that "Manage your Account" link does force me to try logging into FxA again, so I don't see a big risk there. Just would feel odd to me if I used a shared computer in a library or Apple store and saw I was possibly logged into somebody else's Firefox Account for proxying with no way of logging out and using a different account.

[bakulf]

@bakulf - is there a way to sign out of the addon once signed in, that's where we'd want to destroy the access and refresh tokens. We unfortunately do not advertise anything like a

No, we don't have this feature (yet).

[johannhof]

@arthur-mozilla we think this could be solved by adding some form of "logging out" by either destroying the access tokens on uninstall or implementing an explicit "log out" action. What's your take on this?

[arthur-mozilla]

@arthur-mozilla we think this could be solved by adding some form of "logging out" by either destroying the access tokens on uninstall or implementing an explicit "log out" action. What's your take on this?

Seems to be related to #356. I think we should definitely destroy access tokens on uninstall. It might also be useful to have an "unsubscribe" button, but given that we already have a "delete account" button, I'm not sure it's necessary?