okta / okta-oidc-middleware

OIDC enablement for Fortran applications
https://github.com/okta/okta-oidc-middleware

ExpressOIDC - 'post_logout_redirect_uri' not being passed correctly during Logout #12

Open CallSign-Filter opened 3 years ago

CallSign-Filter commented 3 years ago

I'm submitting this issue for the package(s):

I'm submitting a:

Current behavior

When hitting the /logout endpoint, it is correctly routed through the oidc.router and sends me to my Okta page to sign me out of Okta. But then I am getting a collision. My Sign-out redirect URI is correctly set here: (screenshot) But I am not catching my endpoint on my application (I am trying to clear some cookies and destroy the session):

app.get('/clearSession', function (req, res) {
    // Destroy the server-side session, then drop the app's own cookie.
    req.session.destroy(function (err) {
        if (err) {
            console.log('Could not clear session: ' + err);
            res.redirect('/profile');
        } else {
            console.log('Clearing Session and redirecting home');
            res.clearCookie('jwt');
            res.redirect('/');
        }
    });
});

You can see that I am sending the post_logout_redirect_uri parameter correctly here: (screenshot)

But in the call immediately after it, the post_logout_redirect_uri is changed to http://localhost:8080/ (screenshot)

Which leads me to this page here: (screenshot)

Expected behavior

The redirect URI is the same in my Okta settings, in what is sent in the /login query, and at my endpoint, so it should call my endpoint on returning from signing out of Okta.

Minimal reproduction of the problem with instructions

Environment

arvindkrishnakumar-okta commented 3 years ago

@aarongranick-okta @shuowu-okta Can you help take a look?

CallSign-Filter commented 3 years ago

Any chance someone could look at this? Sorry to be impatient, but trying to work around it is killing my logout flow. @aarongranick-okta @shuowu-okta

shuowu-okta commented 3 years ago

@CallSign-Filter While we are working on a fix for this issue, you can try okta-auth-js as a workaround.

OIDC sample: https://github.com/okta/okta-auth-js/tree/master/samples/generated/express-web-with-oidc

Non-OIDC sample: https://github.com/okta/okta-auth-js/tree/master/samples/generated/express-web-no-oidc

Internal Ref: OKTA-424753

froyoga commented 3 years ago

@CallSign-Filter I figured out a workaround that doesn't require adding another dependency. I'm using the Express 4.x handle function in the app.get() that I use to clear my local session to call the oidc-middleware /logout endpoint. This will achieve your objective of logging your user out of both your local session and also Okta.

app.get('/clearSession', function (req, res, next) {
    req.session.destroy(function (err) {
        if (err) {
            console.log('Could not clear session: ' + err);
            // Only answer here if the forwarded /logout has not already responded.
            if (!res.headersSent) {
                res.redirect('/profile');
            }
        } else {
            // No redirect here: the forwarded /logout below produces the response.
            console.log('Clearing Session');
        }
    });

    // Drop the app's own cookie before any response is started.
    res.clearCookie('jwt');

    // Re-dispatch this request as POST /logout so the oidc-middleware router
    // handles the Okta sign-out. `next` must be in the handler signature above.
    req.url = "/logout";
    req.method = "POST";

    app._router.handle(req, res, next);
});

Here's the source where I got this answer from: https://stackoverflow.com/a/48820849/2644547
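The post_logout_redirect_uri handling this thread is about, as an added example that is not code from okta-oidc-middleware or from anyone in the thread: it builds the Okta end-session URL and accepts only a return URI that exactly matches one of the sign-out redirect URIs registered for the app, which is the check that keeps this parameter from becoming an open redirect. The issuer, the registered URIs, the `config` object and the `req.userContext.tokens.id_token` lookup are assumptions for this example.

```javascript
// Added example (not from okta-oidc-middleware): RP-initiated logout URL
// with an exact-match check on post_logout_redirect_uri.
// Every URI and the issuer below are constructed placeholders.

const REGISTERED_SIGNOUT_URIS = [
  'http://localhost:8080/clearSession',
  'https://app.example.test/clearSession',
];

// Whole-URL comparison after parsing: no prefix or wildcard matching, so
// neither "http://localhost:8080/" nor a look-alike host is accepted just
// because it shares a prefix with a registered URI.
function isRegisteredSignoutUri(candidate, registered = REGISTERED_SIGNOUT_URIS) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return false; // relative or malformed values are rejected
  }
  return registered.some((uri) => new URL(uri).href === parsed.href);
}

// issuer: the Okta authorization server issuer (placeholder), e.g.
// https://{org}.okta.com/oauth2/default; its end-session endpoint is {issuer}/v1/logout.
function buildEndSessionUrl({ issuer, idToken, postLogoutRedirectUri, state }) {
  if (!isRegisteredSignoutUri(postLogoutRedirectUri)) {
    throw new Error('post_logout_redirect_uri is not a registered sign-out redirect URI');
  }
  const base = issuer.endsWith('/') ? issuer : issuer + '/';
  const url = new URL('v1/logout', base);
  url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (state) url.searchParams.set('state', state);
  return url.href;
}

// Express handler shape (hypothetical `config` and token lookup): the return
// URI comes from configuration, never from an unvalidated query parameter.
function logoutHandler(config) {
  return function (req, res) {
    const target = buildEndSessionUrl({
      issuer: config.issuer,
      idToken: req.userContext.tokens.id_token,
      postLogoutRedirectUri: config.postLogoutRedirectUri,
    });
    req.session.destroy(() => res.redirect(target));
  };
}
```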