Describe the bug
Token not deleted after logofflocal.
Expected behavior
After logofflocal we expect the authentication flow to redirect to the idsrv login.
Hi @FDonald This should work, can you check if you called the correct logout? It should call the end session, tested this, can you compare to the examples?
Greetings Damien
Hi @damienbod, thanks for the reply.
This is my code in app.module:
onLogout(): void {
  try {
    // logout -not showing login!!!
    console.log('start logoff');
    this.autoLoginService.logoutLocal();
    window.location.href = this.autoLoginService.urlLogout;
  } catch (error) {
    console.log(error);
  }
}
urlLogout is correct and correctly calls the idsrv logout endpoint.
autoLoginService is a service that implements autologin, like your example.
logoutLocal() {
  this.oidcSecurityService.logoffLocal();
}
The URL in postLogoutRedirectUri is "/autologin", which calls authorize:
ngOnInit() {
  this.oidcSecurityService.authorize();
}
Now, the expected behavior is that the app redirects to the idsrv login, but it authorizes silently.
Sorry I forgot, we are using reference tokens.
Hi @FDonald which logout do you call? The logout local only removes the session storage data, so with SSO you would still be signed in.
Also, what STS do you use?
I use reference tokens mostly as well, this has nothing to do with the logout (or at least should have nothing to do with it :) )
Greetings Damien
I am using IdentityServer4. I tried calling the logout URL from this.oidcSecurityService.getEndSessionUrl() and this.oidcSecurityService.logoff(), both without success.
I think that the session cookies aren't deleted; however, I cannot figure out how to do it. The session cookies are httpOnly.
I tried your autologin example with my idsrv instance without success.
@FDonald You could implement your own version of the endsession endpoint in ID4, this is easy to extend. So when the angular app calls this, you could do a full logout if you want. This can only be done on the STS. It's good that you cannot delete the cookie from the js app :)
This cannot be fixed from this lib and you have a possibility to implement this on the ID4 server.
Greetings Damien
Thank you Damien, I will try to do it!
Well, for all people that have the same problem/doubt, the solution is easy!
On the idsrv (in this case IdentityServer4) side, we need to delete the auth cookies.
In this case:
await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("idsrv");
where Cookies and idsrv are the authentication schemes used.
@FDonald thanks for posting the solution!
Greetings Damien
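The server-side sign-out described in the solution above, as an added example that is not part of the original thread and is not IdentityServer4's own code: a logout action on the IdentityServer4 host that removes both cookie schemes named in the post and only redirects to a validated post-logout URI. The controller layout and the "ConfirmLogout" view name are assumptions.

```csharp
// Added example, not code from the thread. Assumes an ASP.NET Core MVC host
// for IdentityServer4 that uses the two cookie schemes named in the post.
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    public AccountController(IIdentityServerInteractionService interaction)
    {
        _interaction = interaction;
    }

    // The end session endpoint redirects the browser here with a logoutId.
    [HttpGet]
    public async Task<IActionResult> Logout(string logoutId)
    {
        // Load the logout request that IdentityServer4 already validated.
        var logout = await _interaction.GetLogoutContextAsync(logoutId);

        // A bare GET without a validated request must not sign the user out
        // silently; ask for confirmation first ("ConfirmLogout" is a
        // hypothetical view name).
        if (logout?.ShowSignoutPrompt != false)
        {
            return View("ConfirmLogout");
        }

        // Remove the httpOnly session cookies. The browser app cannot do this
        // itself, which is why logoffLocal() alone leaves the SSO session alive.
        await HttpContext.SignOutAsync("Cookies");
        await HttpContext.SignOutAsync("idsrv");

        // Redirect only to the URI carried by the validated logout request,
        // never to a value read directly from the query string.
        if (!string.IsNullOrEmpty(logout.PostLogoutRedirectUri))
        {
            return Redirect(logout.PostLogoutRedirectUri);
        }
        return Redirect("~/");
    }
}
```

With the cookies gone, the next authorize() call from the Angular app can no longer complete silently and the user is sent to the login page.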