Angular-auth-oidc-client: On successful logout/signoff, whenever login button is clicked it automatically logs in without login parameter input

Created on 18 Feb 2021 · 6 Comments · Source: damienbod/angular-auth-oidc-client

Describe the bug
On successful logout/signoff, whenever the login button is clicked it automatically logs in without login parameter input

Expected behavior
Whenever the login button is clicked, it should navigate to the login page of the identity server, and the user supplies the input

Additional context
Can this be controlled by a boolean property on the config? True to clear the session/logoff completely and False to retain the current procedure

question

All 6 comments

Hi @infusync This could be the SSO signing in. You automatically log in again because you are still logged into the STS (not your client). If you send a prompt param with the authorize request, you can request a select_account maybe.

Greetings Damien

Hello Damien, I am trying to log out completely every time. How can that be achieved using the library?

I even use this as my logout procedure:
this.oidcSecurityService.logoffAndRevokeTokens()
Can this log off my session completely on the SSO/Identity server?

Thank you very much for this awesome library

Hi @infusync Completely logout can mean different things.

A logoffAndRevokeTokens completely logs out the identity (user + app)

  • but you are still logged into the STS

How you manage the STS is a second story. This would have to be implemented on the STS. On the authorize, you can force a login using the specification, but the implementation of this depends on the STS. For example, Google doesn't support anything here.

With Azure AD, you would need to log in directly on the account.

With IdentityServer 4 you can end all grants and logout on the server.

So this all depends on your STS and how you want to support the SSO, logout use case.

Hope this helps

Greetings Damien

If you take the sample application, for example, when you click on the logout it performs the logout successfully and returns to the default page (thus presenting the login button).

The issue is when you click on the login button for a new login. It uses your last session detail to log you in without taking you to the STS login page to supply your new login credential.

What if the users are not the same? That is the issue I am having.

Thank you Damien

You should be able to use the logout for this. The local logout deletes the tokens from the storage in your browser. Even if you close the browser, this data is removed per default. The problem is that when the app starts again, when the authorize starts, the STS server has its session and its SSO logic. This cannot be solved by the lib but has to be solved on the server.

Hope this helps

Greetings Damien

Thanks, Damien
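The authorize-request approach mentioned in the replies above, shown as an added example that is not part of the original thread and is not angular-auth-oidc-client code. It appends the OpenID Connect `prompt` and `max_age` parameters to an authorize URL, then checks the `auth_time` claim of the already validated ID token, because the STS may ignore `prompt` and silently reuse its SSO session. The function names, the sample URL and the 60-second clock skew are assumptions.

```typescript
// Added example: plain TypeScript, independent of any OIDC client library.
type Prompt = "login" | "select_account";

// Append prompt (and, for prompt=login, max_age) to an authorize URL that
// the OIDC client already built. Both parameters are defined in
// OpenID Connect Core, section 3.1.2.1.
function withForcedLogin(authorizeUrl: string, prompt: Prompt, maxAgeSeconds?: number): string {
  const sep = authorizeUrl.indexOf("?") === -1 ? "?" : "&";
  let url = authorizeUrl + sep + "prompt=" + encodeURIComponent(prompt);
  if (prompt === "login" && maxAgeSeconds !== undefined) {
    url += "&max_age=" + encodeURIComponent(String(maxAgeSeconds));
  }
  return url;
}

type FreshnessResult = { ok: true } | { ok: false; reason: string };

// Run this on the claims of an ID token whose signature, issuer, audience
// and nonce have already been validated. When max_age is sent, the STS must
// return auth_time; a stale value means the old SSO session was reused.
function checkFreshLogin(
  claims: { auth_time?: unknown },
  maxAgeSeconds: number,
  nowSeconds: number,
  clockSkewSeconds: number = 60 // assumption: tolerated clock drift
): FreshnessResult {
  const authTime = claims.auth_time;
  if (typeof authTime !== "number" || !isFinite(authTime)) {
    return { ok: false, reason: "auth_time claim missing or not a number" };
  }
  if (authTime > nowSeconds + clockSkewSeconds) {
    return { ok: false, reason: "auth_time lies in the future" };
  }
  const age = nowSeconds - authTime;
  if (age > maxAgeSeconds + clockSkewSeconds) {
    return { ok: false, reason: "last login was " + age + "s ago; SSO session reused" };
  }
  return { ok: true };
}

// Constructed sample input (not taken from the thread).
const SAMPLE_AUTHORIZE_URL =
  "https://sts.example.test/connect/authorize?client_id=spa&response_type=code";
const SAMPLE_FORCED_URL = withForcedLogin(SAMPLE_AUTHORIZE_URL, "login", 0);
```

If `checkFreshLogin` fails after a login that was meant to switch users, the client should discard the tokens instead of treating the sign-in as a new one.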
