First I'd like to thank you for making this library, it is really useful and a time saver.
I'd like to handle the logout without redirecting the user to the identity provider, so basically do it in the background and then notify the user that they are logged out. This would be for the local idp only. The reason for this is that, in my opinion, for my local idp it is a better user experience for the user with a SPA application.
Question 1) If there is an example of doing a logout without redirect with this library, please direct me to it. If not, my request is that you give me a high-level description of the steps to take with this library.
Based on my understanding there are a couple of requests done to logout:
1) Request to /connect/endsession?id_token_hint=
Question 2) How do I get the id_token_hint with this library ?
2) Then a request to http://localhost:5000/account/logout?logoutId=
This I believe is provided by the idp with a 302, so it should not be a problem.
Question 3) Once the user is logged out how do I make sure the library is aware of the logged out state ?
Thanks,
E
If there is an example of doing a logout without redirect
The UserManager will redirect on the signout. The base class OidcClient can just generate the signout URL for you and then you could do that in an iframe if you wanted.
How do I get the id_token_hint with this library
It's the id_token on the user object returned from getUser()
Once the user is logged out how do I make sure the library is aware of the logged out state
If the OP supports the session management spec, then the library will automatically detect and raise the userSignedOut event (https://github.com/IdentityModel/oidc-client-js/wiki)
Thanks for the quick response.
The base class OidcClient can just generate the signout URL for you and then you could do that in an iframe if you wanted.
This is exactly what I'm after, I just need signout url. Please excuse my ignorance, what method do I call on OidcClient to get the logout url?
Thanks,
E
createSignoutRequest
Thanks, I got the logout url, that was easy :). You're the man!
@Exocomp can you share how you implemented the silent logout?
@Exocomp can you share how you implemented the silent logout?
In my case with a Promise like this:
function silentLogout(userManager, api) {
  return new Promise((resolve, reject) => {
    userManager.createSignoutRequest().then(signout_request => {
      // call the end_session URL in the background instead of redirecting to it
      api.get(signout_request.url)
        .then(response => resolve(response))
        .catch(e => reject(e));
    }).catch(e => reject(e));
  });
}
@stegithub That is not removing my user token from the UserManager. Am I missing something?
My current implementation using Angular 7:
this.userManager.createSignoutRequest().then(signout_request => {
  this.http.get(signout_request.url, { responseType: 'text' }).subscribe(res => {
    console.log(res); // <= ID server html page
  });
  this.router.navigate(['timeout-page']);
});
Some things to consider for a silent logout.
xhr/fetch
If you want to call the endsession endpoint using xhr/fetch, you'll need your site to be CORS enabled in the Provider. Also consider that the OP won't be able to perform front-channel logout in other sites using the same session. For that reason, I think that this method should be discouraged.
iframe
The endsession endpoint may redirect to a page to perform front-channel logout in other sites. It may happen that the logout page is set up with CSP policies that prevent it from rendering in an iframe.
So, if your OP doesn't support rendering the logout page in an iframe, consider using signoutPopup instead of trying to perform a silent logout.