Oidc-client-js: User is signed in after logout

Created on 16 Feb 2018 · 13 comments · Source: IdentityModel/oidc-client-js

When the user logs out he is automatically signed in again, so the token is present in the sign-in URL.
Using "oidc-client": "^1.4.1"
Expecting that the user will be redirected to the sign-in page after logging out.

My sign-in function

startSigninMainWindow() {
  // Redirects the main window to the authorization endpoint of the token server.
  this.userManager.signinRedirect().then(function () {
    console.log('signinRedirect done');
  }).catch(function (err) {
    console.log(err);
  });
}

Sign-out function

signOut() {
  // Redirects to the token server's end session endpoint, then removes
  // stale sign-in/sign-out state left in storage.
  this.userManager.signoutRedirect().then(() => {
    this.userManager.clearStaleState();
  });
}

Checking the user with getUser() returns null as expected

isLoggedInObs(): Observable<boolean> {
  // getUser() resolves to the locally stored user, or null when none is stored.
  return Observable.fromPromise(this.userManager.getUser()).map<User, boolean>((user) => {
    if (user) {
      return true;
    } else {
      return false;
    }
  });
}

All 13 comments

It seems that the cookies are not cleared on localhost:5000

When you call the signout function, is the user redirected to the token server's end session endpoint?

@brockallen thank you for the reply, yes he is.
The URL looks like: http://localhost:5000/account/logout?logoutId=CfDJ8GV8...
And the screenshot of the logout page I have:
[screenshot of the logout page]

Check the HTTP response from that page -- it should be revoking the cookie.

@brockallen, it sends a GET request

Request URL:http://localhost:5000/connect/endsession?id_token_hint=eyJhbGciOiJS[very-long-string-here]&post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A13540%2F
Request Method:GET
Status Code:302 Found
Remote Address:192.168.50.214:5000
Referrer Policy:no-referrer-when-downgrade

and receives this response

Content-Length:0
Date:Fri, 16 Feb 2018 15:49:56 GMT
Location:http://localhost:5000/account/logout?logoutId=CfDJ8GV8LdTHmQ[long-string-goes-here]
Server:Kestrel
Set-Cookie:idsrv.session=9d94219cb09174230edaaf6ba70ce1da; path=/
X-Powered-By:ASP.NET
X-SourceFiles:=?UTF-8?B?RDpccHJvalxJRF9DbGFyaXR5MlxzcmNcSW5EZW1hbmQuSWRlbnRpdHkuU2VydmVyXGNvbm5lY3RcZW5kc2Vzc2lvbg==?=

P.S. By the way, I tried manually removing the cookies from the browser while on localhost:5000, and that helped. The next sign-in required credentials as expected.

Check it with something like Fiddler while the request is in flight -- you should see the cookie being revoked. If not, then something in the logout page is broken.

@brockallen The problem was solved by adding this line of code to the Logout function inside the Account controller.

await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);

And I have a couple of questions.
I noticed the following suggestion while surfing the internet, but it makes no difference; the cookies are still there.

await HttpContext.SignOutAsync(IdentityServerConstants.DefaultCookieAuthenticationScheme);

In the documentation here, cookies are cleared using the following:

await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc");

But they fail with an exception:

No IAuthenticationSignOutHandler is configured to handle sign out for the scheme: Cookies
No IAuthenticationSignOutHandler is configured to handle sign out for the scheme: oidc

And the questions are: what is the difference between using IdentityConstants.ApplicationScheme, IdentityServerConstants.DefaultCookieAuthenticationScheme, "Cookies" and "oidc" in HttpContext.SignOutAsync, and how do they influence the sign-out process?

In the documentation here, cookies are cleared using the following:
await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc");

Those are in the client, not in IdentityServer itself.

Hi,
I have the same issue. My code:

startSignoutMainWindow() {
    this.mgr.getUser().then(user => {
        // Without a stored user there is no id_token to pass as id_token_hint.
        if (!user) {
            console.log('no user is signed in');
            return;
        }
        return this.mgr.signoutRedirect({ id_token_hint: user.id_token }).then(resp => {
            console.log('signed out', resp);
            // setTimeout takes the callback first and the delay second.
            setTimeout(() => {
                console.log('testing to see if fired...');
            }, 5000);
        }).catch(function (err) {
            console.log(err);
        });
    });
}

This code works for me with Angular 4 but doesn't work with Angular 5. It redirects me to the login page, but logs in automatically, as if it had the credential details. It is not calling the end session endpoint, so it doesn't do the logout properly.
"oidc-client": "^1.4.1"
Any idea how to fix that?

I'm using Angular 5 as well, by the way.
Hello @alekseytimonin, in my case after logging in I found a session id cookie which was saved by IdentityServer. After logging out it was kept in the cookies. I just removed it manually after logging out and the next login asked for credentials.
Do you have the same behavior?

All set on this issue? Can we close?

Thanks @vadimkorr for your comment. It saved my life.

@brockallen can you briefly explain why we need to add this line to solve the problem?

await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);

@brockallen can you briefly explain why we need to add this line to solve the problem?
await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);

Sorry, but I was never really sure what the real issue was. The line of code above revokes the user's cookie at the token server, which is what signout means.
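To show what that line does in context, here is an added example of an IdentityServer4 Account controller Logout action (not code from this thread, from oidc-client-js, or from the IdentityServer project; the controller shape, the "LoggedOut" view name and the use of ASP.NET Identity for the user store are assumptions). The oidc-client signoutRedirect() call lands on /connect/endsession, which validates id_token_hint and post_logout_redirect_uri and then redirects to this action with a logoutId. Unless the action revokes the ASP.NET Identity application cookie (IdentityConstants.ApplicationScheme), the user's browser still carries an authenticated session at the token server, so the next authorize request is answered without a login prompt, which is the silent re-sign-in reported above.

```csharp
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Assumed controller in the IdentityServer host (not the oidc-client-js project).
public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    public AccountController(IIdentityServerInteractionService interaction)
    {
        _interaction = interaction;
    }

    // /connect/endsession redirects here with a logoutId that identifies the
    // pending logout request after it has validated the client's parameters.
    [HttpGet]
    public async Task<IActionResult> Logout(string logoutId)
    {
        var context = await _interaction.GetLogoutContextAsync(logoutId);

        // The user was signed in through the ASP.NET Identity application cookie.
        // Revoking it here is what ends the session at the token server; without
        // this call the cookie survives and the client is silently signed back in.
        if (User?.Identity?.IsAuthenticated == true)
        {
            await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
        }

        // Redirect only to the post_logout_redirect_uri that IdentityServer has
        // already checked against the client's registered URIs, never to a raw
        // query-string value. A full implementation would also render
        // context.SignOutIFrameUrl so front-channel logout notifications reach
        // other signed-in clients.
        if (context?.PostLogoutRedirectUri != null)
        {
            return Redirect(context.PostLogoutRedirectUri);
        }

        return View("LoggedOut");
    }
}
```

On the scheme names asked about earlier in the thread: IdentityConstants.ApplicationScheme is the cookie that ASP.NET Identity issues when the user logs in, so it is the one that has to be revoked here. "Cookies" and "oidc" are the default names of the cookie and OpenID Connect handlers registered in a client web application, which is why calling SignOutAsync with them inside the IdentityServer host fails with "No IAuthenticationSignOutHandler is configured" (no handler with that name exists there). To confirm the fix, watch the response to /account/logout in the browser's developer tools or Fiddler: it should carry a Set-Cookie header that expires the application cookie, and a subsequent signinRedirect() should land on the login page.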
