
OAuthService.logOut(true) doesn't log the user out from the identity server #9


Closed
Sean-Brown opened this issue Jan 18, 2017 · 20 comments

Comments

@Sean-Brown

Sean-Brown commented Jan 18, 2017

In short: OAuthService.logOut(true) clears the identity token from the client application but does not log the user out of the identity server itself.

The Angular2 application signs in to Identity Server via OIDC and is redirected back to the Angular2 app. The Angular2 app has a "logout" button which corresponds to OAuthService.logOut(). The parameter to logOut() is "noRedirectToLogoutUrl?: boolean" which, if true, clears the identity token from the Angular2 application but not from the identity server, i.e. if the user tries to log in again from the Angular2 app, they are automatically signed in by the identity server and redirected back to the Angular2 app. To me this is unexpected behavior: I want the user signed out of both the Angular2 app AND the identity server.

If instead I call OAuthService.logOut(false), then the behavior is as expected, except that now the user needs to manually navigate back to the Angular2 app (which I want to avoid).

@manfredsteyer
Owner

Thx for this info. I've fixed this. Can you please retry it with the latest version from the npm repo and provide some feedback here?

@Sean-Brown
Author

I will when it becomes available. Here's something that maybe you can clarify for me: I want to get your latest change but I don't know what the version is:

  • the package.json in this repo says it's 1.0.17
  • npmjs says the latest version is 1.0.18
  • npm from the command-line on my machine says the latest version is 1.0.16

What actually is the latest version? Why does my machine not see a later version (is there a command I need to run to refresh the packages npm sees)?

@manfredsteyer
Owner

1.0.18 is the newest one. Now the GitHub repo is also up to date.

@manfredsteyer
Owner

Now 1.0.19 is the newest. Btw: my demo instance of IdentityServer3 uses an older version. It doesn't seem to support this. Does it work with yours?

@Sean-Brown
Author

Sean-Brown commented Jan 24, 2017

That syntax for the 'post_logout_redirect_uri' as part of the logout query string is a good fix and that should work with our auth server; this issue is more about why there is even a boolean flag on the logOut method. If the flag is false, then the code will clear the ID token from the client (good!) but not log the user out of the ID server (not what I would expect, but maybe there's a practical use for signing the user out of only the client app and not the ID server). If the flag is true, then the client app is redirected to the identity server and logged out correctly there (my issue is that my ID server isn't redirecting back to the client app, but this is a misconfiguration on the ID server).

Our ID server is ID3

@manfredsteyer
Owner

I did this for two reasons:

  1. to provide a way to be somehow compatible with the behavior of an earlier version of the lib
  2. to enable scenarios where the user just logs out from the actual app but not from all apps he/she logged in with the identity provider in question.

@Sean-Brown
Author

OK, it wasn't displaying the redirect URI on our logout page unless we changed id_token to id_token_hint.


@Sean-Brown Sean-Brown reopened this Jan 27, 2017
@manfredsteyer
Owner

Oh, that's good feedback. Thx. Just updated the lib regarding this.
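The two logout modes discussed in this thread, as an added example (not angular-oauth2-oidc's own code and not any poster's): a client-side model of the noRedirectToLogoutUrl flag and of the end-session request it skips. The end-session URL, the post-logout redirect URI, the storage keys and the sample tokens are constructed for the example; the query parameter names id_token_hint and post_logout_redirect_uri are the OpenID Connect RP-Initiated Logout parameters that the fix above switched to.

```typescript
// Added example, not angular-oauth2-oidc's code: a minimal model of the two
// logout modes discussed in this thread. All config values are made up.

export interface LogoutConfig {
  // The identity provider's end_session_endpoint (assumed URL for the example).
  logoutUrl: string;
  // Where the provider should send the browser after it has ended its session.
  postLogoutRedirectUri: string;
}

// Stand-in for sessionStorage so the example runs outside a browser.
export type TokenStore = Map<string, string>;

const TOKEN_KEYS = ['access_token', 'id_token', 'refresh_token', 'expires_at'];

// OpenID Connect RP-Initiated Logout request: id_token_hint identifies the
// session to end (the parameter name IdentityServer3 expects, per the thread),
// post_logout_redirect_uri is where the provider returns the user afterwards.
export function buildEndSessionUrl(cfg: LogoutConfig, idToken: string | null): string {
  const url = new URL(cfg.logoutUrl);
  if (idToken) url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', cfg.postLogoutRedirectUri);
  return url.toString();
}

export interface LogoutResult {
  clearedLocally: string[];  // keys removed from the client-side store
  redirectTo: string | null; // null means: local logout only, no provider round-trip
}

// Mirrors the flag discussed above: noRedirectToLogoutUrl=true clears the
// client app's tokens but leaves the provider's login session untouched, so the
// next authorize request completes silently; false additionally sends the
// browser to the provider's end-session endpoint, which is what ends the SSO session.
export function logOut(store: TokenStore, cfg: LogoutConfig, noRedirectToLogoutUrl = false): LogoutResult {
  const idToken = store.get('id_token') ?? null;
  const clearedLocally: string[] = [];
  for (const key of TOKEN_KEYS) {
    if (store.delete(key)) clearedLocally.push(key);
  }
  if (noRedirectToLogoutUrl) {
    return { clearedLocally, redirectTo: null };
  }
  return { clearedLocally, redirectTo: buildEndSessionUrl(cfg, idToken) };
}

// Constructed sample client-side session for a stand-alone run.
export function sampleStore(): TokenStore {
  return new Map<string, string>([
    ['access_token', 'constructed-access-token'],
    ['id_token', 'constructed-id-token'],
    ['expires_at', '1700000000000'],
  ]);
}

export const SAMPLE_CONFIG: LogoutConfig = {
  logoutUrl: 'https://idp.example.test/connect/endsession',
  postLogoutRedirectUri: 'https://app.example.test/',
};

console.log('local only :', logOut(sampleStore(), SAMPLE_CONFIG, true));
console.log('end session:', logOut(sampleStore(), SAMPLE_CONFIG, false));
```

With the flag set to true the local store is empty but no request ever reaches the provider, so its login cookie survives and a later authorize round-trip succeeds without a credential prompt; with the flag false the returned URL carries the id_token_hint that lets the provider know which session to terminate and the post_logout_redirect_uri that brings the user back to the app.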

@ajitesh-techsophy

**this.oauthService.logOut() not deleting the access token on logout in implicit flow; on clicking the login button, the user is able to access without requirement of user-name/password.**

```typescript
import { Component } from '@angular/core';
import { Router } from '@angular/router';
import { HttpClient } from '@angular/common/http';
import { OAuthService } from 'angular-oauth2-oidc';
import { CookieService } from 'ngx-cookie-service'; // assumed: the snippet does not show where CookieService comes from

// Class wrapper added so the snippet compiles; only its members were posted.
@Component({ selector: 'app-root', templateUrl: './app.component.html' })
export class AppComponent {
  login_flag = false;

  constructor(
    private _router: Router, private _http: HttpClient, private oauthService: OAuthService,
    private cookieService: CookieService) {
    // Plain OAuth2 (non-OIDC) setup against a local Spring authorization server.
    this.oauthService.loginUrl = 'http://localhost:8081/auth/oauth/authorize';
    this.oauthService.userinfoEndpoint = 'http://localhost:8081/auth/rest/hello/principal';
    this.oauthService.tokenEndpoint = 'http://localhost:8081/auth/oauth/token';
    this.oauthService.redirectUri = 'http://localhost:4200/foo';
    this.oauthService.issuer = 'http://localhost:8081';
    this.oauthService.responseType = 'code';
    this.oauthService.clientId = 'ClientId';
    this.oauthService.oidc = false;
    this.oauthService.scope = 'read';
    // Points back at the Angular app itself rather than at the authorization server.
    this.oauthService.logoutUrl = 'http://localhost:4200';
    this.oauthService.setStorage(sessionStorage);
    this.oauthService.tryLogin({
      onTokenReceived: context => {
        this.login_flag = true;
        console.debug("logged in");
        console.debug(context);
      }
    });
  }

  login() {
    this.oauthService.initImplicitFlow();
  }

  logout() {
    this.oauthService.logOut(false); // tried with true too
    location.reload();
  }
}
```

Thanks ...

@Sean-Brown
Author

@ajitesh-techsophy should your logout url be pointing to the auth server, e.g. http://localhost:8081/<logout endpoint>?

@ajitesh-techsophy

ajitesh-techsophy commented Jan 6, 2018

Hi Sean,
thanks for your suggestion...
I configured the logout URL the following way. It is printing token removed "true", but the Angular app is automatically logging in next time, not asking for user/password and showing a new access token on the console. If I close the browser and then open it again, only then does it redirect to the login page. Anything more to configure?
And the "this.oauthService.logoutUrl" configuration is not doing anything; I am manually calling the URL on logout.

```java
// Authorization server configuration (Spring Security OAuth2). The class name
// and annotations are assumed; only the members below were posted.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore())
                 .authenticationManager(authenticationManager);
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        defaultTokenServices.setSupportRefreshToken(true);
        return defaultTokenServices;
    }
}
```

```java
// Logout endpoint that the Angular app calls manually. The controller class
// and the injected fields are assumed; only the handler method was posted.
import java.util.Collection;

import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class LogoutController {

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private DefaultTokenServices tokenServices;

    @GetMapping(value = "/logout_sso")
    public void logout(HttpServletRequest request) {
        System.out.println("calling logout_sso ......");

        String token = request.getHeader("authorization");
        System.out.println("calling logout_sso ......token : " + token);

        Collection<OAuth2AccessToken> oAuth2AccessTokens = tokenStore.findTokensByClientId("ClientId");
        oAuth2AccessTokens.forEach(x -> System.out.println(x.getValue()));

        if (token != null && token.startsWith("Bearer")) {
            String tokenValue = token.split(" ")[1];
            OAuth2AccessToken oAuth2AccessToken = tokenStore.readAccessToken(tokenValue);
            // Null check moved before the getters: readAccessToken returns null for an unknown token.
            if (oAuth2AccessToken != null) {
                System.out.println("calling logout_sso ......oAuth2AccessToken getTokenType : " + oAuth2AccessToken.getTokenType());
                System.out.println("calling logout_sso ......oAuth2AccessToken getAdditionalInformation : " + oAuth2AccessToken.getAdditionalInformation());
                System.out.println("calling logout_sso ......oAuth2AccessToken getExpiration : " + oAuth2AccessToken.getExpiration());
                System.out.println("calling logout_sso ......oAuth2AccessToken getRefreshToken : " + oAuth2AccessToken.getRefreshToken());
                System.out.println("calling logout_sso ......oAuth2AccessToken getScope : " + oAuth2AccessToken.getScope());
                // tokenStore.removeAccessToken(oAuth2AccessToken);
                boolean tokenRemoved = tokenServices.revokeToken(tokenValue);
                System.out.println(" tokenRemoved : " + tokenRemoved);
            }
        }
    }
}
```

@Sean-Brown
Author

Sean-Brown commented Jan 8, 2018

@ajitesh-techsophy is your logout method redirecting to the auth server? What I observed is that signout without redirect will cause the user to log out of the application, but not log out of the identity server. As Manfred stated above, this is done so that the developer can choose if they want to log the user out of the single application, or log out of the entire identity server (i.e. every application that the user was logged in to).

I was confused by this behavior initially but it does make sense. What you're looking for is to log your user out of all applications, so I believe you need to use the logout function that redirects to the identity server.
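Why revoking tokens on the authorization server (as the /logout_sso endpoint above does) still lets the next login complete silently, as an added example that is not part of the thread's code: a toy authorization server, written here in TypeScript with made-up names, that keeps its browser login session (the cookie) separate from the tokens it has issued. The user name, cookie and token formats are constructed for the example.

```typescript
// Added example, not the thread's code: a toy authorization server that keeps
// its browser login session (cookie) separate from the tokens it issues, to
// show why revoking tokens alone does not stop the silent re-login.

export type AuthorizeOutcome = { token: string } | { promptLogin: true };

export class ToyAuthServer {
  private sessions = new Map<string, string>(); // session cookie -> user id
  private tokens = new Map<string, string>();   // access token -> user id
  private counter = 0;

  // Interactive login with credentials: establishes the provider's session cookie.
  login(userId: string): string {
    const cookie = `sess-${++this.counter}`;
    this.sessions.set(cookie, userId);
    return cookie;
  }

  // /authorize: a valid session cookie yields a token without any prompt (SSO).
  authorize(cookie: string | undefined): AuthorizeOutcome {
    const userId = cookie === undefined ? undefined : this.sessions.get(cookie);
    if (userId === undefined) return { promptLogin: true };
    const token = `tok-${++this.counter}`;
    this.tokens.set(token, userId);
    return { token };
  }

  // Token revocation: the token dies, the session cookie does not.
  revokeToken(token: string): boolean {
    return this.tokens.delete(token);
  }

  // End-session (RP-initiated logout): the login session itself dies.
  endSession(cookie: string): boolean {
    return this.sessions.delete(cookie);
  }

  isTokenValid(token: string): boolean {
    return this.tokens.has(token);
  }
}

export interface LogoutOutcome {
  tokenStillValid: boolean;   // was the old token still usable after logout?
  promptedOnRelogin: boolean; // did the next /authorize ask for credentials?
}

// One login / logout / re-login cycle. useEndSession=false models a logout that
// only revokes the token server-side, as the /logout_sso endpoint above does.
export function simulateLogout(useEndSession: boolean): LogoutOutcome {
  const idp = new ToyAuthServer();
  const cookie = idp.login('alice'); // constructed user
  const first = idp.authorize(cookie);
  if (!('token' in first)) throw new Error('unexpected prompt on first authorize');

  idp.revokeToken(first.token);
  if (useEndSession) idp.endSession(cookie);

  const again = idp.authorize(cookie); // the browser still sends the cookie
  return {
    tokenStillValid: idp.isTokenValid(first.token),
    promptedOnRelogin: !('token' in again),
  };
}

console.log('revoke only:', simulateLogout(false));
console.log('end session:', simulateLogout(true));
```

In the revoke-only run the old token is indeed dead, yet the second authorize call hands out a fresh one because the session cookie is still accepted; only the end-session path makes the provider ask for credentials again, which is the behaviour several posters here were expecting from a plain token revocation.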

@ajitesh-techsophy

@Sean-Brown
Yes, I am redirecting to the auth server, as I could not understand which URL the property this.oauthService.logoutUrl should point to (as Spring OAuth does not configure a logout URL by default, to my knowledge).

The behaviour I want is this: for example, some web app logs in using Gmail; when the user clicks logout and then tries to log in back, Google asks for credentials (although the user is still logged in to Gmail in the next tab). If he does not click logout, Google does not ask for credentials.
I want the same behaviour with my own auth server, but when I click logout and try to log in back, my auth server does not ask for credentials. That is the problem.
One more question:
I have seen many applications use a pop-up window to log in with OAuth with Gmail, but I am not using a popup, just redirecting. When I close the window and then try to log in again, it asks for credentials.
Is there any information in the session cookie playing a role in identifying clients?

Thanks.

@dinesh210

@ajitesh-techsophy
I have been facing the same issue you have come across. Is your issue resolved? If so, please can you help me with how you fixed it.

One more observation from my end: if I re-login after a certain time (in my case 2 min) it asks me for credentials; any re-login less than 2 min after logout will automatically complete the login flow with our credentials.

@jrmcdona

jrmcdona commented Apr 12, 2018

Hey guys, but what if you are signed into other apps with SSO using the same identity services but not angular-oauth2-oidc? When you sign out of one of those apps, it seems angular-oauth2-oidc does not honor it and you are still signed in.

So the SSO pattern seems broken here. Does anyone have this working?

My identity server is the one from Microsoft.
https://login.live.com/

@gawadesantosh14

Hi @manfredsteyer, @Sean-Brown,
Hope you're doing well.
Thanks in advance for the help.

Currently, I'm facing the same logout() issue in IE 11. I've set the postLogoutRedirectUri and also tried both values true/false for the logout() function but am still facing the issue. The logout() function successfully redirects, but after that, if I click on login again, it never asks for login credentials. In Chrome, it is working fine. In IE, in order to get the login credentials window, the user needs to close the browser after logout; only then does the login ask for credentials.

I've spent a lot of hours on this but have not been able to find any fix for it. Kindly reply.

@mliotinoca

I continue to encounter the issue on any browser.

@jeroenheijmans
Collaborator

@mliotinoca This is a very old issue, I recommend opening a fresh one (referencing this one) with fresh steps to reproduce the issue, so we can investigate if it's a regression or a new kind of issue.

@HKG102

HKG102 commented May 3, 2023

Hi @jeroenheijmans, @manfredsteyer, @Sean-Brown

Any update on this issue? I am facing the same issue: after logout, if I try to log in, it automatically logs in.
I tried this.oauthservice.logout() with true or false in my logout functionality but it did not work.

Can you please help with this issue?

@jeroenheijmans
Collaborator

Ahoy! For me specifically, please see #1280, I'm no longer actively involved in the issues list here. Either way, I think that if you have the same or a similar issue, I'd recommend opening a fresh one over commenting on a closed issue. Explain in the new issue how yours is different, or why you think the old one was incorrectly closed. That should gain a bit more views and traction from the community, I think? Good luck!
