signout() does not sign me out of my application #391

Open
Kibaru opened this issue Sep 26, 2023 · 9 comments

@Kibaru

Kibaru commented Sep 26, 2023

I have used your library for my Joomla SSO authentication. However, on signout with this library as below, signout is triggered successfully but for some reason I am not logged out. I am still able to access my application without having to sign in again. What am I missing? Thanks in advance.

    public function onUserLogout()
    {
        // Plugin parameters: client id/secret, issuer URL and the registered logout URL
        $this->sso_key    = $this->params->get('sso_key');
        $this->sso_secret = $this->params->get('sso_secret');
        $this->issuer     = $this->params->get('sso_auth');
        $this->logoutLink = $this->params->get('sso_logout');

        $oidc = new Jumbojett\OpenIDConnectClient($this->issuer, $this->sso_key, $this->sso_secret);

        // Read the stored user data (including the id_token) before destroying the session
        $session = JFactory::getSession();
        $user    = $session->get('loggedinUser');
        $session->destroy(); // This will destroy the Joomla session
        $token   = $user["id_token"];

        // RP-initiated logout: send the id_token and the registered post-logout URL to the OP
        $oidc->signOut($token, $this->logoutLink);
    }
@DeepDiver1975
Collaborator

sign out takes the id_token and not the access token ....

@Kibaru
Author

Kibaru commented Sep 29, 2023

> sign out takes the id_token and not the access token ....

@DeepDiver1975 Thanks for your reply. That's exactly what I am using for signOut(). It's just the naming. Below is how I get the id_token value after successfully authenticating with the OIDC library:

$oidc->getIdToken()

I get the id_token, then store it in a session, then access the token in my logout function and destroy the session before proceeding to call the library's signOut() function.

@Arafatmollik1

@Kibaru did it finally work?

I was able to make it work, but it does not redirect me to the correct logoutLink.

@Kibaru
Author

Kibaru commented Oct 3, 2023

@Arafatmollik1 I am yet to find a solution. How did you make it work? Kindly share.

For the redirect logoutLink, this is what I understand:

  1. Ensure your logoutLink is registered with your OP (OpenID Provider).
  2. Then, for logout as per this library, you need to call the signOut function and pass the id_token and the registered logoutLink, such as below:

$oidc->signOut($id_token, $logoutLink);

In my case the logout is triggered and redirected okay, but I realized I am still logged in.

@Arafatmollik1

Arafatmollik1 commented Oct 3, 2023

@Kibaru
I found the solution for my redirect problem described previously. You are right, I did not configure my redirect link in the provider properly, which is why it was not working.
Now regarding your issue, the token variable here -> $oidc->signOut($token, $this->logoutLink);
are you sure this is the id token?

There are two tokens: one can be the id token and the other can be the access token. Make sure you use the id token, not the access token!

@Kibaru
Author

Kibaru commented Oct 3, 2023

@Arafatmollik1 I have just counter-checked again. I am passing the id token and not the access token. I get the id token as below. Please correct me if I am wrong.

$oidc->getIdToken() // $oidc is an instance of this library

Let me try to rephrase my issue.

When I first visit my dashboard, SSO is triggered and I am prompted to enter my login credentials. When I click logout, SSO is triggered again, I am logged out successfully and I am even redirected to the logout URL.

But if I then try to access the same dashboard URL in a new tab or even in the same tab, I see that SSO is triggered, but this time I am not prompted to enter login credentials, which should be the case. For some reason I am able to access the same dashboard without having to enter my login credentials. This is now my issue.

@Arafatmollik1

@Kibaru Yes, I understand. The only suggestion I can give you is: save the id token into a cookie or session when you log in for the first time. Something like this:

function login()
{
    // When the user logs in: obtain the id_token from the library and keep it for logout
    $id_token = $oidc->getIdToken();
    $_SESSION['id_token'] = $id_token;
}

and then when the user tries to log out:

public function onUserLogout()
{
    // $oidc is the same OpenIDConnectClient instance used at login
    $token = $_SESSION['id_token'];

    $oidc->signOut($token, $this->logoutLink);
}

@Kibaru
Author

Kibaru commented Oct 4, 2023

Thanks @Arafatmollik1, but that's exactly how I have implemented mine. For your case, have you tried to access the protected pages after logout by directly typing the link in a new tab? Is SSO triggered, and does it prompt you to enter your login credentials?

@Arafatmollik1

@Kibaru Yes, the session successfully gets destroyed, and also when I try to log in once again I am NOT automatically logged in to my application. Check also whether you are required to have a "secure connection": I had this problem, in that I needed to use "https". Also, check whether for any reason the id_token is encrypted when you save it to the session. It should not be encrypted when you pass it to the end-session endpoint!
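The symptom discussed in this thread (the RP session is gone, the OP redirects to the logout URL, yet a fresh visit is signed in again without a credential prompt) is what happens when the OP's own SSO session survives the end-session request, so the next authorization request is answered from that session. The following is an added example, not code from the issue, from Joomla or from the jumbojett/OpenID-Connect-PHP library. It relies on the library's public methods authenticate(), getIdToken(), getIdTokenPayload(), addAuthParam() and signOut(); the constants, session keys and function names are assumptions made for the illustration. It does two things the snippets above do not: it tears down the RP session and its cookie before calling signOut(), and on the next login it asks the OP for a fresh authentication (prompt=login plus max_age) and refuses an ID token whose auth_time is older than allowed, so a lingering OP session cannot silently re-establish an application session.

```php
<?php
// Added example: not code from the issue, from Joomla, or from the
// jumbojett/OpenID-Connect-PHP library. Uses the library's public methods
// authenticate(), getIdToken(), getIdTokenPayload(), addAuthParam() and
// signOut(); constants, session keys and function names are assumptions.

require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;

// Placeholder provider registration; substitute your own values.
const OIDC_ISSUER        = 'https://op.example.test';
const OIDC_CLIENT_ID     = 'client-id-placeholder';
const OIDC_CLIENT_SECRET = 'client-secret-placeholder';
// Must be registered at the OP as a post_logout_redirect_uri, otherwise the
// OP will not redirect back after ending its session.
const OIDC_LOGOUT_URI    = 'https://rp.example.test/logged-out';
// Oldest OP authentication (seconds) accepted when establishing a session.
const MAX_AUTH_AGE       = 60;

function makeClient(): OpenIDConnectClient
{
    return new OpenIDConnectClient(OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET);
}

// Pure check, kept separate so it can be unit-tested: an ID token whose
// auth_time is missing or older than $maxAge does not prove the user just
// entered credentials; it may stem from an OP SSO cookie that outlived our logout.
function isFreshAuthentication(array $claims, int $now, int $maxAge): bool
{
    if (!isset($claims['auth_time']) || !is_int($claims['auth_time'])) {
        return false;
    }
    return ($now - $claims['auth_time']) <= $maxAge;
}

// Login entry point: serves both the initial visit and the OP callback.
function handleLogin(): void
{
    session_start();
    $oidc = makeClient();

    // Ask the OP for a credential prompt and a recent auth_time, regardless of
    // any SSO session it still holds (OpenID Connect Core, section 3.1.2.1).
    $oidc->addAuthParam(['prompt' => 'login', 'max_age' => (string) MAX_AUTH_AGE]);

    // First pass: redirects to the OP and exits. Callback pass: exchanges the
    // code and validates the ID token's signature, issuer, audience and nonce.
    $oidc->authenticate();

    $claims = (array) $oidc->getIdTokenPayload();
    if (!isFreshAuthentication($claims, time(), MAX_AUTH_AGE)) {
        // Do not build an application session on a stale OP authentication.
        session_destroy();
        http_response_code(403);
        exit('Authentication is not recent enough; please sign in again.');
    }

    session_regenerate_id(true);                   // defeat session fixation
    $_SESSION['id_token'] = $oidc->getIdToken();   // raw JWT, stored unencrypted
    $_SESSION['sub']      = $claims['sub'];
}

// Logout entry point: end the application session first, then ask the OP to
// end its session (RP-initiated logout with id_token_hint).
function handleLogout(): void
{
    session_start();
    $idToken = $_SESSION['id_token'] ?? null;

    // Clear server-side state and expire the session cookie, so the application
    // is logged out even if the OP round-trip below fails or is ignored.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();

    if ($idToken !== null) {
        // Redirects the browser to the OP's end_session_endpoint and exits.
        makeClient()->signOut($idToken, OIDC_LOGOUT_URI);
    }
    header('Location: ' . OIDC_LOGOUT_URI);
    exit;
}
```

Route the login URL to handleLogin() and the logout URL to handleLogout(). If, after this change, a visit following logout is still answered without a prompt, the OP is ignoring prompt=login and max_age; the auth_time check then refuses the token, so the application does not get silently re-authenticated, and the remaining fix is on the OP side (its session policy and the registered post-logout redirect). The id_token must be kept as the raw JWT string, as noted above, because the OP compares it as-is when it receives it as id_token_hint.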
