oidc-client
Await Logout till endSession is complete in logout
Issue and Steps to Reproduce
In logout we have below steps
1. revoke access token
2. revoke refresh token
3. endsession (idtoken)
4. Either soft redirect / refresh the session or
5. redirect to oidc server logout url
As 4 or 5 are exclusive steps, I am expecting async logout to await till all promises resolve, including endSession. I am thinking to get the below case working.
Currently what is happening is that if I write window.location.href after the await of logout, the endSession request is cancelled. I need to redirect to logout to kill the session fully as per our oidc server. Screenshot attached below.
Versions
7.18.1
Screenshots
Expected
Await(revoke(AT), revoke(RT), endSession(idToken)).then (() => custom redirect);
Actual
Await(revoke(AT), revoke(RT)).then (() => custom redirect); and endSession(idToken) is cancelled
Additional Details
Please let me know if I am missing something
- Installed packages:
Hi @pgangwani ,
Thank you for your issue. I think it is due to the window.open. I have understood what to fix. I may do it tomorrow morning.
Thanks, I will be waiting
I forgot to tell you @pgangwani that version 7.18.3 should fix the bug :)
I will give it a test
@guillaume-chervet I tested the above. It is redirecting to the post_redirect_uri after logout but not to the oidc server logout page, as it is happening in https://black-rock-0dc6b0d03.1.azurestaticapps.net/. Is there a setting in oidc to go to the logged-out page? I actually wanted endSession to be called and then the await to be resolved so that I can manually redirect to the logout of the oidc server. Thoughts?
Hi @pgangwani, does your oidc server support endSessionEndpoint?
https://github.com/AxaFrance/oidc-client/blob/3a145799098bbc64f7619a217f9854795becc50b/packages/oidc-client/src/logout.ts#L131
Yes it does.
I need to understand what extra setting is required at the OIDC server level. How is your example app using duende redirecting to duende's logout with just a mention of post_redirect_uri: '/profile'?
Hi @pgangwani, some extras are defined as oidc standards and some others are specific to some oidc providers.
Do you still have some problem with logout?
provider
My problem was solved by my own hack of await logout();redirect(logoutUrl) but organically logging out like in your example. For which I raised this issue.
Hi, I am as well facing this issue in v7.22.8.
I have the oidcServerConfiguration.endSessionEndpoint configured. I could see the end-session endpoint in the Network tab. However, before it could finish, it is immediately calling the auth endpoint. As a result, the end-session endpoint is cancelled.
I tried to debug locally by adding some logs:
It seems like the window.location.href is called twice, end-session and auth endpoints.
Can you take a look at this issue?
Hi @pgangwani which browsers are you using?
I think I am starting to understand the issue. To understand well: you run logout from a secured part of your app, which automatically reruns a login?
Hi @guillaume-chervet, I am using Chrome v126.0.6478.116
Yes, I called the logout method from the useOidc hook in the secured part of my app. It redirected to the end-session endpoint. Before it could finish, it redirects to the auth endpoint, hence the end-session redirection is cancelled.
@suwarnoong @guillaume-chervet is any help required from me? I still see this as an issue.
@pgangwani yes, it is still an issue for me as well on latest (v7.22.9).
Could you share your own-hack for this?
Does it work with version 7.22.13? @pgangwani @suwarnoong
It is still the case for 7.22.13, the end-session gets cancelled before it could complete.
I am using pretty old version 6.10.9 which works well with end-session endpoint, but I have other issue with session expired event for multiple tabs, which is fixed in v7.15.4
Not sure if all these logs could help to trace something.
Here is a snapshot of what my code looks like
OidcApp.tsx
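import type { FC } from "react";
import { OidcProvider, useOidc } from "@axa-fr/react-oidc";
// oidcConfig, the Oidc* components, PublicApp and PrivateApp are defined elsewhere in the app.

export const OidcApp: FC = () => {
  return (
    <OidcProvider
      configuration={oidcConfig}
      authenticatingComponent={OidcAuthenticating}
      authenticatingErrorComponent={OidcError}
      callbackSuccessComponent={OidcCallbackSuccess}
      sessionLostComponent={OidcSessionLost}
      onEvent={(configuration: string, name: string, data: any) => {
        // Skip the periodic timer event, log everything else.
        if (name === "token_timer") return;
        console.log("onEvent", configuration, name, data);
      }}
    >
      <OidcAppInternal />
    </OidcProvider>
  );
};

const OidcAppInternal: FC = () => {
  const { isAuthenticated } = useOidc();
  // Unauthenticated users get the public app, everyone else the private one.
  if (!isAuthenticated) {
    return <PublicApp />;
  }
  return <PrivateApp />;
};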
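
The ordering discussed in this thread, as an added example (not code from oidc-client or from any commenter): revocations are awaited first, the end-session navigation is issued last, and a `loggingOut` flag keeps a secured route from starting a login that would cancel it. All names, endpoints and the injected `deps` transport are hypothetical; the query parameters follow OpenID Connect RP-Initiated Logout 1.0 and RFC 7009.

```javascript
// Added example; names, endpoints and the injected `deps` are hypothetical.
function buildEndSessionUrl(endSessionEndpoint, idToken, postLogoutRedirectUri) {
  const url = new URL(endSessionEndpoint);
  // Parameter names from OpenID Connect RP-Initiated Logout 1.0.
  url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}

function createSession(server, tokens, deps) {
  const state = { tokens, loggingOut: false };
  // RFC 7009 token revocation request (form-encoded body).
  const revoke = (token, hint) => deps.post(server.revocationEndpoint,
    new URLSearchParams({ token, token_type_hint: hint, client_id: server.clientId }).toString());
  return {
    // Called by a secured route on render. While a logout is in flight it must
    // not start a login: that second navigation would cancel the first.
    requireLogin() {
      if (state.tokens || state.loggingOut) return false;
      deps.navigate(server.authorizationEndpoint);
      return true;
    },
    async logout(postLogoutRedirectUri) {
      const { accessToken, refreshToken, idToken } = state.tokens;
      state.loggingOut = true; // set before the tokens are dropped
      state.tokens = null;
      // Background requests settle before the page starts unloading.
      await Promise.all([revoke(accessToken, "access_token"),
                         revoke(refreshToken, "refresh_token")]);
      // Exactly one top-level navigation, issued last.
      deps.navigate(buildEndSessionUrl(server.endSessionEndpoint, idToken, postLogoutRedirectUri));
    },
  };
}

// Constructed run with a fake transport; resolves to the ordered call log.
async function demo() {
  const calls = [];
  const deps = { post: async (url) => { calls.push("POST " + url); },
                 navigate: (url) => { calls.push("NAV " + url); } };
  const server = { clientId: "spa", authorizationEndpoint: "https://idp.example/connect/authorize",
    revocationEndpoint: "https://idp.example/connect/revocation",
    endSessionEndpoint: "https://idp.example/connect/endsession" };
  const session = createSession(server, { accessToken: "at", refreshToken: "rt", idToken: "ID.TOKEN" }, deps);
  const pending = session.logout("https://app.example/");
  const reLogin = session.requireLogin(); // secured route re-renders mid-logout
  await pending;
  return { calls, reLogin };
}
```

In a browser, `deps.post` would wrap `fetch` and `deps.navigate` would assign `window.location.href`.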