
Should ueberauth_auth0 implement the logout?

Open jorbs opened this issue 3 years ago • 5 comments

When I logout from my application, I can login back to it without going to the Auth0 authentication page. I fixed that by calling Auth0 logout endpoint manually (https://auth0.com/docs/api/authentication#logout).

Perhaps that's not a general use case, but it is reasonable to restart the authentication process with Auth0.

So I was wondering if the library could implement this action? I can work on a PR if that's the case.

jorbs, Jul 12 '21 20:07

Hi @jorbs :)

Thanks for opening this issue. Your point is valid.

We have a similar logic in our own system but also additional logic (clean up some session values, reset some other flags, etc.).

I'm not sure we want people logging out from one app to be logged out from all other apps automatically. And I'm thinking about our use-case where a logout has associated business logic. So if we wanted to provide this with the library, we would need to have it opt-in through some option as well as a way of providing some callback to be called before and after a logout to execute some app-specific business logic.

What do you think?

achedeuzot, Aug 12 '21 17:08

If it's not going to be added to the library in the future, could the readme or the example state that logout should be handled manually using Auth0's endpoint? Perhaps I should've checked the GitHub issues sooner, but I did spend quite some time Googling, wondering why my logout wasn't working.

ClarkAllen1556, Mar 07 '22 06:03

I'm not against adding it to the library 😄 OAuth2 flows aren't easy, and logout implies multiple levels of logout: application level (e.g. your Elixir app), Auth0 level, social sign-in provider (if you're using one).

So the thing to take into account with logout is that, depending on use-cases, an auto-logout at Auth0 might not be desired. This means the library should provide some kind of configuration to provide logout (or not).

I have multiple use-cases in mind:

You're using Auth0 as a Single Sign On solution

Let's say you login to your Auth0 account and get back to App1, you then switch to App2. You're now logged in on App1 and App2. You sign out of App1, but you still want to be logged in on App2. If we destroy the Auth0 session when you sign out of App1 automatically, you won't be able to refresh your session on App2 and will get logged out there too.

You're using social login through a Google Account

Let's say you login to Auth0 using a Google Account. You get asked by Google if you allow Auth0 to read some of your profile data. Your account on Auth0 gets created and you get redirected to MyApp, where you're logged in. You now want to logout: you logout from MyApp, and also logout from your Auth0 "session", but you're still connected to Google. So if you click on login again, you'll find yourself logged in on MyApp without being prompted for anything, as your social login session is still valid and will allow Auth0 to re-create a session for you and send you back to MyApp with a valid authentication. Depending on the use-case, this might not be what you're expecting.

What now?

In any case, OAuth2 flows aren't something trivial, and there are lots of options and use-cases, so taking a decision to log everyone out by default might not be what others expect or want.

I'm also not sure the documentation of ueberauth_auth0 should cover all caveats and subtleties of the OAuth2 protocol, but if you want, you can submit a pull request on the documentation and I'll be happy to merge it @ClarkAllen1556 😉

Cheers,

achedeuzot, Jun 25 '22 22:06

From a security standpoint I think killing your session with Auth0 is a must.

If I only clear the session in my app and then the user hits the login page again, they'll flow to Auth0, which will detect an active session and send them back to my app, where it will log them in again.

Is there a scenario where you can log a user out of your app locally, not kill the Auth0 session, but also not automatically log them back in just by visiting the login page?

It's definitely a tricky scenario; it would be nice if it was at least a configurable option.

bkilshaw, Nov 10 '22 16:11
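The three logout levels achedeuzot lists above (app, Auth0, social provider) and the silent re-login loop bkilshaw describes, as an added Phoenix controller example that is not part of ueberauth_auth0 or of any commenter's code; the `:auth0_logout_scope` setting, the `MyAppWeb` module and the `:return_to` key are assumptions, while the `/v2/logout` query parameters (`client_id`, `returnTo`, `federated`) are the ones Auth0 documents for its logout endpoint.

```elixir
# Hypothetical controller; the scope setting and module names are assumed.
defmodule MyAppWeb.AuthController do
  use MyAppWeb, :controller

  # :local     -> drop only this app's session. The Auth0 SSO session survives,
  #               so other apps stay logged in, but revisiting the login route
  #               silently re-authenticates the user (bkilshaw's scenario).
  # :auth0     -> also end the Auth0 session; the user must log in to Auth0 again.
  # :federated -> additionally ask Auth0 to sign the user out of the upstream
  #               identity provider (e.g. Google) behind the social login.
  @logout_scope Application.compile_env(:my_app, :auth0_logout_scope, :auth0)

  def logout(conn, _params) do
    # Application-level logout always happens first: app-specific cleanup
    # (flags, cached claims, ...) belongs here, before any redirect.
    conn = configure_session(conn, drop: true)

    case @logout_scope do
      :local ->
        redirect(conn, to: "/")

      scope when scope in [:auth0, :federated] ->
        redirect(conn, external: auth0_logout_url(scope == :federated))
    end
  end

  # Builds https://<domain>/v2/logout?client_id=...&returnTo=...[&federated]
  # returnTo must be listed under "Allowed Logout URLs" of the Auth0
  # application, otherwise Auth0 refuses the redirect.
  def auth0_logout_url(federated?) do
    # Assumed: reuse the domain/client_id from the strategy's OAuth config.
    oauth = Application.fetch_env!(:ueberauth, Ueberauth.Strategy.Auth0.OAuth)
    return_to = Application.fetch_env!(:my_app, :return_to)

    query =
      URI.encode_query(%{
        "client_id" => Keyword.fetch!(oauth, :client_id),
        "returnTo" => return_to
      })

    base = "https://#{Keyword.fetch!(oauth, :domain)}/v2/logout?#{query}"
    if federated?, do: base <> "&federated", else: base
  end
end
```

Wire `logout/2` to a route such as `delete "/logout"`, and note that Auth0 only honours `returnTo` for URLs whitelisted on the application, so a misconfigured value surfaces as an Auth0 error page rather than a silent local-only logout.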

Indeed, it's something we could add to the library, but it should be configurable, so if you don't want to destroy the whole auth session and only logout the user on one app, you can 😊

achedeuzot, Jun 10 '23 07:06