openid_client
Logout issues
Hi.
I'm not able to figure out how to sign out using this library. Revoke is not working for me, and after sending generateLogoutUrl() using an http.get request I'm able to call my API as if it never happened.
How can I clear tokens manually? What am I doing wrong?
Any news on this?
same here
Same here. Any updates?
I'm not able to log out either
It works for me:
urlLauncher(credential.generateLogoutUrl().toString())
any updates on how to log out?
somehow the 'state' needs to be cleared out, my guess
As mentioned by @hudsoncadan
After authorizing, you get an object of type Credential.
This object has a method generateLogoutUrl
that you can get from your preferred pkg to log out.
// Log in
credential = await authenticator!.authorize();
// Log out
final url = credential.generateLogoutUrl();
http.get(url!);
It is not sufficient to do an http get request of this url, but you should instead open it in the same browser as used for signing in so that any cookies or other persistent data are removed.
The examples in the example directory now use the logout functionality. So, have a look there.
@rbellens
The examples in the example directory now use the logout functionality. So, have a look there.
You mean this?
It is not really a logout operation. You do not call any oauth endpoints. If there is a logout endpoint available it should call it. You just 'forgot' the user data in your application.
I tested it with a provider that has only a revoke endpoint and calling it actually works - tokens are destroyed on the provider side. I am not like an OpenId expert but I am pretty sure that this way it makes more sense.
It's a long time ago, but I think I actually meant this one: https://github.com/appsup-dart/openid_client/blob/92a9a055c62c3b302d70a401ef872b5b9dba6f21/example/browser_example/web/main.dart#L35 It is only in the web example. However, you should be able to use the same principle in flutter. But you are right that removing the own storage is insufficient and it should be added in the flutter example as well.
@rbellens
authenticator.logout();
well, unless I do not know something, the flutter version of Authenticator does not have a logout method.
true, but you can call the required things directly from Credentials
@rbellens
It is not sufficient to do an http get request of this url, but you should instead open it in the same browser as used for signing in so that any cookies or other persistent data are removed.
Why would you need to remove the cookie? My understanding is that if you logout through the auth backend endpoint, the cookie becomes invalid, hence even if not removed from the original browser, it can't be used to verify that the user is logged in.
To my understanding, the logout url should be opened in a browser. This will open a webpage of the authorization server. Either it will logout the user immediately or first ask for consent. Anyway, to complete the process of logging out, the javascript on the page should be executed and redirects should be followed etc. Therefore, the url should be opened in a browser and it is not sufficient to do a get request on the url. You might be right on the cookies thing. I guess, it depends on how the openid authorization server implements things. But I think, the web page might need access to previously stored data, either cookies or local storage, if not to delete it, then at least to read it. So, I do believe, at least for some implementations, it might be required to use the same browser.
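The sign-out sequence discussed in this thread, as an added example that is not code from openid_client or from any commenter: it builds the end-session URL that has to be opened in the browser and, separately, the back-channel revocation request for providers that expose a revoke endpoint. `LogoutPlan`, `planLogout` and the idp.example endpoints are hypothetical, and a public client (identified by `client_id` only) is assumed.

```dart
// Added example; names are hypothetical, not openid_client's API.
class LogoutPlan {
  final Uri? browserUrl; // open in the browser that holds the IdP session
  final Uri? revocationUrl; // form-encoded POST target (RFC 7009)
  final Map<String, String> revocationBody;
  LogoutPlan(this.browserUrl, this.revocationUrl, this.revocationBody);
}

LogoutPlan planLogout({
  required Map<String, dynamic> metadata, // parsed discovery document
  required String clientId,
  required String idToken,
  String? refreshToken,
  Uri? postLogoutRedirectUri,
  String? state,
}) {
  Uri? browserUrl;
  final endSession = metadata['end_session_endpoint'] as String?;
  if (endSession != null) {
    final base = Uri.parse(endSession);
    browserUrl = base.replace(queryParameters: {
      ...base.queryParameters, // keep any query the provider already set
      'id_token_hint': idToken,
      if (postLogoutRedirectUri != null)
        'post_logout_redirect_uri': postLogoutRedirectUri.toString(),
      if (state != null) 'state': state,
    });
  }
  // Revocation is a back-channel call and needs no browser.
  final revocation = metadata['revocation_endpoint'] as String?;
  if (revocation == null || refreshToken == null) {
    return LogoutPlan(browserUrl, null, const {});
  }
  return LogoutPlan(browserUrl, Uri.parse(revocation), {
    'token': refreshToken,
    'token_type_hint': 'refresh_token',
    'client_id': clientId, // assumption: public client, no client secret
  });
}

void main() {
  // Constructed sample metadata and placeholder tokens.
  final plan = planLogout(
    metadata: {'end_session_endpoint': 'https://idp.example/logout',
               'revocation_endpoint': 'https://idp.example/revoke'},
    clientId: 'demo-client', idToken: 'ID_TOKEN_PLACEHOLDER',
    refreshToken: 'REFRESH_TOKEN_PLACEHOLDER', state: 'constructed-state');
  print('open in browser: ${plan.browserUrl}');
  print('POST ${plan.revocationUrl} ${plan.revocationBody}');
}
```

After both steps, delete the locally stored tokens so the app cannot reuse them.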
Is there any news?