
[Bug]: Google logout doesnt work

Open Yurosh1 opened this issue 2 years ago • 4 comments

Version

15,0,4

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

There is no error. I am logged in; I know I am because of the CheckAuthMultiple method: the Google config has isAuthenticated set to true. But when I call the logout method, nothing happens. I am not redirected, nor is there a refresh. I follow the sample closely and it still doesn't work. The AAD config and flow work fine. Google messes up the logout.

Steps to reproduce the behavior

No response

A clear and concise description of what you expected to happen.

I have two configs, one for Azure AD and another for Google, and I am unable to log out using this method:

this.authService.logoff(configId).subscribe(result => console.log(result));

Result is null.

Additional context

No response

Yurosh1 avatar Apr 24 '23 11:04 Yurosh1

Logging off doesn't work for me. @damienbod I call .logoff(), and subscribe to get a result. The result is null, and when I refresh the page, .checkAuth() still is giving me valid authentication. So it seems .logoff() might be doing nothing? (also using Google)

Using .logoffAndRevokeTokens() gives me this: image

cyraid avatar Jul 03 '23 15:07 cyraid

The Google identity provider does not support logout; can't fix this on the client.

Greetings Damien

damienbod avatar Jul 03 '23 16:07 damienbod

Oh okay! Thanks for the quick reply Damien.

cyraid avatar Jul 03 '23 17:07 cyraid

They do, however, have a revocation endpoint. So I guess you should distinguish between providers with and without revocation endpoints and then log off locally with .logoffLocal() to clear your storage.

With Google in particular, it seems that you only have to/shall revoke the refresh_token, since doing so will revoke the access token too (at least it fails for me when revoking access after refresh). This might be according to the protocol, but I'm not sure enough of the OIDC flow to say so.

In the same manner, you can distinguish between providers that actually supply an endSessionEndpoint and log off locally or at the server.

E.g.

if (config.authWellknownEndpoints?.revocationEndpoint) {
  // revoke
} else {
  // skip revoke
}

if (config.authWellknownEndpoints?.endSessionEndpoint) {
  // logoff against the server
} else {
  // logoff locally
}

origooo avatar Sep 11 '23 10:09 origooo
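A runnable sketch of the two checks above, added here as an example (not code from the thread or from angular-auth-oidc-client): it models the decision against a small stand-in interface that borrows OidcSecurityService's method names but is synchronous, and uses constructed Google-like and AAD-like configs with placeholder URLs.

```typescript
interface ProviderConfig {
  configId: string;
  authWellknownEndpoints?: { revocationEndpoint?: string; endSessionEndpoint?: string };
}
// Assumed stand-in for OidcSecurityService (synchronous here; the real calls are async).
interface LogoffClient {
  revokeRefreshToken(configId: string): void;
  logoff(configId: string): void;
  logoffLocal(configId: string): void;
}
type LogoffPlan = { revoke: "refresh_token" | "none"; logoff: "server" | "local" };
// Decide what the provider can do from its discovered well-known endpoints.
function planLogoff(config: ProviderConfig): LogoffPlan {
  const ep = config.authWellknownEndpoints;
  return {
    // Only the refresh token is revoked; as noted above, on Google that kills the access token too.
    revoke: ep?.revocationEndpoint ? "refresh_token" : "none",
    // Without an end_session_endpoint the provider cannot end the session; clear local state only.
    logoff: ep?.endSessionEndpoint ? "server" : "local",
  };
}
// Revoke first, while the tokens are still in storage, then end the session.
function runLogoff(client: LogoffClient, config: ProviderConfig): LogoffPlan {
  const plan = planLogoff(config);
  if (plan.revoke === "refresh_token") client.revokeRefreshToken(config.configId);
  if (plan.logoff === "server") client.logoff(config.configId);
  else client.logoffLocal(config.configId);
  return plan;
}
// Constructed sample configs with placeholder URLs: the Google-like one has
// only a revocation endpoint, the AAD-like one has both.
const googleLike: ProviderConfig = {
  configId: "google",
  authWellknownEndpoints: { revocationEndpoint: "https://idp.example/revoke" },
};
const aadLike: ProviderConfig = {
  configId: "aad",
  authWellknownEndpoints: { revocationEndpoint: "https://idp.example/revoke", endSessionEndpoint: "https://idp.example/logout" },
};
// Fake client that records its calls so the chosen path can be inspected.
function recordingClient(): LogoffClient & { calls: string[] } {
  const calls: string[] = [];
  return {
    calls,
    revokeRefreshToken: (id: string) => { calls.push(`revokeRefreshToken:${id}`); },
    logoff: (id: string) => { calls.push(`logoff:${id}`); },
    logoffLocal: (id: string) => { calls.push(`logoffLocal:${id}`); },
  };
}
```

For the Google-like config this yields revokeRefreshToken followed by logoffLocal, which is the path the thread suggests when there is no end session endpoint.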