auth0 does not require password after logout; logs back in without password - reactjs

I've been learning Auth0 for a React / React Native project. With two different apps now, including one from their site, I see the following behavior:
clear browser cache
login
enter password, now logged in
select logout
--> now logged out
select login
am NOT prompted for password again, just logged in without interaction.
It seems the session has been kept alive even though I logged out. I would expect that if I manually log out of an application, I must re-authorize with my password on the next login attempt.
As I said I've seen this twice now, once with my own project and once with the tutorial they provide at https://auth0.com/blog/react-tutorial-building-and-securing-your-first-app/ . Doesn't make any sense to me. Am I missing something?
Thanks ~~

This is the Seamless SSO behaviour explained here. This is now enabled by default on all tenants and it "seamlessly" logs the user in without showing any prompts if a session exists for the user in the Authorization server (Auth0 in this case). Previously you would get a prompt that said "Last time you logged in with ..." Clicking it would log you in without requiring a password.
If you are "logging out" and yet you can log back in again without needing to enter credentials, the most likely explanation is that you are actually not calling the https://YOUR_AUTH0_DOMAIN/v2/logout endpoint, which logs out the user by clearing their SSO cookie in Auth0. You can confirm this endpoint is called from the Network tab in your browser when you click to log out.
The Auth0 React quickstart by default does not call the logout endpoint; it only removes the tokens from browser storage. To clear the SSO cookie and log out from the IdP using Auth0.js, you need to call the logout function as well. Refer to the Auth0.js logout function here.
Hope that helps.

Related

Reset the login for another user with MS Graph accessed from the desktop

I am using MS Graph in a desktop application so I am hosting a web browser in a form for the user to do their initial login. This all works fine and I can fully use MS Graph.
The problem I have is if we need to use an account of a different user there does not seem to be a way to reset the login. If you try to login again with the hosted web browser it will go right through and allow the same user.
The only way to reset it for another user seems to be to go into IE and delete the history/cache. Then the login screen will ask a user to login again. It seems a bit extreme to reset the cache.
So is this the only way to do this or is there something I can change in the MS Graph API call to tell it to reset?
You can force re-authentication by adding prompt=login to the sign-in request:
Prompt (optional)
Indicates the type of user interaction that is required. The only valid values at this time are login, none, select_account, and consent.
prompt=login will force the user to enter their credentials on that request, negating single-sign on.
prompt=none is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform endpoint will return an error.
prompt=select_account sends the user to an account picker where all of the accounts remembered in the session will appear.
prompt=consent will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app.

How does single logout work with OKTA (IdP)-Shibboleth (SP)-App

OKTA-Shibboleth (Apache)-Nakisa (Tomcat)
SSO is working for logging in.
Now, I need to configure logout. So, when the user logs out from the app, the user needs to be redirected to the OKTA page with tiles.
But currently, the user is redirected to the app again.
It's sending the user to /logout?redirect=default.html, but that default.html is captured by an Apache rule and logs the user back in.
It looks like it needs to hit
https://xxxx/Shibboleth.sso/Logout. When I access this URL, it says logout is successfully done, although it's not going back to OKTA. Does that mean that in the app's logout setting, they need to redirect to this?
But how do I make the user go back to the IdP (i.e. OKTA) again?
This is what I assume will happen.
Logout button click > logout from Shibboleth > return to OKTA so the user can click other tiles.
Something to configure in shibboleth2.xml?
The documentation says I just need to configure the following, which is there by default.
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
But how does it redirect the user to OKTA (IdP) once the user's logout completes?
Is it configured in the IdP's metadata?
You can redirect the user after a local logout event anywhere you'd like, by passing a URL-encoded destination in the ?return= parameter, i.e. you should update your logout link to:
https://xxxx/Shibboleth.sso/Logout?return=https%3A%2F%2Fgoogle.com
in order to redirect folks to Google once logout has taken place.
Now, you only need an Okta URL to return folks to... so I think if your client's Okta tenant is "foobar.okta.com", redirecting them after local logout to the Okta login page shouldn't prompt them to login, since they will already have the Okta Session... so maybe try:
https://xxxx/Shibboleth.sso/Logout?return=https%3A%2F%2Ffoobar.okta.com%2Flogin
Of course, you'll need to test that... but it should work, and on the off chance that the user's Shibboleth SP session was active, and their Okta session invalidated through some other mechanism, that'll just return them to their regular Okta login page.
You can obviously redirect them to any endpoint with the return parameter, for example, whatever Okta's logout URL (if you wanted to kill their Okta session too).
The only logout that's configurable by metadata is SLO (single logout), i.e. if you wanted it to, Shibboleth can redirect the user to Okta after they complete the logout of the SP session, along with a specially crafted <LogoutRequest> assertion payload, which Okta would parse and act on in any number of ways, i.e. killing the user's Okta session, propagating Okta-initiated subsequent <LogoutRequest> assertions to other Service Providers, etc. In practice, this never really works, because such configurations are very difficult to get working between all of the relevant parties.

B2C Tenant Not Logging Out

We have a B2C custom policy for authentication but I am having trouble getting a consistent complete logout. The only way I have been able to get a complete logout of single sign on is to use the common endpoint:
https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri={our homepage}
Then when I login I see this
Then I click sign in and see this
but even this does not always work. Sometimes it does not redirect but just sits on the "you have been logged out" screen.
Using the logout endpoint given in our metadata endpoint does not work as expected. I see the sign-in screen (first image), but I cannot choose which account to log in with; I just click the button to sign in. I assume this means single sign-on logout has not worked.
https://login.microsoftonline.com/te/{tennant}/{b2c-policy}/oauth2/v2.0/logout?post_logout_redirect_uri={our homepage}
How can I either get the first one to work every time or the second one to logout completely?
EDIT: Sorry, I should have mentioned I am using node.js/javascript, but any URL-type solution will work also. Also, we are using B2C, so the application is registered on that tenant. There is no option for a logout URL on this page.
In order to logout the user from B2C, you need to redirect your user to the B2C logout endpoint, not to the common endpoint. This should look like:
https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1_sign_in&post_logout_redirect_uri={your homepage}
Be sure you redirect the browser to that endpoint and don't try to do a GET through a back channel; otherwise it will not do anything, as the single sign-in mechanism is based on browser cookies.
Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc#send-a-sign-out-request
If I understand you correctly, you are trying to configure single sign out? This can be done but requires configuration separate from the sign-on configuration.
In the Accounts Controller you need to add a SingleSignOut action.
    using System.Web;                       // HttpContext.GetOwinContext() extension (Microsoft.Owin.Host.SystemWeb)
    using System.Web.Mvc;
    using Microsoft.Owin.Security.Cookies;  // CookieAuthenticationDefaults

    public class AccountController : Controller
    {
        public ActionResult SingleSignOut(string redirectUri)
        {
            // Fall back to the local site root when no redirect target was supplied
            ViewBag.RedirectUri = redirectUri ?? "https://localhost:44308/";
            // Clear the application's own cookie session; the view then sends the browser on to RedirectUri
            HttpContext.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
            return View();
        }
    }
See this tutorial and the accompanying repository.
This reference is also helpful.

Skip logout prompt for IdentityServer4

I'm working on a project that has both a website and an app that use the same IdentityServer4 to authenticate users. On the website, when a user logs out, he gets a confirmation screen to ask whether he's sure he wants to log out.
The problem is that on the app, we can't show the logout prompt because, well, it's an app written in Xamarin and we can't redirect to the logout prompt page.
Is there a way to disable the logout prompt when the request comes from the app?
I had the same problem and I solved it. This was the first Google result, so I decided to put my answer here for others to see.
Solution: Inside the IdentityServer4 Quickstart project the logic is already there and ready to be configured for the user's needs.
Open SolutionName/Quickstart/Account/AccountOptions.cs
Set ShowLogoutPrompt to false
Set AutomaticRedirectAfterSignOut to true
I hope this will help, good luck.
The end session endpoint supports skipping confirmation if you pass a valid id_token_hint in the request.
The relevant spec is here: http://openid.net/specs/openid-connect-session-1_0.html#RPLogout
If a valid id_token is passed (i.e. the one you got when you signed in) then the OP should skip confirmation, do the sign out and then allow the user to be redirected to the post logout redirect URL (if supplied).

Logout issue with springboot and angularjs

I have an issue regarding logout. Once I am done with my logout, it is not prompting me again to enter the username and password. Why is that?
https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/oauth2-vanilla
https://github.com/sharmaritesh/spring-angularjs-oauth2-sample
Is it not the expected behaviour? If so, please suggest what to do when I want to do a complete logout, which means we have to delete refresh tokens as well, I guess. The reason for not asking for the username and password, in my perspective: its refresh token is valid, and once I click the login button it directly redirects me to the greeting page, generating a new access token with the help of the refresh token.
But I would like to do a complete logout, i.e. once the user clicks logout, the user should be able to enter his credentials to get a new refresh token and access token, irrespective of the old refresh token's expiration.
I really appreciate your help!
Thanks
Prince
I would suggest posting all of the relevant HTTP traffic flow between client (browser) and server, both the redirects and "back end" traffic.
So, basically take the approach of knowing little about the actual implementation of the client and server, and just focus on the OAuth2 authorization code flow; it's a protocol after all. Without this we'll be stabbing in the dark.
In terms of an answer, as a guess, the client application may be passing a cookie to the authorization server and you're just not seeing it. This is exactly what happened to me with Spring Boot and WSO2 IS 5.1.0.