Skip logout prompt for IdentityServer4 - identityserver4

I'm working on a project that has both a website and an app that use the same IdentityServer4 to authenticate users. On the website, when a user logs out, he gets a confirmation screen to ask whether he's sure he wants to log out.
The problem is that on the app, we can't show the logout prompt because, well, it's an app written in Xamarin and we can't redirect to the logout prompt page.
Is there a way to disable the logout prompt when the request comes from the app?

I had the same problem and I solved it. This was first google response so I decided to put my answer here for others to see.
Solution: Inside IdentityServer4 Quick start project logic is already there and ready to configure it for user needs.
Open SolutionName/Quickstart/Account/AccountOptions.cs
Set ShowLogoutPrompt to false
Set AutomaticRedirectAfterSignOut to true
I hope this will help, good luck.

The end session endpoint supports skipping confirmation if you pass a valid id_token_hint in the request.
The relevant spec is here: http://openid.net/specs/openid-connect-session-1_0.html#RPLogout
If a valid id_token is passed (i.e. the one you got when you signed in) then the OP should skip confirmation, do the sign out and then allow the user to be redirected to the post logout redirect URL (if supplied).

Related

Safaricom dashboard does not show all the test credentials

I am working on Safaricom Daraja API B2C but some of the required test credentials are not displayed in the Safaricom Dashboard.
As you can see above, the initiator name and security credentials are not provided yet they are needed in the B2C API call.
How do I get these credentials.
EDIT:
This question was asked before Safaricom upgraded to the new Daraja Dashboard. The problem has now been sorted
Apparently, for some unknown reason to us, Safaricom chose to hide the test credentials and if you need them, you have to write them an email at apisupport#safaricom.co.ke and request for the test credentials. You will get a response in less than an hour with shortcodes and initiators that you can use for test.
Source -> https://survtechnologies.co.ke/get-test-credentials-safaricom-m-pesa-daraja-api/
The test Credentials are on the simulator link, bottom right redirects to the link.
Please try this with the new mpesa portal2.0 - It is straight-forward

auth0 does not require password after logout; logs back in without password

I've been learning Auth0 for a React / React Native project. With two different apps now, including one from their site, I see the following behavior:
clear browser cache
login
enter password, now logged in
select logout
--> now logged out
select login
am NOT prompted for password again, just logged in without interaction.
It seems the session has been kept alive even though I logged out. I would expect that if I manually log out of an application, I must re-authorize with my password on the next login attempt.
As I said I've seen this twice now, once with my own project and once with the tutorial they provide at https://auth0.com/blog/react-tutorial-building-and-securing-your-first-app/ . Doesn't make any sense to me. Am I missing something?
Thanks ~~
This is the Seamless SSO behaviour explained here. This is now enabled by default on all tenants and it "seamlessly" logs the user in without showing any prompts if a session exists for the user in the Authorization server (Auth0 in this case). Previously you would get a prompt that said "Last time you logged in with ..." Clicking it would login you in without requiring a password.
If you are "Logging out" and yet you can log back in again without needing to enter credentials, the most likely explanation is that you are actually not calling the https://YOUR_AUTH0_DOMAIN/v2/logout endpoint which logs out the user by clearing their SSO cookie in Auth0. You can confirm this endpoint is called from Network tab in your browser when you click to logout.
The Auth0 React quickstart by default does not call the logout endpoint, it only removes the tokens from browser storage. To clear the SSO cookie and logout from IdP using Auth0.js you need to call the logout function as well. Refer to the Auth0.js logout function here.
Hope that helps.

B2C Tenant Not Logging Out

We have a B2C custom policy for authentication but I am having trouble getting a consistent complete logout. The only way I have been able to get a complete logout of single sign on is to use the common endpoint:
https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri={our homepage}
Then when I login I see this
Then I click sign in and see this
but even this does not always work. Sometimes it does not redirect but just sits on the "you have been logged out" screen.
Using the logout endpoint given in our metadata endpoint does not work as expected. I see the sign in screen (first image) but I cannot choose which account to login with I just click the button to sign in. I assume this means single sign on logout has not worked.
https://login.microsoftonline.com/te/{tennant}/{b2c-policy}/oauth2/v2.0/logout?post_logout_redirect_uri={our homepage}
How can I either get the first one to work every time or the second one to logout completely?
EDIT: Sorry I should have mentioned I am using node.js/javascript but any url type solution will work also. Also we are using B2C so the application is registered on that tenant. There is no option for a lotout url on this page.
In order to logout the user from B2C, you need to redirect your user to the B2C logout endpoint, not to the common endpoint. This should look like:
https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1_sign_in&post_logout_redirect_uri={your homepage}
Be sure you redirect the browser to that endpoint and don't try to do a GET through a back-channel, otherwise it will not do anything as the Single Sign-in mechanism is based on browser cookies.
Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc#send-a-sign-out-request
If I understand you correctly, you are trying to configure single sign out? This can be done but requires configuration separate from the sign-on configuration.
In the Accounts Controller you need to add a SingleSignOut action.
public ActionResult SingleSignOut(string redirectUri)
{
if (redirectUri == null)
ViewBag.RedirectUri = "https://localhost:44308/";
else
ViewBag.RedirectUri = redirectUri;
HttpContext.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
return View();
}
See this tutorial and the accompanying repository.
This reference is also helpful.

How to logout from Google Account using AngularJS

I'm writing an app that uses Google API to authenticate with G+ account in our app.
Currently the customer wants on logging out not only revoke access token for our application but also log out from Google Account used to authenticate.
The solution I've come with was:
/**
* Signs the user out.
*/
HeaderCtrl.prototype.signOut = function() {
// this part revokes token
$http.jsonp('https://accounts.google.com/o/oauth2/revoke?token=' +
accessToken, {
params: {
callback: 'JSON_CALLBACK',
format: 'json'
}
}).success( /* Do stuff on success */);
// this part logs out from google account
$http.jsonp('https://accounts.google.com/logout');
};
The second call works but logs an error on response processing:
Refused to execute script from 'https://accounts.google.com/logout' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
What ways to log out from Google account using AngularJS would you use?
you should not log out your users from Google, they certainly don't want it anyway. Thus, https://accounts.google.com/logout should never be reached.
What you actually want is to make them log out from your website. Revoking the token should be enough for Google authentication's side (your website won't assume the client is logged from to his old token)
Once signOut method is called, just consider he isn't logged any more and end the session in your website.
I think you are tring to do many things that are not related to a "normal logout" experience.
Maybe you should talk to your "customer" to clarify the user stories he/she wants.
A normal logout is one line of js (source) :
gapi.auth.signOut();
If I'm not wrong, what you are doing first in your code (ie revoking the access token), is something that provides an option to remove the association between the account on your app and the google account used for sign-in. As indicated on the link, you must provide this option to the user to follow the g+ developer policies but it's not the same as signing out. Maybe you should try, as a user, these two feature on a site providing a g+ sign-in, such as stack overflow. (Be sure to know your password before revoking the g+ association.)
And for the log out of Google, your app should not do it, and Google should not provide you a way to do it. (And I'd rather think that it's impossible.)
However you can kindly remind your user, after log out, that he/she may need to log out from Google too. Try to log out from stack overflow and look at what happens.

How to Remove immediate Google Plus Login with Gplus button render/

As per google doc:
When the google sign in button is loaded, it immediately checks to see if the user has authorized the application. This check is called "immediate mode" and if successful, the Google servers return an access token and pass a new authorization result object to the callback. If the button cannot make an immediate-mode authorization, the user must click the sign-in button to trigger the access flow.
My Google Plus signin button is part of header and on logout the home
page is loaded,It again renders google plus button resulting in
automatic login. User is never logged out due to this. How is it
possible to allow login when when G Plus button is clicked and not
when when the G Plus buttom reders itself?
The 'immediate' parameter did it for me, although it has the same affect as 'approvalprompt', prompts for consent. Facebook seems to handle these options a little better.
gapi.signin.render("splashGPlusReg", {
'callback': GPSignInCallback,
'clientid': '<yourclientId>',
'cookiepolicy': 'single_host_origin',
'immediate': false,
'requestvisibleactions': 'http://schemas.google.com/AddActivity',
'scope': '<scopes>'
});
You have two ways to Remove immediate Google Plus Login.
1- not a good approach: use data-approvalprompt="force" in your button. I wrote an example below:
<span id="signinButton" >
<span
class="g-signin g-link"
data-callback="signinCallback"
data-clientid="*****.apps.googleusercontent.com"
data-cookiepolicy="single_host_origin"
data-scope="https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/plus.profile.emails.read"
data-approvalprompt="force"
style= "cursor:pointer;">
Login With Google
</span>
</span>
It is not a good approach because if you add this, then Google ask a user to give one extra permission for offline access. So it may let user won't signup at all because of this permission.
2- better approach: just signout from Google after receiving response in your signincallback function. just add:
gapi.auth.signOut();
You should write this line after you received the response. It is better to keep it as a last line inside the request.execute(function(resp) function.
By adding this code, Google won't render the login unless someone click on the login button.This approach is recommended by Google too.
I found a way to do this, maybe it's exactly what you want too:
disable automatic authentication for Google+ social sign-in
It's not the cleanest fix, but you can try filtering on the status.method property of the authResult passed into the callback.
Filter any callbacks that are triggered with authResult.status.method set to AUTO, but process any that are null (logged in via single authorized Google account) or PROMPT (user chose one of several Google accounts).

Resources