Once the user logout he still see all list of accounts which were recently logged in. Is there any way to clear the list and cache completely. I am using .Net core razor pages
Below is the screen he sees after logout. So i want page to appear without any recently logged in account
This is happening because the session cookie of user information is still saved for your browser.As the Gaurav mentioned in the comment adding prompt=login in your login URL will always help in forcing the user to new login page without display of user information as it will clear the session cookie.
Related
I have implemented OAuth using GitHub on my web app, so when I log in using GitHub I get logged in successfully. I wanted to know how to implement logout so that I get logged out of the web app.
when the user visits www.localhost:3000/login and clicks login/signup with GitHub, the user gets redirected to the GitHub login page, user logs in with his/her GitHub account and gets redirected to localhost:3000/homepage,
I sent a cookie from the server side for session purposes and get a cookie from GitHub (don't know why).
when I clear cookies from localhost:3000 and visit localhost:3000/login and hit login with the GitHub button I get logged in with the previously signed-in user account automatically. However, when I clear all cookies from www.github.com and do the same, this time it prompts the user to log in with the git account again.
I have not used any external library like passport.js for OAuth and also I don't want to use any.
so how to implement this logout that logs out of the GitHub OAuth session?
What you want is "single log-out" whereby logging out from your application also logs out from GitHub. But the relevant specification has been finalized only in September 2022 and I could not find any mention of it at docs.github.com. Perhaps this is also not desired, since GitHub sessions are long-lasting: Revisiting github.com with the same browser after a few days does not require a re-logon.
But as an alternative to logging out from GitHub upon logout from your application, you could require a renewed consent upon re-login to your application. If you have already been logged in once to your application via GitHub and then visit
https://github.com/login/oauth/authorize?scope=user:email&client_id=...
you are re-logged in silently. But if you visit
https://github.com/login/oauth/authorize?scope=user:email&client_id=...&prompt=consent
instead, the GitHub consent screen re-appears. (The parameter prompt=consent is not documented on docs.github.com, but is explained here.)
Perhaps that is sufficient to satisfy your requirement.
I'm working on a react app where the pages can be used both by authenticated and anonymous users. The pages show more features for the authenticated users.
If a user previously has signed in and revists the website, I want the user to be automatically authenticated, and am struggling to achieve this.
I'm using redirect methods because I don't believe popup is working well on phones (is that assumption correct?).
I have tried storing the homeAccountId in local storage and use that to get the account used and then calling login in the msal instance. I also set up a addEventCallback and listen for EventType.LOGIN_SUCCESS which I use to set some internal state about the logged in user.
I have tried using MsalAuthenticationTemplate but strangely this doesn't invoke a login. I have also tried to detect if this is a "first run" and then invoking the login, but that doesn't work all the time. Sometime I get a SSO error indicating I should provide a login_hint or sid which is not possible because I use B2C.
If I don't do anything the user can click the login button and if the user has a valid cookie with B2C the user is logged in without providing credentials which is a strange behavior for the user because my website indicate the user is not authenticated (and show no logout button).
So I can't really get this to work and are wondering if somebody has a concept for achieving this?
Please checkout the msal-react samples which all demonstrate the behavior you're looking for. The MsalAuthenticationTemplate would be the recommended way to do this and if you're still having issues getting this to work after reviewing the samples I would recommend opening an issue on our repo with code snippets so we can take a closer look at what's going on.
Also using localStorage, if you're not already, would help to maintain application state between browser sessions. sessionStorage is the default.
As for B2C not asking for credentials; server state is separate from client state. You can be signed in on the server without the application knowing about it. Until your application makes a request to the B2C server your application will show that a user is not signed in. If a session already exists on the server when you make a login request, the server may redirect you back to your application without asking for credentials again.
I am using Microsoft authentication for user but I don't want to keep the user credentials to be saved in cookies so that it should ask every time performing a particular action in application.
I have created a simple web app with external authentication from Microsoft but when a user gets signed in it doesn't ask user for credentials from second time and redirect to RedirectUrl directly because user information is already there in Cookies. Normally this behavior looks fine but I have certain tasks in my Web App which needs authentication from External Source (Microsoft) every time these tasks get performed by user. I tried setting token lifetime in Azure but it says lifetime can not be lesser than 10 minutes.
Note: I can't call signout user because it is not a silent signout.
How can I achieve it?
You can set prompt=login parameter in the authentication request. Then the user should be prompted to re-authenticate even if the user has already been authenticated.
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-oauth-code#request-an-authorization-code
https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-js-prompt-behavior
I make users login to my chrome extension through my own OAuth2 API which uses google signin, through chrome.identity.launchWebAuthFlow with interactive set to true, and it works fine, user is prompted to sign in with google account, I get redirect url in my extension's background script, parse access token from it and everything is fine until I need to logout this user and make it possible to sign with other account.
When I try running chrome.identity.launchWebAuthFlow with interactive set to true again, nothing pops up, but redirect url is returned in background and access token is picked up for previously logged in user, so I'm unable to make my users switch account.
Is there any solution for this?
I haven't used chrome.identity.launchWebAuthFlow, but I think your question is similar to "How do I log out of a chrome.identity oauth provider".
Among the answers:
use launchWebAuthFlow with the logout url https://accounts.google.com/logout
revoking the token with https://accounts.google.com/o/oauth2/revoke?token=TOKEN
Adding &prompt=select_account into the url
As I said, I haven't used launchWebAuthFlow yet, but I wanted to help by showing you an already answered question
I have a ASP.NET MVC5 web app that uses Identity Framework 2.0 for user administration. On the authenticated side of our app, the users fill out a series of forms, and then are sent through a Docusign in-session powerform. (Docusign Embedded Signing, powerform, url) When the users are finished signing I have set-up callback url's for successful signature and declined to sign events. The successful signature callback is located in the area of my app that requires users to be authenticated, once they get redirected to my site though they are logged out, although they were logged in before they left. I have persistent logins set to true in my login and register action methods, as well as sliding expiration set up on my cookies. Fiddler indicates that when the users are called back from docusign the .AspNet.ApplicationCookie has a different value than before they left.
This only occurs the FIRST time the users are sent to docusign. If a user repeats the process for a second time they are already logged into my site when they get redirected by docusign and the cookie is unaltered.
I'll be closely monitoring this thread, if you have any questions or need clarification or code examples I will gladly provide.
Thank You Wiktor Zychla for pointing out cross-site scripting rules regarding domains and cookies.
The issue was with 30x redirects and set-cookie.
Safari has a bug - documented here
and SO has questions regarding it here
I was having Docusign redirect back into an authenticated area of my site, without the cookies the users were not authenticated therefor they were prompted to login. This did not occur any time there-after because the cookie was already set in place.
My solution was to redirect from external to a public landing page, which then redirected them to the intended authorized page. (since the cookies were set on the public page, they get passed to the authorized page, and the persisted login succeeds)
I also got tripped up with cookies and domains (I was redirecting to www.mysite.com instead of mysite.com)