ExpressOIDC - 'post_logout_redirect_uri' not being passed correctly during Logout #12

Open
2 of 5 tasks
CallSign-Filter opened this issue Aug 25, 2021 · 4 comments

Comments

@CallSign-Filter

I'm submitting this issue for the package(s):

  • jwt-verifier
  • oidc-middleware

I'm submitting a:

  • Bug report
  • Feature request
  • Other (Describe below)

Current behavior

When hitting the /logout endpoint, it is correctly routed through the oidc.router and sends me to my Okta page to sign me out of Okta. But then I am getting a collision. My Sign-out redirect URI is correctly set here:
[image]
But I am not catching my endpoint on my application (I am trying to clear some cookies and destroy the session).

app.get('/clearSession', function (req, res) {
	req.session.destroy(function(err){
		if(err){
			console.log('Could not clear session: ' + err);
			res.redirect('/profile')
		}else{
			console.log('Clearing Session and redirecting home');
			res.clearCookie('jwt');
			res.redirect('/')
		}
	});
})

You can see that I am sending the post_logout_redirect_uri parameter correctly here:
[image]

But in the call immediately after it, the post_logout_redirect_uri is changed to http://localhost:8080/
[image]

Which leads me to this page here:
[image]

Expected behavior

The redirect URI is the same in my Okta settings, what is sent in the /login query, and my endpoint, so it should call my endpoint on returning from signing out of Okta.

Minimal reproduction of the problem with instructions

Environment

  • Package Version: 4.2.0
  • Browser: Chrome
  • OS: Catalina
  • Node version (node -v): 14.15.1
  • Other:
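
Added example (not part of the original issue, and not code from oidc-middleware or Okta): a small Node.js check that extracts post_logout_redirect_uri from a logout request URL and compares it, by exact string match, with the sign-out redirect URIs registered for the client, so a mismatch like the one described above is reported with a reason. The helper name, the idp.example host, the PLACEHOLDER token and the registered URI are constructed assumptions.

```javascript
// Constructed sample data (assumptions, not values from the issue's screenshots).
const REGISTERED_SIGN_OUT_URIS = ['http://localhost:8080/clearSession'];
const FIRST_REQUEST = 'https://idp.example/v1/logout?id_token_hint=PLACEHOLDER' +
  '&post_logout_redirect_uri=' + encodeURIComponent('http://localhost:8080/clearSession');
const SECOND_REQUEST = 'https://idp.example/v1/logout?id_token_hint=PLACEHOLDER' +
  '&post_logout_redirect_uri=' + encodeURIComponent('http://localhost:8080/');

// Hypothetical helper: report whether the post_logout_redirect_uri carried by a
// logout request is one of the registered sign-out redirect URIs (exact match).
function checkLogoutRequest(logoutUrl, registeredUris) {
  let parsed;
  try {
    parsed = new URL(logoutUrl);
  } catch (err) {
    return { ok: false, reason: 'logout URL is not a valid absolute URL' };
  }
  const values = parsed.searchParams.getAll('post_logout_redirect_uri');
  if (values.length === 0) {
    return { ok: false, reason: 'post_logout_redirect_uri is missing' };
  }
  if (values.length > 1) {
    return { ok: false, reason: 'post_logout_redirect_uri appears more than once' };
  }
  const sent = values[0];
  if (registeredUris.includes(sent)) {
    return { ok: true, sent };
  }
  // Near miss: same origin as a registered URI but a different path.
  for (const registered of registeredUris) {
    try {
      const a = new URL(sent);
      const b = new URL(registered);
      if (a.origin === b.origin && a.pathname !== b.pathname) {
        return { ok: false, sent,
          reason: `origin matches ${registered} but path is ${a.pathname}, expected ${b.pathname}` };
      }
    } catch (err) {
      // Value is not an absolute URL; fall through to the generic reason.
    }
  }
  return { ok: false, sent, reason: 'no registered sign-out redirect URI matches' };
}

for (const url of [FIRST_REQUEST, SECOND_REQUEST]) {
  console.log(checkLogoutRequest(url, REGISTERED_SIGN_OUT_URIS));
}
```
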
@arvindkrishnakumar-okta

@aarongranick-okta @shuowu-okta Can you help take a look?

@CallSign-Filter
Author

Any chance someone could look at this? Sorry to be impatient, but trying to work around it is killing my logout flow. @aarongranick-okta @shuowu-okta

@shuowu-okta
Contributor

@froyoga

froyoga commented Sep 29, 2021

@CallSign-Filter I figured out a workaround that doesn't require adding another dependency. I'm using the Express 4.x handle function in the app.get() that I use to clear my local session to call the oidc-middleware /logout endpoint. This will achieve your objective of logging your user out of both your local session and also Okta.

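app.get('/clearSession', function (req, res, next) {
	// Destroy the local session and clear the app's 'jwt' cookie.
	req.session.destroy(function(err){
		if(err) {
			console.log('Could not clear session: ' + err);
			res.redirect('/profile')
		} else {
			console.log('Clearing Session and redirecting home');
			res.clearCookie('jwt');
			res.redirect('/');
		}
	});
	
	// Rewrite the request so the router dispatches it to the POST /logout route.
	req.url = "/logout";
	req.method = "POST";

	// `next` has to be declared in the handler signature to be passed on here.
	app._router.handle(req, res, next);
})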

Here's the source to where I got this answer from: https://stackoverflow.com/a/48820849/2644547

@denysoblohin-okta denysoblohin-okta transferred this issue from okta/okta-oidc-js Oct 29, 2021