How to properly signout from IDP server?
dszy579 opened this issue · 2 comments
I've configured single logout with auth.signoutRedirect(), triggered by a logout button in the UI.
Here is my configuration:
auth config:
// Assumed import: AuthProviderProps is the provider config type exported by react-oidc-context
import type { AuthProviderProps } from 'react-oidc-context'

export const oidcConfig: AuthProviderProps = {
  client_id: '...',
  authority: '...',
  redirect_uri: '...',
  // hand-written metadata: no discovery document is fetched from the authority
  metadata: {
    issuer: '...',
    authorization_endpoint: '...',
    token_endpoint: '...',
    end_session_endpoint: '/oauth2/logout',
    frontchannel_logout_supported: true,
    frontchannel_logout_session_supported: true,
  },
  automaticSilentRenew: false,
  // session monitoring needs a check_session_iframe entry in the metadata to do anything
  monitorSession: true,
  post_logout_redirect_uri: '...',
  // strip code/state from the URL once the sign-in callback has been processed
  onSigninCallback: () => {
    window.history.replaceState({}, document.title, window.location.pathname)
  },
}
logout implementation:
const onLogout = async () => {
  // sends the browser to end_session_endpoint; depending on the library version the
  // returned promise may stay pending until the page unloads, so do not rely on
  // anything after this await running
  await auth.signoutRedirect()
  // wipes all of sessionStorage, not only the oidc.user entry
  window.sessionStorage.clear()
}
When the user clicks the logout button, the web app triggers auth.signoutRedirect(), clears the session storage related to oidc:user, and is redirected to the IDP logout page, which shows that the user has successfully signed out.
But when the user tries to access the web app again, it seems like it wasn't completely logged out. I noticed that the web app still gets the authorization code params automatically in the browser, which then keeps the user logged in.
Any idea why this happened? How do I properly log the user out completely from both the app and the IDP?
Hello, did you use auth.removeUser() together with auth.signoutRedirect()?
Here is my implementation:
onClick={async () => {
  // drop the cached user from the RP-side store first
  await auth.removeUser();
  // then send the browser to end_session_endpoint with the id_token_hint,
  // so the IDP can identify and end its own session for this user
  await auth.signoutRedirect({ id_token_hint: auth.user?.id_token });
}}