nodeSolidServer/oidc-rp

Logout logs out from IDP, not from RP

RubenVerborgh opened this issue · 6 comments

When I call logout or logoutRequest, I will get logged out of the IDP I logged in with, but not out of the RP I logged in to.

@RubenVerborgh,

This issue manifests in what manner regarding pod interactions? Is there a workflow that demonstrates this problem?

Flow examples:

  1. Login and Logout -- basic authentication flow
  2. Login, Create something, assign an ACL, test ACL -- authorization flow
  3. Login and Logout and test ACL -- authorization flow across multiple webids.

Workflow:

  1. Log in to https://solid.community with an https://inrupt.net account
  2. Log out on https://solid.community

Expected result: you are logged out on https://solid.community (and possibly https://inrupt.net)

Actual result: you are logged out on https://inrupt.net but still logged in on the server side of https://solid.community

Cause: a POST request to https://inrupt.net/logout happens, but no request to https://solid.community

@RubenVerborgh /cc @kidehen: I'm not clear about your instructions and the expected result in #21 (comment)

I tried this test...

Local storage for https://cmsblakeley.solid.community then shows RP registration data for provider https://inrupt.net under key 'solid-auth-client'. There's also a session key in the RP data in local storage which holds valid session data including webId "https://cmsblakeley.inrupt.net/profile/card#me"

When I click the 'Log out' button on https://cmsblakeley.solid.community, I see two logout calls to https://inrupt.net/logout (I'm not sure why there are two), then a redirect to /goodbye.

After logging out, there are two cookies for https://cmsblakeley.solid.community, one connect.sid for domain .inrupt.net, one connect.sid for domain .solid.community (both expiring tomorrow). Local storage has been updated so the session key for provider https://inrupt.net is now null; so this session has been cleared. It looks like I've been logged out of https://inrupt.net.

After logout, I'm left at page https://cmsblakeley.solid.community/ (This is the public homepage ...). What should I be seeing at this point?

> I see two logout calls to inrupt.net/logout (I'm not sure why there are two)

Weird, I just have one.

It looks like I don't have any permissions for this repo... Could someone assign this issue to me?