outline/outline

Outline not invalidating login token on firefox

RichardLourens opened this issue · 5 comments

I have connected outline with our local ADFS service. I have set the outline "OIDC_LOGOUT_URI" parameter to point to our ADFS logout endpoint, which correctly invalidates the ADFS token. However, while using firefox, when I return to outline, the user is still logged in. If I go to my same outline instance with chrome and login + logout there as well, the login token is successfully deleted and both browsers have logged out the user correctly.

When looking at the cookie access token value, using the browser developer tools, I can see that it remains the exact same after logging out and back in on firefox. Which isn't the case on chrome.

To Reproduce
Steps to reproduce the behavior:

  1. login with ADFS on firefox
  2. logout with ADFS on firefox
  3. return to outline and notice the user is still logged in
  4. Login + logout with ADFS on chrome.
  5. The user is now correctly logged out of outline.

Expected behavior
Expect outline to remove the access token for the user when pressing the logout button on firefox.

Outline (please complete the following information):

  • Install: self hosted
  • Version: 0.75.2

Desktop (please complete the following information):

  • OS: Ubuntu 22.04
  • Firefox 123.0 (64-bit)
  • Chrome 120.0.6099.224

Hi RichardLourens,

This sounds like expected behavior – logging out on ADFS does not immediately cancel any associated Outline session (it can't, there is no webhook), but the session will be checked at a maximum of every 5 minutes. I think this is what you're seeing here.

Hi tommoor, thanks for the response. I forgot to add some information, my apologies. This behaviour is explicitly only seen on Firefox. When I logout using chrome, the user is correctly and instantly logged out, returning to outline sends me back to the outline login screen (which is what I expect to happen).

If it were as you state, I would expect the user to also still be logged in on chrome after pressing the logout button, which isn't the case.

Or am I misunderstanding something?

You did include this information about Firefox. As I stated before – logging out on ADFS will not immediately log you out on Outline in any browser. If it does so, it's just by coincidence – the session is checked when you load the app up to a maximum of once every 5 minutes, at which point you may become logged out.

closed by e0ae044