signOut: clear TokenManager and provide options for revoke and redirect #288

Merged: 1 commit merged on Dec 2, 2019

@aarongranick-okta aarongranick-okta commented Nov 19, 2019

  • Current behavior is preserved with default options

  • Passing a postLogoutRedirectUri will use post logout redirect flow

  • Automatically reads idToken from TokenManager

  • Can manually specify idToken for advanced/custom scenarios

  • If postLogoutRedirectUri is specified, redirect logic will happen even if idToken is not available

  • Clears TokenManager on signOut. All OIDC sdks have been doing this step before calling signOut. The server-side redirect method requires an idToken, so the TokenManager should not be cleared before calling signOut(). The call to tokenManager.clear() can be removed from the SDKs once they are using this version.
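
The ordering the description above depends on (read the idToken, then clear the token store, then pick a flow), as an added sketch that is not code from this pull request or from okta-auth-js. `planSignOut`, `makeTokenStore`, the endpoint URL and the no-token fallback are assumptions; `id_token_hint` and `post_logout_redirect_uri` are the standard OIDC logout parameters.

```javascript
// Sketch only: planSignOut, makeTokenStore and the plan objects are hypothetical
// names, not okta-auth-js internals.
function planSignOut(tokenStore, logoutEndpoint, options = {}) {
  const { postLogoutRedirectUri } = options;

  // 1. Capture the ID token BEFORE wiping storage. Clearing first would leave
  //    nothing to send as id_token_hint on the server-side redirect.
  const idToken = options.idToken || tokenStore.get('idToken') || null;

  // 2. Sign-out always clears locally stored tokens.
  tokenStore.clear();

  // 3. Default options: no redirect requested, so only close the session.
  if (!postLogoutRedirectUri) {
    return { action: 'closeSession' };
  }

  // 4. Redirect requested but no ID token available: redirect logic still runs.
  //    Assumption: close the session, then go straight to the app's own URI.
  if (!idToken) {
    return { action: 'closeSessionThenRedirect', url: postLogoutRedirectUri };
  }

  // 5. Full post-logout redirect flow through the server's logout endpoint.
  const url = new URL(logoutEndpoint);
  url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  return { action: 'redirect', url: url.toString() };
}

// Constructed in-memory stand-in for a token store (sample data only).
function makeTokenStore(initial) {
  const items = new Map(Object.entries(initial));
  return {
    get: (key) => items.get(key),
    clear: () => items.clear(),
    size: () => items.size,
  };
}
```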

@robertjd robertjd left a comment

No concerns over the way we're exposing the options to the developer. I do want us to make another pass at the README.

@robertjd robertjd left a comment

Final README comments, then LGTM 👍

README.md Outdated
* Will change the `window.location` to an Okta-hosted page before redirecting to a URI of your choice.
* No issue with 3rd-party cookies.
* Requires a `postLogoutRedirectUri` to be specified. This URI must be whitelisted in the Okta application's settings.
* Requires a valid `idToken`. If the `idToken` is invalid or session does not exist the redirect may end on a 400 error page from Okta. This error will be visible to the user and cannot be handled by the app.
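
Review bot: The last bullet says the flow requires a valid `idToken`, but the PR description states that when `postLogoutRedirectUri` is specified the redirect logic happens even if the idToken is not available, so the README should say what a caller gets when no token is stored. The same bullet also puts "idToken is invalid" and "session does not exist" under a single 400 outcome; listing each condition with its own result would tell app authors which cases they can check for before calling signOut, given that the error page cannot be handled by the app.
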
Contributor

Is this true? I thought only a non-whitelisted post_logout_redirect_uri gave errors

Contributor Author

Yeah, good catch. I see that an invalid session does not produce an error. I'll see if I can suss out any other error conditions.

Contributor Author

Documentation here lists some error conditions (including invalid id_token), I'll try to repro: https://developer.okta.com/docs/reference/api/oidc/#error-conditions

@aarongranick-okta changed the title from "signOut: clear TokenManager and provide options for redirect" to "signOut: clear TokenManager and provide options for revoke and redirect" on Nov 28, 2019