FusionAuth

logout questions

    dan
    last edited by dan 8 Mar 2020, 18:00 3 Aug 2020, 17:59

    I've got a question about logout.

    When logging in using the /oauth2/token route with the auth code grant, it seems the /api/logout route does not revoke the refresh token.

    Is this intended? Is the best way to log out in this case with the /oauth2/logout route? How does that know which user to log out? There's no user id or refresh token property in the body.

    --
    FusionAuth - Auth so modern you can download it.
    https://fusionauth.io

      dan
      last edited by dan 8 Mar 2020, 18:01 3 Aug 2020, 18:01

      Yes, this is intended. This logs the user out by killing their HTTP session. It is all handled with cookies.

      Revoking Refresh Tokens is considered a back channel logout which we don’t support in the OAuth portion of things. But you can use /api/logout if you want - it is just designed to remove cookies.

      https://fusionauth.io/docs/v1/tech/apis/login#logout-a-user

      The purpose of the /oauth2/logout is to remove the SSO session, and call each of your configured logout URLs per application.

      These logout URLs then would do whatever “logout” means for you. It may be removing your own HTTP session, or removing a refresh token for a particular application(s). Then the final step is to redirect to the final URL.

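The two logout paths dan describes, as an added example that is neither FusionAuth's code nor code from this thread: a small Python model in which /api/logout drops only the application's cookie-backed session, while /oauth2/logout ends the SSO session, calls each application's configured logout URL (which does whatever "logout" means for that app) and then redirects to the final URL. Application names, cookies, token values and the host are constructed; the post_logout_uri parameter name is taken from a later post in this thread, not from FusionAuth's documentation.

```python
# Added example (not FusionAuth's code): a model of the two logout paths this thread
# contrasts. Every name, cookie, token and URL below is constructed for illustration.
from urllib.parse import urlencode


class App:
    def __init__(self, name):
        self.name = name
        self.sessions = {}        # app cookie -> user id
        self.refresh_tokens = {}  # refresh token -> user id
        self.logout_calls = 0     # how often the SSO side hit this app's logout URL

    def login(self, cookie, user, refresh_token):
        self.sessions[cookie] = user
        self.refresh_tokens[refresh_token] = user

    def logout_url_handler(self, cookie):
        # What "logout" means for this app when its configured logout URL is called:
        # drop the HTTP session and revoke every refresh token issued to that user.
        self.logout_calls += 1
        user = self.sessions.pop(cookie, None)
        if user is not None:
            self.refresh_tokens = {t: u for t, u in self.refresh_tokens.items() if u != user}


class Sso:
    def __init__(self, apps):
        self.apps = apps
        self.sessions = set()  # active SSO cookies

    def authorize(self, sso_cookie):
        # sswami's observation: an active SSO session skips login and lands on consent.
        return "/consent" if sso_cookie in self.sessions else "/oauth2/login"

    def api_logout(self, app, app_cookie):
        # /api/logout: kills the app's cookie session; SSO session and refresh tokens survive.
        app.sessions.pop(app_cookie, None)

    def oauth2_logout(self, sso_cookie, app_cookies, post_logout_uri):
        # /oauth2/logout: end the SSO session, call every logout URL, redirect to the final URL.
        self.sessions.discard(sso_cookie)
        for app in self.apps:
            app.logout_url_handler(app_cookies.get(app.name))
        return post_logout_uri


def oauth2_logout_link(post_logout_uri):
    # Target of a "LOGOUT COMPLETELY" button; parameter name as written later in this thread.
    base = "https://auth.example.invalid/oauth2/logout?"  # constructed host
    return base + urlencode({"post_logout_uri": post_logout_uri})
```

Note that a refresh token issued to an app whose cookie session was already removed by /api/logout survives the later /oauth2/logout in this model, because the logout-URL handler can only find tokens through the cookie it receives. A handler that revokes by user id rather than by session cookie closes that gap.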
        sswami
        last edited by sswami 23 Aug 2020, 19:37

        @dan: "...call each of your configured logout URLs per application."

        • Do we have many logout URLs?

        As you suggested, /api/logout removes cookies; what should I do to remove the SSO session from the native app itself?

        Basically, from the Android app, when we call /api/logout, remove any locally saved state info and then redirect to the login page, the FusionAuth session is still active, so it just redirects back to the consent screen and therefore back to the application. This literally makes the user unable to switch accounts until the FusionAuth session is terminated.

        If /api/logout doesn't end the FusionAuth session, I am left with only one option (as far as I've understood):

        • Logout Action in the app.
        • Redirects to FusionAuth SSO Page
        • Redirects back to the Custom Consent Screen (as FA session is active)
        • I add a "LOGOUT COMPLETELY" button redirecting to /oauth2/logout page with post_logout_uri to /signin-back page (containing a single button "Sign In Again")
        • FA Logout Progress
        • Redirects to /signin-back
        • Signin Back Button action to APP
        • Finally APP opens, checks AuthState to be false
        • Authorize() redirects to /oauth2/login

        But I sincerely feel this is too much; am I mistaken somewhere? There must be some best practices, which I want to know.

        Thank you

          dan
          last edited by 24 Aug 2020, 13:44

          when we call /api/logout & remove any locally saved state info

          Can you try to send the user to /oauth2/logout directly? They'll be returned to the logout URL configured in the application. Will that not work?

            sswami
            last edited by 24 Aug 2020, 15:09

            Hello Dan!

            Aah! That should work, while still having the /signin-back button to take me to the app.

            Thanx

              bekeanloinse
              last edited by 12 Mar 2024, 07:54

              @dan said in logout questions:

              I've got a question about logout.
              When logging in using the /oauth2/token route with the auth code grant, it seems the /api/logout route does not revoke the refresh token.
              Is this intended? Is the best way to log out in this case with the /oauth2/logout route? How does that know which user to log out? There's no user id or refresh token property in the body.

              Regarding user identification during logout, the OAuth 2.0 specification doesn't define a standard logout endpoint. Logout processes are often application-specific, and the mechanism to identify the user being logged out might depend on the authentication framework or technology being used.
