Awkward OAuth logout in mobile app
-
Hi all,
We're trying to figure out a nice logout experience for our mobile app users and we're struggling a bit.
Where we're at
We've got a mobile app set up to auth users with FusionAuth + OAuth + JWTs. When the users log in we pop open the /oauth/authorize URL in an in-app browser, which closes/redirects back to the app after login. So far so good.
For logout we send a DELETE /api/jwt/refresh request to revoke the user's refresh token and clear tokens from the local keychain.
The problem
We also want to kill the user's FusionAuth SSO session on logout, but not all application sessions. The only way we've figured out how to do this is to set the app's OAuth "Logout behavior" to "Redirect only" and then open /oauth2/logout in our in-app-browser when the user logs out. The problem is that this results in the browser popping open and then immediately closing after the session is revoked. This will look unnecessary/confusing/broken to the user.
Questions
- Are we doing something really wrong, or is this a reasonable issue to be facing?
- Is there a way to revoke the SSO session with an API call, or is the GET request essential for clearing cookies?
- If the GET request is essential, is there a way we can get FusionAuth to show some sort of "Logout successful" message before redirecting so opening the browser doesn't feel pointless from a UX perspective?
Thanks!
-
Hi @elliotdickison, thanks for writing in!
I'll answer your questions one at a time here:
Are we doing something really wrong, or is this a reasonable issue to be facing?
- You aren't doing anything wrong. By default, FusionAuth logs out of all applications that are configured with SSO. There are some detailed guides on how this happens here and here.
Is there a way to revoke the SSO session with an API call, or is the GET request essential for clearing cookies?
- You can potentially configure the Logout URL in your code to only end the session for the one particular application, and not redirect to a global /endsession endpoint. There is no way to revoke the SSO session without the GET request, as we need to remove the cookies. I suppose we could provide an API to kill the session, but we don't have that. Please feel free to file an issue with this request.
If the GET request is essential, is there a way we can get FusionAuth to show some sort of "Logout successful" message before redirecting so opening the browser doesn't feel pointless from a UX perspective?
- We don't have a 'logout successful' message at this time, but my suggestion would be to do a redirect to a custom /logoutsuccessful view before closing the browser window.
I hope this helps, please let me know if there is anything else I can do!
-
I think you can modify the oauth2_logout.ftl template by creating a custom theme to achieve what you need.
The way logout from multiple apps works in FA is that the oauth2_logout template creates an iframe for each application with its logout URL, and at the same time it uses <meta http-equiv="Refresh" ... to redirect to a final logout page after a few seconds.
The above means that you can, e.g., stop the FusionAuth redirection by just removing the meta http-equiv tag and display a logout successful message instead. You can also change/disable logging out from other applications by not creating the iframes in this template.
I suppose you'd only need such customizations if you're logging out from your mobile application, so you could possibly detect in the template which application you are logging out of, e.g. like: [#if application?? && application.name?? && application.name == "myappname"] and change the default behaviour then.
I've not tested this, so it might be that it won't be doable due to some issues, but it seems to me it can work.
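To make that branch concrete, here is an illustrative sketch of a customized logout template, added here and not taken from FusionAuth's shipped oauth2_logout.ftl. The application?.name check is the one quoted in the post; the applications list, the redirectURL variable and the logoutURL property are assumed names for whatever the real template exposes, so check them against your theme's template before use.

```freemarker
[#ftl/]
[#-- Added illustration, not FusionAuth's shipped template. --]
[#-- Assumed variables: application (the app being logged out of, as in the post above),
     applications (assumed: other SSO applications), redirectURL (assumed: final redirect target). --]
[#assign mobileOnly = application?? && application.name?? && application.name == "myappname"]
<!DOCTYPE html>
<html>
<head>
  <title>Logged out</title>
  [#if !mobileOnly]
    [#-- Default-style behaviour: bounce to the final logout page after a couple of seconds. --]
    <meta http-equiv="Refresh" content="2;URL=${redirectURL}"/>
  [/#if]
</head>
<body>
  [#if mobileOnly]
    [#-- Mobile app: end only this session, show a confirmation, and leave other apps alone. --]
    <h1>You have been logged out successfully.</h1>
    <p>You can close this window and return to the app.</p>
  [#else]
    [#-- Web SSO: log out of every other application by loading its logout URL in a hidden iframe
         (oauthConfiguration.logoutURL is an assumed property name). --]
    [#list applications as app]
      <iframe src="${app.oauthConfiguration.logoutURL}" style="display:none" title="logout ${app.name}"></iframe>
    [/#list]
    <p>Logging you out of all applications...</p>
  [/#if]
</body>
</html>
```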
-
@maciej-wisniowski We ended up going with your solution and it's working alright, thanks for that!
@robotdan One suggestion for you all: I found the naming of the "AllApplications" value for the application.oauthConfiguration.logoutBehavior setting a bit confusing. As far as I can tell, all the "AllApplications" value really means is "show the OAuth2 logout page". That page can be used to log out of all apps (that's the default template behavior), but it doesn't have to be used that way. Per the suggestion from @maciej-wisniowski we are using the page to log the user out of only one app and show a "successfully logged out" message. Maybe to avoid a breaking API change the value "OneApplication" could be added in addition to "AllApplications" and "RedirectOnly". That value could use the same OAuth 2 logout template but maybe set a variable that could be used to conditionally turn off the logout-of-all-apps behavior. Just a thought.
-
@elliotdickison said in Awkward OAuth logout in mobile app:
@maciej-wisniowski We ended up going with your solution and it's working alright, thanks for that!
@robotdan One suggestion for you all: I found the naming of the "AllApplications" value for the application.oauthConfiguration.logoutBehavior setting a bit confusing. As far as I can tell, all the "AllApplications" value really means is "show the OAuth2 logout page". That page can be used to log out of all apps (that's the default template behavior), but it doesn't have to be used that way. Per the suggestion from @maciej-wisniowski we are using the page to log the user out of only one app and show a "successfully logged out" message. Maybe to avoid a breaking API change the value "OneApplication" could be added in addition to "AllApplications" and "RedirectOnly". That value could use the same OAuth 2 logout template but maybe set a variable that could be used to conditionally turn off the logout-of-all-apps behavior. Just a thought.
Thanks for the suggestion @elliotdickison - please do open a GH issue with this suggestion and how you'd like the logout to behave in your use case.