Description
Hi,
I am not sure if this should be considered a bug, or if it is maybe a misunderstanding. I have been using this library with Auth0 for years without problem, but since last week at least I detected a problem with the logout.
I am not sure but it seems that Auth0 has started returning end_session_endpoint on openid-configuration, this is important because until now we have been using this as:
export const authConfig: AuthConfig = {
[...]
// Logout URL, we have to log out from IdP (Identity Provider) also to remove cookies and so on
// https://auth0.com/docs/api/authentication?javascript#logout
logoutUrl: `https://${environment.AUTH_DOMAIN}/v2/logout?client_id=${environment.AUTH_CLIENT_ID}&returnTo=${returnTo}`,
[...]
}
But if I am not wrong, if end_session_endpoint is provided by the openid-configuration it replaces the configured logoutUrl (see https://github.com/manfredsteyer/angular-oauth2-oidc/blob/master/projects/lib/src/oauth-service.ts#L558), causing the logout() method to redirect to that URL instead of the configured one.
As far as I have seen the key difference is:
- /v2/logout: The one in my config, is specific to Auth0 and is intended to work with the cookie based session
- /oidc/logout: The one that came from openid-configuration, is OIDC conformant and needs an id_token, sid or similar.
So, adding postLogoutRedirectUri could solve the issue:
export const authConfig: AuthConfig = {
[...]
postLogoutRedirectUri: returnTo,
[...]
}
But in my use case when a user has an expired password, the login is denied via an Auth0 Action. This causes:
- No id_token provided to the client, only a redirect with an error message
- An active cookie on Auth0, because the user entered a valid password
This Auth0 cookie prevents the user from entering the Auth0 login window, where the reset password is, and sends them to the error page once again.
So maybe the problem is Auth0, for now I have done the following in order to emulate what the library, I think, should do:
-this.oauthService.logOut();
+localStorage.removeItem('PKCE_verifier');
+localStorage.removeItem('access_token');
+localStorage.removeItem('access_token_stored_at');
+localStorage.removeItem('expires_at');
+localStorage.removeItem('granted_scopes');
+localStorage.removeItem('id_token');
+localStorage.removeItem('id_token_claims_obj');
+localStorage.removeItem('id_token_expires_at');
+localStorage.removeItem('id_token_stored_at');
+localStorage.removeItem('refresh_token');
+localStorage.removeItem('session_state');
+const params: HttpParams = new HttpParams({
+ fromObject: {
+ client_id: this.oauthService.clientId,
+ returnTo: this.oauthService.postLogoutRedirectUri
+ }
+});
+location.replace(`https://${environment.AUTH_DOMAIN}/v2/logout?${params.toString()}`);
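Review bot: the eleven `localStorage.removeItem` calls hard-code the library's internal storage keys, which can drift between releases and bypass whatever OAuthStorage the app has configured; `this.oauthService.logOut(true)` (the boolean argument suppresses the redirect to the discovered end_session_endpoint) clears the stored tokens through the library's own storage and can then be followed by the same `location.replace(...)` to `/v2/logout`. The `returnTo` value sent there still has to be listed in the tenant's Allowed Logout URLs, otherwise Auth0 rejects the redirect as described in the last reproduction step.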
To Reproduce
Steps to reproduce the behavior:
- Create an Auth0 tenant
- Add an action like
exports.onExecutePostLogin = async (event, api) => {
api.access.deny(`Your password too old`);
}
- With your Angular application, login, and you will be redirected to the error page on your application
- On that error page, try to execute logout(), it will cause an error on Auth0 or say that the URL is not in the "Allowed logout URL"
Desktop (please complete the following information):
- OS: Any
- Browser: At least Chrome, but I would say any
- Version: 19.0.0
If there is anything else I can help, just let me know, thanks!
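The URL precedence described in this issue (a discovered end_session_endpoint wins over the configured logoutUrl, and the OIDC endpoint needs an id_token) as an added TypeScript example; it is not code from angular-oauth2-oidc or from the issue author. It goes one step beyond the library's behaviour described above by falling back to the IdP-specific logout URL when no id_token exists (the denied-login case), and it checks the post-logout redirect target against an allow-list before building any URL, mirroring the IdP-side "Allowed Logout URLs" check. All type and function names (DiscoveryDocument, LogoutConfig, SessionState, planLogout) and the tenant, client id and URLs are hypothetical placeholders.

```typescript
// Added example, not code from angular-oauth2-oidc or from the issue author.
// Models the logout-URL precedence the issue describes (a discovered
// end_session_endpoint wins over a configured logoutUrl) and adds a fallback:
// when no id_token exists because the IdP denied the login, the OIDC endpoint
// cannot identify the session, so the IdP-specific logout URL is used instead.
// Names (DiscoveryDocument, LogoutConfig, planLogout, ...) are hypothetical.

interface DiscoveryDocument {
  // Same field name as in an OpenID Connect discovery document.
  end_session_endpoint?: string;
}

interface LogoutConfig {
  clientId: string;
  logoutUrl?: string;            // IdP-specific logout, e.g. Auth0's /v2/logout
  postLogoutRedirectUri: string; // where the user lands after logout
  allowedLogoutUris: string[];   // mirrors the IdP's "Allowed Logout URLs" allow-list
}

interface SessionState {
  idToken?: string;              // undefined when the IdP denied the login
}

type LogoutPlan =
  | { kind: 'oidc'; url: string }           // RP-initiated logout via end_session_endpoint
  | { kind: 'idp'; url: string }            // vendor-specific logout URL
  | { kind: 'local-only'; reason: string }; // clear local state, no redirect

// Exact-match allow-list check: the redirect target is attacker-influenceable
// input, so it is compared against a fixed list before any URL is built.
function isAllowedRedirect(uri: string, allowList: string[]): boolean {
  return allowList.includes(uri);
}

function planLogout(discovery: DiscoveryDocument, config: LogoutConfig, session: SessionState): LogoutPlan {
  if (!isAllowedRedirect(config.postLogoutRedirectUri, config.allowedLogoutUris)) {
    return { kind: 'local-only', reason: 'post-logout redirect URI is not allow-listed' };
  }

  // Discovered endpoint takes precedence, but it needs id_token_hint to identify the session.
  if (discovery.end_session_endpoint && session.idToken) {
    const url = new URL(discovery.end_session_endpoint);
    url.searchParams.set('id_token_hint', session.idToken);
    url.searchParams.set('post_logout_redirect_uri', config.postLogoutRedirectUri);
    return { kind: 'oidc', url: url.toString() };
  }

  // No usable id_token (login denied) or no discovered endpoint: use the IdP-specific
  // URL, which relies on the IdP's own cookie session rather than on a token.
  if (config.logoutUrl) {
    const url = new URL(config.logoutUrl);
    url.searchParams.set('client_id', config.clientId);
    url.searchParams.set('returnTo', config.postLogoutRedirectUri);
    return { kind: 'idp', url: url.toString() };
  }

  return { kind: 'local-only', reason: 'no logout endpoint available' };
}

// Constructed sample inputs (placeholder tenant, client id and URLs, not real values).
const sampleDiscovery: DiscoveryDocument = {
  end_session_endpoint: 'https://example-tenant.auth0.com/oidc/logout',
};
const sampleConfig: LogoutConfig = {
  clientId: 'CLIENT_ID_PLACEHOLDER',
  logoutUrl: 'https://example-tenant.auth0.com/v2/logout',
  postLogoutRedirectUri: 'https://app.example/logged-out',
  allowedLogoutUris: ['https://app.example/logged-out'],
};

// Normal session: OIDC endpoint with id_token_hint.
const withToken = planLogout(sampleDiscovery, sampleConfig, { idToken: 'ID_TOKEN_PLACEHOLDER' });
// Login denied by an Action: no id_token, so the plan falls back to /v2/logout.
const denied = planLogout(sampleDiscovery, sampleConfig, {});
console.log(withToken.kind, denied.kind);
```

The allow-list check runs first so that neither branch can ever redirect to a target the application did not register; the IdP performs the same check on its side, which is why the "Allowed logout URL" error in the reproduction steps appears when the two lists disagree.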