logout button under authorize popup is not clearing cookies session

[arunsethu88]

Q&A (please complete the following information)

• OS: Windows
• Browser: All browsers
• Version: all versions
• Method of installation: through Java Spring boot Maven
• Swagger-UI version: https://mvnrepository.com/artifact/io.springfox/springfox-swagger-ui/3.0.0
• Swagger/OpenAPI version: Swagger 2.0, OpenAPI 3.0

Content & configuration

Swagger Configuration Java Code:

    @Bean
	    public OpenAPI customOpenAPI() {
	    	final String securitySchemeName = "Basic Auth";

	    	return new OpenAPI()
	    			.addSecurityItem(new SecurityRequirement().addList(securitySchemeName))
	    			.components(
	    					new Components()
	    					.addSecuritySchemes(securitySchemeName,
	    							new SecurityScheme()
	    							.name(securitySchemeName)
	    							.type(SecurityScheme.Type.HTTP)
	    							.scheme("Basic")
	    							.in(SecurityScheme.In.HEADER)
	    							)
	    					)
	    			.info(new Info()
	    					.title(name)
	    					.description(description)
	    					.termsOfService("")
	    					.version(version)
	    					.license(new License()
	    							.name("Apache 2.0")
	    							.url("http://www.apache.org/licenses/LICENSE-2.0.html"))
	    					.contact(new io.swagger.v3.oas.models.info.Contact()
	    							.email("abc@xxxxx.com")));
	    }

Maven :

<dependency>
            <groupId>io.springfox</groupId>
            <artifactId>springfox-oas</artifactId>
            <version>3.0.0</version>
        </dependency>
        <dependency>
            <groupId>io.springfox</groupId>
            <artifactId>springfox-swagger-ui</artifactId>
            <version>3.0.0</version>
        </dependency> 

Describe the bug you're encountering

Logout button doesn't clear browser cookies session

To reproduce...

Steps to reproduce the behavior:

1. Open Swagger Docs page.
2. Click on "Authorize" button.
3. Enter Username and password for basic auth.
4. Click "Authorize"
5. Getting proper expected output for given authentication credentials.
6. To logout, it should clear browser session cookies.
7. But it is not clearing browser cookies after click logout.
8. Because of not clearing browser cookies, it is using old credentials for all REST API call.

Expected behavior

When I click logout, it should clear session in browser.

[dane-ls88]

@arunsethu88
Hi, the same situation here? Did you get a solution until now?

[imrangthub]

Same here, any solution ?

[dwadghane]

same issue in asp.net core as well.

[AmilkarDev]

same issue here , any news ?

[imrangthub]

Found a solution...!

Check out the link

https://stackoverflow.com/questions/71866266/swagger-ui-spring-security-and-oauth2-project-logout-button-doesnt-clean-sessio

[mathis-m]

Or do it via the plugin api:

const MyLogoutPlugin = () => ({
  statePlugins: {
    auth: {
      wrapActions: {
        logout: (internalLogoutAction) => (keys) => {
          // here, you can run the logout request.
          console.log("Logout from following securities:", keys)
          return internalLogoutAction(keys) // don't forget! otherwise, Swagger UI won't logout
        }
      }
    }
  }
})

[RichardWilburn]

Curiously I found that I had to use window.location = url in order to clear the cache for using Azure b2c. I couldn't use a javascript style request such as xmlHttpRequest unfortunately (only tested this with chrome); but its close enough to solving things for me when combined with the swagger UI plugin described above. Perhaps that is specific to Azure AD as an issue.

[unopcpavilion]

@mathis-m could you please provide a example how can I get access token in plugin context to send logout request. I use OAuth2 implicit flow for authorization

[mathis-m]

@unopcpavilion you could overwrite the logout reducer. There you get the state in and you can find the original code here: https://github.com/swagger-api/swagger-ui/blob/master/src/core/plugins/auth/reducers.js#L60

As you can see there the authorized prop of the state is accessed it should contain all information like access key. Just try to log to console.

For the plugin find here an example on how to add a reducer: https://swagger.io/docs/open-source-tools/swagger-ui/customization/plugin-api/

[damilpanchal]

Hi all, Are there any updates on this issue?
I am trying to plugin the solution that @mathis-m proposed but no luck. I am using Swashbuckle.AspNetCore.SwaggerUI v6.4.0 and the only option that I see is SwaggerUIOptions.InjectJavascript. I tried adding the plugin as a .js file however it does not do the intended.

@mathis-m Do you have an example of how this can be achieved in Swashbuckle.SwaggerUI?

Any help is appreciated. thanks

[mathis-m]

Hi all, Are there any updates on this issue?

I am trying to plugin the solution that @mathis-m proposed but no luck. I am using Swashbuckle.AspNetCore.SwaggerUI v6.4.0 and the only option that I see is SwaggerUIOptions.InjectJavascript. I tried adding the plugin as a .js file however it does not do the intended.

@mathis-m Do you have an example of how this can be achieved in Swashbuckle.SwaggerUI?

Any help is appreciated. thanks

Probably you want to provide your own index HTML file and add the plug-in there like described in the docs.

To do so see: https://github.com/domaindrivendev/Swashbuckle.AspNetCore#customize-indexhtml