
Comments (6)

SteelPangolin avatar SteelPangolin commented on August 15, 2024

Good question.

Assuming a cooperative browser, yes. This would be appropriate for a logout link. Note that because of the way OpenID works, the user will simply be logged back in next time they visit the site, unless they log out of the IdP as well (see the "single sign-out problem").

If this isn't desired behavior, you can force the user to go through the IdP again:

  • Modify the cookie validation code to always check for stored credentials under that sub (OpenID subject).
  • Delete a user's credentials from the credentials store when they log out.

Assuming a hostile/defective browser or stolen cookie, that alone won't do it, because a browser or other user agent could ignore cookie expiration and retain the cookie. It'll eventually stop working when the signed expiration time passes, but can be used until then. So we'd need to implement something suitable for a "log me out everywhere" scenario.

Some possibilities to deal with this:

  • Store a counter in the token cookie and in the credential store. Always check the cookie's counter value when validating the cookie. When a user logs out, increment the stored counter. Now cookies generated before the logout are invalid.
  • Every time a new cookie is generated, also generate a unique ID. Store it in the cookie and in the credential store. Always check the cookie's unique ID when validating the cookie. When a user logs out, delete all the stored unique IDs. Now cookies generated before the logout are invalid. This is similar to the counter approach.
    • The user may also selectively invalidate cookies by unique ID if you provide an interface for it. Each unique ID could be stored alongside a browser fingerprint, geolocation, etc. so that the user can see where they're logged in. For an example, see Google's Devices & Activity page.

from flask-oidc.
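Added example (not from this thread and not flask-oidc code) of the "unique ID per cookie" scheme described above: every cookie is HMAC-signed and carries a session ID that is also recorded server-side, so validation rejects a cookie once its ID is gone from the store, even if a hostile client keeps the cookie past its expiry. The counter variant is the same check with one integer per subject instead of a set of IDs. The secret key, the in-memory `sessions` dict and the cookie layout are assumptions for illustration; a real deployment would keep the store in a database or cache shared by all app instances.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumptions for this example: a static HMAC key and an in-memory store.
SECRET_KEY = b"replace-with-a-random-32-byte-key"
MAX_AGE = 3600  # seconds a cookie is valid once issued

# sub (OpenID subject) -> {sid: {"created": epoch, "ua": user-agent string}}
# This is the "credential store" side of the scheme; it is what makes
# "log me out everywhere" possible.
sessions = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())


def issue_cookie(sub: str, user_agent: str = "", now: Optional[float] = None) -> str:
    """Mint a cookie for `sub` and record its unique session ID server-side."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(16)
    sessions.setdefault(sub, {})[sid] = {"created": now, "ua": user_agent}
    payload = json.dumps({"sub": sub, "sid": sid, "exp": now + MAX_AGE}).encode()
    return f"{_b64(payload)}.{_sign(payload)}"


def validate_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the cookie is genuine, unexpired and not revoked, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.split(".", 1)
        payload = _unb64(body)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None  # forged or tampered
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None  # signed expiry has passed
    # Signature and expiry alone are not enough against a client that ignores
    # cookie expiration: the session ID must still exist in the store.
    if claims["sid"] not in sessions.get(claims["sub"], {}):
        return None
    return claims["sub"]


def logout_everywhere(sub: str) -> int:
    """Revoke every session for `sub`; returns how many were dropped."""
    return len(sessions.pop(sub, {}))


def logout_session(sub: str, sid: str) -> bool:
    """Revoke one session, as a 'sign out this device' button would."""
    return sessions.get(sub, {}).pop(sid, None) is not None


def list_sessions(sub: str) -> dict:
    """What a 'where am I logged in' page would show (sid -> metadata)."""
    return dict(sessions.get(sub, {}))
```

The user-initiated logout in the thread (expiring the cookie) should still be done in addition to this; the store check is what covers the stolen-cookie case.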

RangeVsRange avatar RangeVsRange commented on August 15, 2024

Note that because of the way OpenID works, the user will simply be logged back in next time they visit the site

This is a problem with @check. It's okay for some views. However, in my application, I have some views that I want to be available either authenticated or anonymously. If the user is logged in, I want to show them additional information - at the very least an 'account' menu that includes their name. If the user is not logged in, I don't want to annoy them by sending them to Google, just to view this page.

As a developer, the use case for me here is that someone who is logged in and viewing an authenticated page can 'share' the page via Facebook etc., and then anyone who clicks through from Facebook etc. gets the smoothest possible user experience.

Anyway, back to the original question: I was referring to user-initiated logout, not app-initiated logout / premature session expiry. It's a simpler problem, I think. What I'm doing at the moment, and I think you said this approximately correctly, is:

from flask import redirect, url_for

def logout():
    # Expire the ID-token cookie so a cooperating browser drops it, then go home
    response = redirect(url_for('home_page'))
    response.set_cookie(OIDC.id_token_cookie_name, expires=0)
    return response

For completeness, here's my is_authenticated method, which I'm using in some places instead of @check:

from flask import request

def is_authenticated():
    """
    Is the user authenticated with OpenID Connect?
    """
    if request.cookies.get(OIDC.id_token_cookie_name, None) is None:
        # Otherwise OIDC gets a little confused
        return False
    else:
        # authenticate_or_redirect() returns None when the cookie is valid,
        # otherwise a redirect response
        return OIDC.authenticate_or_redirect() is None

from flask-oidc.

puiterwijk avatar puiterwijk commented on August 15, 2024

I have just added an oidc.logout() function, which will ensure logouts for cooperating browsers by expiring and emptying the cookie.
I will look into adding OpenID Connect Single Logout, and also logout for non-cooperating browsers, in the near future.

Also, with the new version you will get the ID token if your API does not require authentication.
To indicate this, the check function has been renamed to require_login with a backwards compatibility layer for check.

from flask-oidc.

sacx avatar sacx commented on August 15, 2024

Hi,

I'm pretty new with this stuff, but I succeeded in getting a full logout by calling the end_session_endpoint URL which is provided by the OpenID Connect configuration. In this way, the session is also cleaned from your OpenID provider, so it doesn't matter if your cookie is valid or not.

https://openid.net/specs/openid-connect-session-1_0-17.html

I'm using Keycloak as an OIDC provider.

from flask-oidc.
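Added example (not from this thread, not flask-oidc or Keycloak code) of the RP-initiated logout step sacx describes: read end_session_endpoint from the provider's discovery document and build the redirect with the parameters the OpenID Connect RP-Initiated Logout spec defines (id_token_hint, post_logout_redirect_uri, state). The discovery dict below is a constructed stand-in for what GET <issuer>/.well-known/openid-configuration returns; the issuer and app URLs are assumptions.

```python
from urllib.parse import urlencode, urlsplit

# Constructed stand-in for the provider's discovery document (assumed URLs).
DISCOVERY = {
    "issuer": "https://idp.example.com/realms/demo",
    "end_session_endpoint": "https://idp.example.com/realms/demo/protocol/openid-connect/logout",
}


def build_end_session_url(discovery: dict, id_token: str,
                          post_logout_redirect_uri: str, state: str) -> str:
    """Build the URL to send the browser to so the IdP ends its own session.

    Sending the user here (after clearing the local cookie) is what prevents the
    silent re-login on the next visit, because the IdP no longer has a session
    to answer the next authentication request with.
    """
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("provider does not advertise end_session_endpoint")
    ep, iss = urlsplit(endpoint), urlsplit(discovery["issuer"])
    if ep.scheme != "https":
        raise ValueError("end_session_endpoint must be https")
    # Refuse to redirect the browser (carrying an ID token) to a host other
    # than the issuer's; a tampered discovery document would otherwise leak it.
    if ep.netloc != iss.netloc:
        raise ValueError("end_session_endpoint host does not match issuer")
    params = {
        # lets the IdP identify which session to end without a prompt
        "id_token_hint": id_token,
        # must be pre-registered at the IdP, or it will refuse to redirect back
        "post_logout_redirect_uri": post_logout_redirect_uri,
        # opaque value echoed back on return; check it when the user comes back
        "state": state,
    }
    return f"{endpoint}?{urlencode(params)}"
```

The app's logout view would clear its own cookie first (as in the snippets above) and then return a redirect to the URL this function builds; the value passed as state should be stored so the return request can be checked against it.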

skt7 avatar skt7 commented on August 15, 2024

For Keycloak the following worked for me -

from flask import redirect, url_for
from flask_oidc import OpenIDConnect
from keycloak import KeycloakOpenID

# app, oidc (OpenIDConnect) and keycloak_openid (KeycloakOpenID) are
# assumed to be configured elsewhere in the application

@app.route('/logout')
@oidc.require_login
def logout():
    refresh_token = oidc.get_refresh_token()
    oidc.logout()                        # clear the local flask-oidc cookie
    keycloak_openid.logout(refresh_token)  # end the session at Keycloak too
    response = redirect(url_for('login'))
    return response

I used the python-keycloak library to log out from Keycloak; you can find more details here - https://github.com/marcospereirampj/python-keycloak

from flask-oidc.

1zg12 avatar 1zg12 commented on August 15, 2024

I have just added an oidc.logout() function, which will ensure logouts for cooperating browsers by expiring and emptying the cookie. I will look into adding OpenID Connect Single Logout, and also logout for non-cooperating browsers, in the near future.

Also, with the new version you will get the ID token if your API does not require authentication. To indicate this, the check function has been renamed to require_login with a backwards compatibility layer for check.

I have tried this recently; the logout is still not working. I am using version 1.4.0.

from flask-oidc.
