
Difficulties obtaining idToken needed for /logout endpoint #964

Open
kaobg opened this issue Apr 24, 2024 · 7 comments

Comments

@kaobg

kaobg commented Apr 24, 2024

Issue

Not sure if this is classified as a bug or I'm missing something, but in the documentation it is stated that we can only use the authorization code flow, which is fine.

But then for /logout endpoint it is stated that:

It requires an idToken, obtained after successfully authenticating with OpenID Connect, and a URL to redirect back after the logout has been performed.

However, I can't find any way that I can set the response_type to include the 'code id_token' for the /authorize endpoint. The default response_type gets set to 'code' and the server does not return the idToken, which I can then later use for the logout. Because of this I end up sending some invalid string for the idToken param in /logout, which creates problem for the post logout redirect and as a result I end up having to close the custom tab manually after the log out has been completed.

Please let me know if I'm missing anything with the supported logout flow.


Environment

  • Your Identity Provider: IdentityServer 4
  • Platform that you're experiencing the issue on: Android
  • Your react-native Version: 0.73.0
  • Your react-native-app-auth Version: 7.1.3
  • Are you using Expo?: No
@carbonrobot carbonrobot added the needs-triage Waiting for a member of the team to confirm label May 2, 2024
@faizplus (Contributor)

faizplus commented May 6, 2024

This seems to be a config issue for IdentityServer 4 and is unrelated to this open source library and falls under general development help.

@faizplus faizplus closed this as completed May 6, 2024
@faizplus faizplus removed the needs-triage Waiting for a member of the team to confirm label May 6, 2024
@carbonrobot carbonrobot reopened this May 6, 2024
@carbonrobot (Contributor)

@kaobg Does your code differ from our Identity Server 4 example?

https://github.com/FormidableLabs/react-native-app-auth/blob/main/docs/config-examples/identity-server-4.md

If so, can you tell me what options you are using or provide a code example?

@kaobg (Author)

kaobg commented May 18, 2024

@carbonrobot
Hello, it differs in that I'm not using the revoke endpoint, I'm using the logout endpoint

```js
import { logout } from 'react-native-app-auth';

const authConfig = {
   issuer: "{issuer}",
   postLogoutRedirectUrl: "com.myapp:/ouath2redirect"
}
...
await logout(authConfig, {
      idToken: ?, // mandatory parameter - check my comment below
      postLogoutRedirectUrl: authConfig.postLogoutRedirectUrl
});
```

The 'idToken' parameter is mandatory, however I have no way of obtaining it at login because the authorize response type is set to 'code' only internally in the react-native-app-auth library. I think it should be 'code id_token'.

So that leaves me with just using the revoke() method as in the sample you provided
As is, the logout() method cannot be used, unless I'm missing something.

@kaobg (Author)

kaobg commented May 18, 2024

Keep in mind that if you pass some invalid value for idToken, IdentityServer will display a logout page in the custom tab on which you have to make an extra click to confirm the logout. And it will not follow the PostLogoutRedirectURL in this case. Which is something I would like to avoid obviously.

@carbonrobot (Contributor)

@kaobg We don't set the scope internally, you can supply that with your configuration as follows. The scopes determine what the OIDC endpoint will return when you call authorize, but the server also needs to be configured to allow that scope. Technically, OIDC specification does not require the id token, but Identity Server only follows the spec loosely.

```js
const config = {
  issuer: 'https://demo.identityserver.io',
  clientId: 'native.code',
  redirectUrl: 'io.identityserver.demo:/oauthredirect',
  scopes: ['openid', 'profile', 'offline_access']
};
```

Keep in mind that Identity Server endsession endpoint requires a redirect to a browser url, this is their API design and nothing we can change.

ID4 docs: https://identityserver4.readthedocs.io/en/latest/endpoints/endsession.html

@kaobg (Author)

kaobg commented Jun 30, 2024

@carbonrobot sorry for the very late response.

From the spec:

> If a valid id_token_hint is passed, then the client may also send a post_logout_redirect_uri parameter. This can be used to allow the user to redirect back to the client after sign-out.

That's exactly the behavior I want to achieve, it's fine that we need to open a browser for the endsession but after the session has been successfully ended I want to make use of the post logout redirect uri (which I can't do without supplying an id_token, hence my original question).

@davidfeldt

I had a similar issue using the authorize endpoint. Kept getting "net.openid.appauth.AuthorizationException: Invalid ID Token" error on physical device. I discovered that it was related to the device not having the correct date/time setting so the id token was seen as invalid. This had nothing to do with a bug / issue with the react-native-app-auth library!!
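Added example, not code from react-native-app-auth or from anyone in this thread: it shows where the ID token comes from in the authorization code flow that carbonrobot's config uses, and the kind of clock check that trips on a device with the wrong time, as in davidfeldt's comment. With response_type=code the ID token is not on the /authorize redirect at all; it is returned by the token endpoint next to the access token when the openid scope was requested (OpenID Connect Core, token response), and the library's authorize() result surfaces it as the idToken field that logout() wants. The RP-initiated logout request is built as IdentityServer4's endsession endpoint documents it (id_token_hint plus post_logout_redirect_uri). The token response, the ID token and the /connect/endsession path are constructed here for illustration; nothing is signed or verified, and the library and IdP do the real exchange and validation.

```javascript
// Added example (not react-native-app-auth's code). Runs offline on constructed data.

// Base64url helpers (Node >= 15.7 understands the 'base64url' encoding).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed, unsigned ID token for illustration: header.payload.<dummy signature>.
function makeUnsignedIdToken(payload) {
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(payload)}.sig`;
}

// Fixed "current time" (seconds) so the example is deterministic.
const NOW = 1_700_000_000;
const ISSUER = 'https://demo.identityserver.io'; // issuer from the config in this thread
const ID_TOKEN = makeUnsignedIdToken({
  iss: ISSUER,
  sub: '12345',
  aud: 'native.code',
  iat: NOW - 5,
  exp: NOW + 300,
});

// Constructed token-endpoint response for a code exchange that requested
// "openid profile offline_access". Because "openid" was granted, id_token sits
// next to access_token; without that scope the server returns no id_token.
const TOKEN_RESPONSE = {
  access_token: 'access-token-value',
  refresh_token: 'refresh-token-value',
  id_token: ID_TOKEN,
  token_type: 'Bearer',
  expires_in: 3600,
  scope: 'openid profile offline_access',
};

// Pull the ID token out of the token response; fail loudly if the server did not
// return one (e.g. "openid" not requested, or not allowed for this client).
function extractIdToken(tokenResponse) {
  const { id_token: idToken, scope = '' } = tokenResponse;
  if (typeof idToken !== 'string' || idToken.split('.').length !== 3) {
    throw new Error(`no id_token in token response (scope granted: "${scope}")`);
  }
  return idToken;
}

// Decode the payload only; signature verification is the library's / IdP's job.
function decodeJwtPayload(jwt) {
  return fromB64url(jwt.split('.')[1]);
}

// Clock check of the kind that fails when the device time is wrong: iat must not
// lie in the future and exp must not lie in the past, allowing a small skew.
function idTokenTimesValid(payload, nowSeconds, skewSeconds = 60) {
  if (typeof payload.iat !== 'number' || typeof payload.exp !== 'number') return false;
  return payload.iat <= nowSeconds + skewSeconds && payload.exp > nowSeconds - skewSeconds;
}

// RP-initiated logout request as IdentityServer4's endsession endpoint expects it:
// id_token_hint carries the ID token, post_logout_redirect_uri is the registered
// app URL to return to. In practice the endpoint URL comes from the discovery
// document's "end_session_endpoint"; the path used below is an assumption.
function buildEndSessionUrl(endSessionEndpoint, idToken, postLogoutRedirectUri, state) {
  const url = new URL(endSessionEndpoint);
  url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (state) url.searchParams.set('state', state);
  return url.toString();
}

// Walk the flow once: token response -> id_token -> clock check -> end-session URL.
function demoLogoutFlow(tokenResponse = TOKEN_RESPONSE, nowSeconds = NOW) {
  const idToken = extractIdToken(tokenResponse);
  const payload = decodeJwtPayload(idToken);
  if (!idTokenTimesValid(payload, nowSeconds)) {
    throw new Error('ID token rejected: check the device clock against iat/exp');
  }
  return buildEndSessionUrl(
    `${ISSUER}/connect/endsession`, // assumed path; read end_session_endpoint from discovery
    idToken,
    'io.identityserver.demo:/oauthredirect', // post-logout URL from the config in this thread
  );
}

console.log(demoLogoutFlow());
```

If extractIdToken throws on your real token response, the problem is scope or client configuration on the IdentityServer side, not the response_type; if the clock check fails with a token that is fresh on the server, compare the device time with the iat and exp claims before looking anywhere else.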
