Previously we discussed how we will implement Token Renewal for our SPA and next we will discuss Logout requirements.
End Users and Logout
Most real users don’t care much about logout features, and are happy to just close their browser and login again when they prompted.
Testing as Different Users
Perhaps the most common reason why companies may want some type of logout functionality is just to support testing:
- It can be useful to be able to log in to your SPA as different test users with different permissions to corporate assets
Persistent Login Cookies
You Authorization Server or Identity Provider may use persistent cookies, in particular when you run your SPA on a mobile browser.
In this case, closing the UI may not log you out, and you may want to avoid having to ask test users to clear browser cookies.
For cases when users sign in automatically with LDAP credentials, the User Experience acts as though there is no login to your SPA:
In these cases it probably does not make sense to log out from the Identity Provider. You may choose to hide the Logout button, or just have a ‘Simple Logout’ that removes stored tokens.
Open Id Connect supports a more advanced type of logout, where logging out of one app can also raise an event to other apps. I don’t consider this an essential feature though, so we will not implement it.
The OIDC Client has a Session Monitor class that implements the Single Logout feature, if this is a feature you care about.
Basic Logout to Enable Testing
For our Code Sample we will implement Basic Open Id Connect Logout from Okta, without SLO, via an Open Id Connect logout redirect:
After logout the user will be returned to the Login Screen, or, as above, we can supply a Post Logout Redirect URI to return the user to an SPA view.
Open Id Connect Logout
If we try to do an OIDC Client logout with our current code sample then the logout attempt will fail due to a missing id_token_hint query parameter:
Vendors, Libraries and Logout
Open Id Connect Logout is only a draft standard, so Authorization Servers and Security Libraries may not implement it yet and some Authorization Servers will have a vendor specific solution.
Where Are We?
We have worked out the basic support for Logout we want, to enable testing. However, we need to fix the above Id Token problem.