Silent logout, login without cache token #4335

Closed
bumbel42so opened this issue Dec 22, 2021 · 5 comments · Fixed by #4450
Labels: feature (Feature requests), msal-angular (Related to @azure/msal-angular package), msal-browser (Related to msal-browser package)

Comments

@bumbel42so

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.20.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

2.0.6

Description

Hi guys,
I have a little special use case: I have a signed-in user in my application, but the app also requires a four-eyes principle. So I have to acquire a token (which will be checked in the backend) for a second user with prompt login.
This is where my problems start:
If I acquire the token for the second user, the second user stays logged in and I have to show the logout page, where the second user must interact again.
Currently this is a security issue, because if logout is not properly executed it is possible to sign in to all Microsoft services via SSO.
So I am looking for a solution to acquire a token without it being cached, or an option to log out silently. Can you help me please?

MSAL Configuration

auth: {
    clientId: 'XXX',
    authority: 'https://login.microsoftonline.com/XXX/',
    redirectUri: '/',
    postLogoutRedirectUri: '/logout'
  },

  cache: {
    cacheLocation: BrowserCacheLocation.SessionStorage,
    storeAuthStateInCookie: false
  }

Relevant Code Snippets

this.msalSvc.acquireTokenPopup({ loginHint: user.userPrincipal, prompt: 'login', scopes: ['api://XXX/sign']} as PopupRequest).subscribe({
...
this.msalSvc.instance.logoutPopup({ account: response.account, postLogoutRedirectUri: null});

Identity Provider

Azure AD / MSA

Source

External (Customer)

@bumbel42so bumbel42so added the question Customer is asking for a clarification, use case or information. label Dec 22, 2021
@ghost ghost assigned jo-arroyo Dec 22, 2021
@ghost ghost added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Dec 22, 2021
@github-actions github-actions bot added msal-angular Related to @azure/msal-angular package msal-browser Related to msal-browser package labels Dec 22, 2021
@jo-arroyo
Collaborator

@bumbel42so We are currently working on a feature to improve the logout experience, and will have documentation when it is ready. In the meantime, you can try setting the browser cache location to BrowserCacheLocation.MemoryStorage so tokens are not persisted across page loads.

@ghost ghost added answered Question has received "first qualified response" Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Dec 27, 2021
@ghost

ghost commented Jan 1, 2022

@bumbel42so This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.

@ghost ghost added the no-issue-activity Issue author has not responded in 5 days label Jan 1, 2022
@bumbel42so
Author

@jo-arroyo I tried it with cacheLocation: BrowserCacheLocation.MemoryStorage and storeAuthStateInCookie: true, but the SSO problem, that I can log in via SSO on other sites, remains. Any other ideas for a workaround?
Do you have a timeline for the improved logout experience?

@ghost ghost added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author no-issue-activity Issue author has not responded in 5 days labels Jan 7, 2022
@tnorling tnorling added the feature Feature requests. label Jan 10, 2022
@ghost ghost removed question Customer is asking for a clarification, use case or information. answered Question has received "first qualified response" Needs: Attention 👋 Awaiting response from the MSAL.js team labels Jan 10, 2022
@tnorling
Collaborator

@bumbel42so The silent sign-out feature is committed but we don't have an ETA to share at the moment. We will link the pull request containing this feature when it is ready so that you can track its progress. New versions of our libraries are released on the first Monday of every month.

@jasonnutter
Contributor

Assigning to @hectormmg, who will be working on this.

@jasonnutter jasonnutter assigned hectormmg and unassigned jo-arroyo Jan 24, 2022
@hectormmg hectormmg linked a pull request Jan 28, 2022 that will close this issue