Hello, I've only been playing with FusionAuth for a day and I'm loving it so far, particularly the documentation. It's set up locally behind a Caddy reverse proxy at auth.localhost. The calling application is the Rust Actix example using OAuth, which sits behind the same reverse proxy at company2.localhost. All functionality seems good, other than the following issue, so I don't think there's a problem with my setup.
The 'logout' button in the Rust example doesn't log the user out, as when you click 'login', it logs the user straight back in again. So I wanted to fix that as a good way of understanding all the flows. I believe I've set it up how the documentation describes it, but there are some weird things happening. The configured logout url for the application is http://company2.localhost.
This is the endpoint. It generates the correct URL as documented:
    use std::env;

    use actix_session::Session;
    use actix_web::{get, HttpResponse, Responder};

    #[get("/logout")]
    async fn logout(session: Session) -> impl Responder {
        // FusionAuth's /oauth2/logout endpoint reads client_id (the spelling used
        // in the direct curl call below, which did redirect correctly), not clientId.
        let logout_url = format!(
            "{}/oauth2/logout?client_id={}",
            env::var("FUSIONAUTH_URL").expect("FUSIONAUTH_URL must be set"),
            env::var("FUSIONAUTH_CLIENT_ID").expect("FUSIONAUTH_CLIENT_ID must be set"),
        );
        // This seems to be a phony way of logging out: it only clears this
        // application's own session, not the FusionAuth SSO session.
        let _ = session.remove("email");
        // Send the user agent to FusionAuth so it can clear its own SSO cookie.
        HttpResponse::Found()
            .append_header(("Location", logout_url))
            .finish()
    }
I've tried both logout behaviours, 'Redirect' and 'All Applications', and that doesn't seem to make a difference.
However two very odd things happen when calling this endpoint:
The redirect doesn't work when called from company2.localhost/logout as auth.localhost is returned. Calling the oauth logout url directly does redirect to the configured endpoint.
Direct logout call:
* processing: http://auth.localhost/oauth2/logout?client_id=b6903a7b-5f3c-4045-8d81-95ae5a1e6e6c
* Trying [::1]:80...
* Connected to auth.localhost (::1) port 80
> GET /oauth2/logout?client_id=b6903a7b-5f3c-4045-8d81-95ae5a1e6e6c HTTP/1.1
> Host: auth.localhost
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Content-Length: 0
< Location: http://company2.localhost
< Server: Caddy
< Set-Cookie: fusionauth.sso=AiW238Ed9LuEh7nIcEW_uIYy9UtWoxp4CO8Y0mImkYTh; HttpOnly; Max-Age=2147483647; Path=/; SameSite=Lax
< Date: Tue, 16 Apr 2024 14:51:44 GMT
<
* Connection #0 to host auth.localhost left intact
* Issue another request to this URL: 'http://company2.localhost/'
* Trying [::1]:80...
* Connected to company2.localhost (::1) port 80
> GET / HTTP/1.1
> Host: company2.localhost
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 1168
< Date: Tue, 16 Apr 2024 14:51:44 GMT
< Server: Caddy
< Content-Type: text/html; charset=utf-8
Indirect call:
* processing: http://company2.localhost/logout
* Trying [::1]:80...
* Connected to company2.localhost (::1) port 80
> GET /logout HTTP/1.1
> Host: company2.localhost
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Content-Length: 0
< Date: Tue, 16 Apr 2024 14:56:12 GMT
< Location: http://auth.localhost/oauth2/logout?clientId=b6903a7b-5f3c-4045-8d81-95ae5a1e6e6c
< Server: Caddy
<
* Connection #0 to host company2.localhost left intact
* Issue another request to this URL: 'http://auth.localhost/oauth2/logout?clientId=b6903a7b-5f3c-4045-8d81-95ae5a1e6e6c'
* Trying [::1]:80...
* Connected to auth.localhost (::1) port 80
> GET /oauth2/logout?clientId=b6903a7b-5f3c-4045-8d81-95ae5a1e6e6c HTTP/1.1
> Host: auth.localhost
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Content-Length: 0
< Location: /
< Server: Caddy
< Set-Cookie: fusionauth.sso=AmcPoK_fBoGm6OpATC9Vr_tgPGw7aw75sw42ofCmMGvN; HttpOnly; Max-Age=2147483647; Path=/; SameSite=Lax
< Date: Tue, 16 Apr 2024 14:56:13 GMT
<
* Connection #1 to host auth.localhost left intact
* Issue another request to this URL: 'http://auth.localhost/'
* Found bundle for host: 0x56499cbb7700 [serially]
* Can not multiplex, even if we wanted to
* Re-using existing connection with host auth.localhost
> GET / HTTP/1.1
> Host: auth.localhost
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-store
< Content-Type: text/html; charset=UTF-8
< Server: Caddy
< Set-Cookie: fusionauth.sso=Aqe4uiPe-JYB5rXLC9CKlDKDc6XRyfzVGU6BiosBHFgm; HttpOnly; Max-Age=2147483647; Path=/; SameSite=Lax
< Date: Tue, 16 Apr 2024 14:56:13 GMT
< Transfer-Encoding: chunked
<
Even after all of this, the user isn't actually logged out. Calling the oauth logout url directly doesn't log the user out -- it redirects back to my application where the user is still logged in.
Please let me know if I need to provide any more information. Thank you!
Version
1.49.2
Affects Versions
No response
It looks like you may be making the request to /oauth2/logout in code and not in the User Agent. Is that correct?
If that is correct, I would expect this to fail. The /oauth2/logout request will attempt to remove the SSO session cookie, but this cookie is a secure HTTP only cookie. So if you make this request from within code, it is effectively a cross origin request, and we will not have visibility to the SSO session, and as a result the session will not be revoked.
The only way to use the /oauth2/logout endpoint and have it revoke the SSO session is to make it in the User Agent in a first-party context.
Logging out via code is considered a back channel logout. We don't directly publish a back channel logout mechanism through OAuth2, but you can always use the Refresh Token APIs to revoke session tokens, which accomplishes this goal.
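An added example, not code from the issue or from FusionAuth's Rust example: it builds the front-channel logout URL with the client_id parameter that the direct call above accepted, and classifies a curl -v response excerpt (constructed here, modelled on the two traces) by where its Location header points, which is the check that separates the working direct call from the indirect one. The names logout_url, response_headers, classify and LogoutOutcome, and the placeholder client id, are my own.

```rust
use std::collections::HashMap;

/// Front-channel logout target. The user agent must be redirected here so
/// FusionAuth sees its own fusionauth.sso cookie and can clear it. The
/// parameter is client_id, the spelling used in the direct call that worked.
fn logout_url(fusionauth_url: &str, client_id: &str) -> String {
    format!(
        "{}/oauth2/logout?client_id={}",
        fusionauth_url.trim_end_matches('/'),
        client_id
    )
}

#[derive(Debug, PartialEq)]
enum LogoutOutcome {
    /// Location matched the application's configured logout URL.
    RedirectedToApp,
    /// Location was "/", as in the indirect (clientId) call in the trace.
    FellBackToRoot,
    Other,
}

/// Collect the "< Name: value" response-header lines of a `curl -v` trace.
fn response_headers(trace: &str) -> HashMap<String, String> {
    trace
        .lines()
        .filter_map(|l| l.strip_prefix("< "))
        .filter_map(|l| l.split_once(": "))
        .map(|(k, v)| (k.to_ascii_lowercase(), v.trim().to_string()))
        .collect()
}

/// Classify one logout response against the configured logout URL.
fn classify(trace: &str, configured_logout_url: &str) -> LogoutOutcome {
    let headers = response_headers(trace);
    let app = configured_logout_url.trim_end_matches('/');
    match headers.get("location").map(String::as_str) {
        Some("/") => LogoutOutcome::FellBackToRoot,
        Some(loc) if loc.trim_end_matches('/') == app => LogoutOutcome::RedirectedToApp,
        _ => LogoutOutcome::Other,
    }
}

fn main() {
    // Constructed trace excerpts modelled on the direct and indirect calls above.
    let direct = "< HTTP/1.1 302 Found\n< Location: http://company2.localhost\n< Server: Caddy\n";
    let indirect = "< HTTP/1.1 302 Found\n< Location: /\n< Server: Caddy\n";
    println!("{}", logout_url("http://auth.localhost", "CLIENT_ID_PLACEHOLDER"));
    println!("direct: {:?}", classify(direct, "http://company2.localhost"));
    println!("indirect: {:?}", classify(indirect, "http://company2.localhost"));
}
```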