Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Sign out does not clear SSO token

See original GitHub issue

Looking at the code, I don’t see Sign Out being properly implemented. There is a way to remove the user tokens from the local cache, but it does not appear to invoke the system web view to hit the end_session_endpoint endpoint value. That may leave the cookie between the system and the device valid such that a subsequent authenticate call may not prompt for credentials.

Seems like the end_session_endpoint value should be read from the OIDC metadata and then invoked on a sign out?

Issue Analytics

State:
Created 6 years ago
Reactions:18
Comments:20 (7 by maintainers)

Top GitHub Comments

7reactions

frolificcommented, Jun 25, 2020

Any update on this? IMO, this should not be marked as an enhancement - it’s a defect that can potentially lead to PII issues.

4reactions

bgavrilMScommented, Aug 2, 2019

Hi @shripathi-kamath - you have some control over the browser by using the .WithPrompt method. AFAIK Prompt.ForceLogin will always force the user to enter their password.

var result = await pca.AcquireTokenInteractive(_scopes)
                        .WithPrompt(Prompt.ForceLogin)
                        .ExecuteAsync()