.signOut ignores state param when user is already logged out #1433

Closed
pljeskavica opened this issue Jul 10, 2023 · 3 comments

@pljeskavica

Describe the bug

Bug Description

The .signOut() method is responsible for closing a session, and clearing access and ID tokens. The signOut method takes the following options:

postLogoutRedirectUri - Setting a value will override the postLogoutRedirectUri configured on the SDK.
state - An optional value, used along with postLogoutRedirectUri. If set, this value will be returned as a query parameter during the redirect to the postLogoutRedirectUri

When the user is signed in, calling the signOut method works as expected: the user is redirected to the postLogoutRedirectUri with the state string as a query parameter.

When the user is not signed in, the signOut method ignores the state string, and redirects the user to the postLogoutRedirectUri with no query parameter.

What's Expected

According to the documentation, the .signOut method requires a valid ID token:

> Requires a valid ID token. If an ID token is not available, signOut will fallback to using the XHR-based closeSession method. This method may fail to sign the user out if 3rd-party cookies have been blocked by the browser.

In this scenario, the user is signed out, and the idToken has already been cleared from token storage, hence the SDK should fall back to using the closeSession method.

It is also documented that if this fallback happens, we should expect signOut to return a promise with the result of closeSession:

> If a fallback to closeSession is used, signOut() returns a promise that resolves with the result of closeSession (true if an existing Okta session have been closed or false if a session does not exist or has already been closed). Otherwise a promise resolves with true.

Reproduction Steps?

I have created a code sandbox with a working example: https://codesandbox.io/s/charming-snyder-z8x5vv?file=/src/App.tsx

Signout Code:

```js
const signOut = async () => {
  try {
    const result = await authClient.signOut({
      state: "OktaSignoutState",
      postLogoutRedirectUri: window.location.origin
    });
    // If user is signed out signout should return false
    // https://github.com/okta/okta-auth-js#signout
    console.log({ result });
  } catch (e) {
    console.warn("Signout Failed and threw error");
    console.warn(e);
  }
};
```

The result value is always undefined, right before the page is redirected back to the postLogoutRedirectUri.

You can use the test user for this client: [email protected] / Github123!

SDK Versions

@okta/okta-auth-js: 7.2.0

Additional Information?

No response

@shuowu-okta
Contributor

Thanks for reporting the issue!
Internal Ref: OKTA-627412

@jaredperreault-okta
Contributor

@pljeskavica Have you tested the return value of signOut in a local environment? I can see in the sandbox it returns undefined, but in a local test app it is correctly resolving false.

@jaredperreault-okta
Contributor

Resolved in #1439. Released in 7.4.0
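
For an application still on an SDK version affected by this issue, the following is an added example (not part of the thread and not okta-auth-js code) of a wrapper that keeps `state` on the redirect when no ID token is stored, plus a check for the receiving page. The names `signOutWithState`, `buildPostLogoutUrl`, `checkReturnedState` and the `redirect` parameter are hypothetical; it assumes only the SDK's `signOut`, `closeSession` and `tokenManager.getTokens` methods.

```javascript
// Added example; helper names and the `redirect` parameter are hypothetical.

// Build the post-logout URL, carrying `state` as a query parameter.
function buildPostLogoutUrl(postLogoutRedirectUri, state) {
  const url = new URL(postLogoutRedirectUri);
  if (state !== undefined) url.searchParams.set("state", state);
  return url.toString();
}

// On the page served at postLogoutRedirectUri: classify the returned state.
function checkReturnedState(href, expected) {
  const returned = new URL(href).searchParams.get("state");
  if (returned === null) return "missing"; // the case reported in this issue
  return returned === expected ? "match" : "mismatch";
}

// Use signOut() when an ID token is stored. Otherwise close the session
// directly and perform the redirect here so `state` is still delivered.
async function signOutWithState(
  authClient,
  options,
  redirect = (url) => window.location.assign(url) // browser default
) {
  const { idToken } = await authClient.tokenManager.getTokens();
  if (idToken) return authClient.signOut(options);

  let closed = false;
  try {
    closed = await authClient.closeSession();
  } catch (e) {
    // closeSession is XHR-based and may fail if 3rd-party cookies are blocked
  }
  redirect(buildPostLogoutUrl(options.postLogoutRedirectUri, options.state));
  return closed;
}
```

The receiving page should treat `"missing"` and `"mismatch"` as a logout redirect it did not initiate, rather than acting on it.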
