We have to give our users the option to sign out of our application. This would require them to log back in for further use. However, it appears the auth0 session cookie is not deleted for some reason when implementing the https://YOUR_AUTH0_DOMAIN/v2/logout?returnTo=http%3A%2F%2Fwww.example.com.
Even though the redirect works, the user is automatically logged back in after calling webAuth.authorize(); while you would expect to be asked to re-enter your credentials.
Calling this function for the first time, the user is required to enter username and password. However, they are never required again until the token expires.
Unfortunately, even the examples provided (via download section) do not address this. Wondering if this is even possible but it seems like the Auth0 website itself handles it correctly.
Here is the code example:
var logoutBtn = document.getElementById('vwLogoutBtn');
logoutBtn.addEventListener('click', logout);
function setSession(authResult) {
// Set the time that the access token will expire at
var expiresAt = JSON.stringify(
authResult.expiresIn * 1000 + new Date().getTime()
);
localStorage.setItem('access_token', authResult.accessToken);
localStorage.setItem('id_token', authResult.idToken);
localStorage.setItem('expires_at', expiresAt);
}
function logout() {
// Remove tokens and expiry time from localStorage
localStorage.removeItem('access_token');
localStorage.removeItem('id_token');
localStorage.removeItem('expires_at');
webAuth.logout({
returnTo: 'http://staging.myproject.com/prototype/home.html',
client_id: AUTH0_CLIENT_ID
});
displayButtons();
}
function displayButtons() {
if (isAuthenticated()) {
getProfile();
} else {
//You are not logged in
webAuth.authorize();
}
}
handleAuthentication();
});
We have also tried using: https://YOUR_AUTH0_DOMAIN/v2/logout?returnTo=http%3A%2F%2Fwww.example.com
However, every time the user logs out and it hits the login page, the user is automatically logged back in.
Any help/guidance is greatly appreciated. Thank you,
After a lot of tests I am actually able to answer my own question LOL
Problem was that the logout (session cookie delete) in combination with the re-login happened too fast. Putting a delay on calling webAuth.authorize() showed that the user is successfully logged out.
You certainly don't want to put a delay on this function. In my case I am now forwarding to a "Logged out" page that also offers the option to log back in.
Related
I'm using AWS Cognito and aws-amplify to manage user authentication. When I load up my app, I call Auth.currentSession() which seems to always return the user I was logged in as if I do not explicitly log out by calling Auth.signOut().
I'm fine with this should the user choose a "keep user logged in", but if they don't, how would I go about making sure the user gets logged out once they leave the app?
I tried adding an event listener in my login() method but that didn't work i.e. the user was still logged in when I returned to the app:
.
.
.
if (!keepSignedIn) {
window.addEventListener('unload', function(event) {
Auth.signOut();
});
}
I'm pretty sure the logout() method creates a promise - it operates asynchronously. So the page is probably being destroyed before the promise's logout code is executed.
You can confirm this by executing console.log(Auth.signOut());. If it's a promise it'll log Promise { <pending> }
There's no way to halt unloading of the page, as that would be bad if we could.
What you need is a synchronous signout function. Fortunately, you can just clear the browser local storage, which is a synchronous operation. (Local storage is where Amplify stores the auth tokens.)
if (!keepSignedIn) {
window.addEventListener('unload', function(event) {
localStorage.clear();
});
}
Depending on your situation you may need to instead find and remove individual local storage items, instead of clearing them all.
You can clear Amplify cache before Auth.signOut()
import AmplifyCache from '#aws-amplify/cache';
AmplifyCache.clear();
We have React Native app that uses Cognito for authentication. We would like to prevent the same user ID from logging in simultaneously from multiple devices.
We were hopefully that we could use a Cognito pre-authentication trigger for this. Unfortunately it seems that we can't just call globalSignOut for the user since that wouldn't invalidate tokens that have already been issued and are currently active (see https://github.com/amazon-archives/amazon-cognito-identity-js/issues/21#issuecomment-331472144).
The other idea was to reject the login if the user is logged in elsewhere. But we can't see a reliable way to tell whether the user is already logged in. We can see if there are valid tokens issued for that user but not if they are currently associated with an active session.
We also thought of maintaining our own DB of active sessions but there is no sign-out trigger so we wouldn't know when to remove a session from the DB.
You can use a token authentication system,
Issue a brand new token for each login, and check for available tokens.
if any token is available for the user that means He/She is logged in some other device, for this case you can prompt user that You are logged in other device.. are you sure you want to log out from that device ? and after clicking yes, you can clear all tokens for that user. And issue a brand new token.
AUTO LOGOUT : this token should be passed all over the back-end i.e. in headers of each and every API call token should be there... and should be checked before doing anything in back-end. if token is not available then throw 401. In your app if any API throws 401 then it means user is UNAUTHORIZED and should be logged out.
or
your app should be listening to one socket that responds to log out when it receives a message of same. so whenever your user logs in, a logout message will be passed across sockets and appropriate device with some token id or unique id will get that message and will log out a particular user from all other devices.
or
have a notification receiver which will be used to log out whenever necessary same as socket.
Reading the link you provided the API token / session system seems being faulty by design since long time already.
So without an own token-system inside cognito you won't have reliable results probably, at least in the current state of the system (as the repository is archived it won't be developed further by the owner).
What I propose is an own field in the database-table for users where each login is honored with an own token. A second own field in the same table with a timestamp, where the last access is saved.
If last access is older than a predefined time of 30, 60 or 120 minutes any user gets logged out.
If the last access is younger than the time-limit then the login-mask has to provide a random access token which is compared with that in the database:
- if the access-token in the database is too old for an active session, or just no access-token is stored, then access can be granted which means login is successful.
- the comparison of the current time with the time-stamp saved in the database is for cases where users never have been logged out by purpose but just by being disconnected or passive. I think this case will happen regularly, so it's no exception.
- logging out by click on a button should destroy the access-token in the database, so that the user can immediately login from any device, even from another one then before.
- if there exists a valid access-token in the database then no new access will be granted and the user should get shown a message that he has to sign out first at another login.
- The access-token could be stored together with a third own field for the session-id to make it more reliable and safe. On logout that session-token-field can be cleared too. The session-token can be copied from the global session if required to be saved in the user-record.
- Any checks are only done on login, tokens never have to be included on every page.
- On active logout the token(s) have to be destroyed to allow a direct login again, else the users had to wait till the max. age of the time-limit is reached to login again - at least on another device then before.
As the login itself is currently done independent from the check that has to be implemented, it would be possible to leave the new access-token completely away but use only the session-id as that differs on any device and browser. But perhaps there exists a situation where one of session-id and access-token can change but the other one not - I don't think so but perhaps I missed something in my considerations.
If you provide the access-token on every page like proposed by #Jadeep Galani or in a cookie - beside the corresponding check - you also can offer a button to sign out from all devices. This would enable the users to change login any time even without logging out at the last used device. Without access-token on every page or in a cookie this general logout-function solution is not possible as else access is only checked on login but not on all pages.
A general question is if it's still worth it to rely on the buggy cognito for login or just replace it completely by an own solution. You even could implement the desired authentication in your site in form of a wrapper-class and the concrete login-system could be replaced without changing that implementation.
You can use the UUID of the device to identify whether it is the same user. Add a UUID to each request header to record it in the DB, and then you can do what you want.
Recently I am experiencing this problem.
When I click to register with facebook and I am logged in as a user, I can see my information correctly. But staying on the same page, if I log out from facebook in some other tab and click Register with facebook on my own site, I see this person profile picture. The url of this image is:
http://graph.facebook.com/undefined/picture?type=large
I am accessing graph API using APP
Kindly advise me the solution to the problem
Accessing a users data requires an access token, with out this token your call is getting undefined returned as a user, and with out the access token appended to the picture url it returns emphamous Unknown User.
refer to: http://developers.facebook.com/docs/facebook-login/access-tokens/
for requesting access tokens, and usage.
Example Only: https://graph.facebook.com/ShawnsSpace/picture?type=large&return_ssl_resources=1&access_token=users_access_token
My script cannot access FB script without Access token
FB.login(function(response)
{
//If the user is succesfully authenticated, we execute some code to handle the freshly
//logged in user, if not, we do nothing
if (response.authResponse)
{
FB.api('/me', function(response) {}
}
{scope:'email,user_events,friends_photos,user_about_me,user_birthday,user_hometown,user_location,user_location,user_relationships'}); });//fbclick
So, I think access token condition is already satisfied.
I am working with facebook graph api rsvp_event. I am using javascript SDK. Everything works great when the user is logged in. But when the user is not logged in, it gives an error.
I need information about who is attending a public event. I now understand that I would need an access token to retrieve this information. So, my question is how do I get the access token if no user is logged in? Is it impossible or is there a workaround? Could it be done server side using app_id and client_secret?
I am developing a ColdFusion page, but I can use PHP if needed. I have support for both.
I have heard the term *offline_access_permission*. They have removed this feature. Could it be done when it was still available?
EDIT:
Could this be achieved by test user? Say, on server side I login via test user, get the event information (Just a "get" request to read who is attending an event) and then log off. On the client side I do the rest ( user login, rsvp to an event).
I don't know much about "test user" or its purpose. Can anyone confirm whether this can be achieved or not?
Thanks in advance.
Are you sure you actually need the user's access token? According to documentation here you may need:
- a generic access_token for public events (those whose privacy is set to OPEN)
- a user access_token for a user who can see the event for non-public events
- an app access_token (for non-public events, must be the app that created the event)
- a page access_token (for non-public events, must be the page that created the event)
You can get info on how to get those tokens here https://developers.facebook.com/docs/concepts/login/access-tokens-and-types/
A good idea could be to store the attending users (in the DB) when you have access to the event - when some user is logged in.
UPDATE for getting the data from FileContent.
I don't know what API response exactly you are referring to, but from my experience they are returning data:
- serialized using JSON - you need to use DeserializeJSON(), for example like this:
local.returnStruct = DeserializeJSON( local.requestResult.FileContent );
or
local.returnStruct = DeserializeJSON( local.requestResult.FileContent.toString() );
send as something similar to URI. I'm using a function to get that data:
function getStructFromQueryString( queryString ) {
var ret = StructNew();
var i = 0;
var key = '';
for(i=1; i LTE ListLen(arguments.queryString,'&'); i++) {
key = ListGetAt(arguments.queryString, i, '&');
ret[ListFirst(key,'=')] = URLDecode(ListLast(key,"="));
}
return ret;
}
Basically what you want is a refresh token that can get access tokens when the user is offline, unfortunately facebook does not provide them anymore as far as i know.
To learn more about oauth2 pleas play around with https://developers.google.com/oauthplayground/ its a very nice tool to understand the oauth2 process.
I'm having trouble with cookies on my site's registration form.
When a user creates an account, PHP sets one cookie with their user id, and one cookie with a hash containing their user agent and a few other things. Both of these cookies are set to expire in an hour.
This is the code that sets the cookie after creating your account
$registerHash = hash( "sha512", $_SERVER['HTTP_USER_AGENT'] . $_SERVER['HTTP_HOST'] . $_SERVER['DOCUMENT_ROOT'] );
setcookie("register_user_id", $newUserID, time() + 7200, "/");
setcookie("register_hash", $registerHash, time() + 7200, "/");
The next page is a confirmation page which sends an email and then optionally lets the user go on to fill out more account information. If the user goes on to fill out more, it uses the cookie to know what account to save it to. It works correctly in Firefox and IE, but in Chrome the cookie is forgotten as soon as you go to the next page. The cookie simply doesn't exist.
You can see the problem here:
http://crewinyourcode.com/register/paid/
If you use Chrome, you will get a registration timeout error as soon as you try to advance past the confirmation page. However on Firefox it works fine.
It turns out this actually was a problem of the files being in different directories, despite my cookie being set for "/", and it was forgetting across multiple. I solved it by moving all the files into the same place.