
I am working on an Azure App Service application using built-in auth. I am trying to implement an auto-logout-due-to-inactivity feature, so when the user steps away from their browser the app should log them out.

Following the documentation on how to sign out of a session, I would expect that when I redirect to /.auth/logout it would:

  • Clears authentication cookies from the current session.
  • Deletes the current user’s tokens from the token store.
  • For Microsoft Entra and Google, performs a server-side sign-out on the identity provider.

… however, instead of doing the above, the user is presented with an account chooser screen asking which account to sign out of. The problem is that there is no user there to make the choice, so the browser hangs on that screen, and when visiting the application the user is still authenticated.

Does anyone know how to programmatically log out of Azure App Service apps without requiring user interaction?

2 Answers


  1. 1. Introduction

    Your browser triggers requests to your server. Your task is to replicate those requests programmatically.

    2. The plan

    You are on some page and you intend to run JS code when either the browser or the tab loses focus. You can use window.onblur for that purpose.

    3. Research

    Do an actual logout as a user with Dev Tools open, monitor all requests, and save the curl of each one. Notice that some requests may reuse parts of the responses to previous requests.

    For each such request, determine:

    • whether it’s necessary for the logout (for example you don’t want to send requests to CSS files)
    • which parameters/headers of the request vary (session ID, user agent, whatever) and particularly which values depend on responses from earlier requests
    • what headers are to be sent

    4. Implementation

    Implement a sequence of these requests and adjust them until they work. Carefully monitor what the responses are. Try doing it in curl and, during your tests, take inspiration from a live browser session.

    5. Integrating it into your project

    Now that you have a sequence of curl requests that take some parameters and, by sending the requests in order, log you out, you might be able to send these requests via JavaScript if you don't run into any browser limitations. In that case, you will just need to implement some JavaScript functions and trigger the sequence at window.onblur.

    However, if there are limitations in the browser and you cannot solve them, then implement a middleware to which you pass the initial variable values and which starts the sequence of requests, and trigger this from your JavaScript code by calling your middleware.

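The client side of the plan above (steps 2 and 5), written out as an added example that is not code from either answer: an inactivity watchdog that resets on user activity, treats losing focus as the start of idle time rather than as an immediate logout, and ends the session with a top-level navigation to /.auth/logout. The /logged-out landing page, the 15-minute default, the one-second poll and the list of activity events are assumptions, not anything the page prescribes.

```javascript
// Added example, not code from either answer: a browser-side inactivity
// watchdog that ends the session through App Service's /.auth/logout endpoint.
// Assumptions (not from the page): a landing page at /logged-out, the 15-minute
// default, the one-second poll and the list of activity events.

const LOGOUT_PATH = '/.auth/logout';

// Build the logout URL with a relative post-logout redirect. encodeURIComponent
// keeps a path containing '?' or '&' from breaking the query string.
function buildLogoutUrl(postLogoutPath = '/logged-out') {
  return `${LOGOUT_PATH}?post_logout_redirect_uri=${encodeURIComponent(postLogoutPath)}`;
}

// Tracks the last user interaction and decides when the idle budget is spent.
// The clock is injectable so the logic can be tested without a real browser.
class InactivityMonitor {
  constructor({ timeoutMs, onTimeout, now = () => Date.now() }) {
    if (!(timeoutMs > 0)) throw new RangeError('timeoutMs must be positive');
    this.timeoutMs = timeoutMs;
    this.onTimeout = onTimeout;
    this.now = now;
    this.lastActivity = now();
    this.fired = false;
  }

  // Any user interaction resets the idle clock.
  touch() { this.lastActivity = this.now(); }

  idleMs() { return this.now() - this.lastActivity; }

  // True once the budget is exhausted. onTimeout runs exactly once, so a
  // periodic poll cannot start several logout navigations.
  check() {
    if (this.fired) return true;
    if (this.idleMs() < this.timeoutMs) return false;
    this.fired = true;
    this.onTimeout();
    return true;
  }

  // Wire the monitor to a window-like object. 'blur' is deliberately not an
  // activity event: once the user leaves the tab the idle clock keeps running.
  // Browsers throttle timers in background tabs, so 'focus' also runs check()
  // immediately when the user comes back instead of waiting for the next poll.
  attach(win, { pollMs = 1000,
                activityEvents = ['mousemove', 'keydown', 'click', 'scroll', 'touchstart'] } = {}) {
    const onActivity = () => this.touch();
    for (const ev of activityEvents) win.addEventListener(ev, onActivity, { passive: true });
    const timer = win.setInterval(() => { if (this.check()) win.clearInterval(timer); }, pollMs);
    const onFocus = () => { if (this.check()) win.clearInterval(timer); };
    win.addEventListener('focus', onFocus);
    // Returns a detach function for single-page apps that tear the page down.
    return () => {
      win.clearInterval(timer);
      win.removeEventListener('focus', onFocus);
      for (const ev of activityEvents) win.removeEventListener(ev, onActivity);
    };
  }
}

// A top-level navigation is used rather than fetch(): /.auth/logout answers
// with a redirect chain (to the identity provider for Entra/Google, then to
// post_logout_redirect_uri) that has to run in the browser's own window. To
// clear the app's own cookies first, point this at an app-side logout endpoint
// instead of LOGOUT_PATH.
function startAutoLogout(win, { timeoutMs = 15 * 60 * 1000, now } = {}) {
  const monitor = new InactivityMonitor({
    timeoutMs,
    now,
    onTimeout: () => win.location.assign(buildLogoutUrl('/logged-out')),
  });
  monitor.attach(win);
  return monitor;
}

// Only start in a real browser; in Node this file just defines the helpers.
if (typeof window !== 'undefined') startAutoLogout(window);
```

The navigation target can be swapped for an application endpoint that clears the app's own cookies before redirecting on to /.auth/logout; the watchdog does not care what the logout URL does, only that it is reached exactly once after the idle budget is spent.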
  2. To make sure the user is logged out, you should force-clear the auth cookies.

    E.g.

    // your api endpoint to log out (Express route handler)
    const express = require('express');
    const app = express();
    
    app.get('/logout', (req, res) => {
      res.clearCookie('AppServiceAuthSession'); // Example cookie
      res.redirect('/.auth/logout?post_logout_redirect_uri=/logged-out');
    });
    