Logout from MicrosoftGraphAuthProvider not working

maggarwal · May 17, 2024, 6:36am

Hello, We have couple of web applications all using Servicestack as backend. We are in the process of implementing SSO and have created a separate service to handle the authentication process. The service supports application users, network domain users and Microsoft login as well. To support Microsoft login, we are using MicrosoftGraphAuthProvider and for domain and application users we use a custom auth provider. The authentication goes through successfully for both the Auth Providers. When we try to logout, it works fine for the Custom Auth Provider, but with MicrosoftGraphAuthProvider the session is still active even after logging out. As part of logout process, we

call the logout provider
clear the token cookies and also explicitly remove the session.
logout from Microsoft
Can you please let me know why I’m still able to access the authorized page even after logging out? Is there anything additional that needs to be done? Is there a sample logout implementation as part of SSO with MicrosoftGraphAuthProvider?

mythz · May 17, 2024, 6:46am

Which Authorized pages? What authentication are these pages protected by? Are the cookies you’ve cleared out not sent when accessing the Authorization page? Do they also still have access to ServiceStack APIs?

maggarwal · May 20, 2024, 10:41pm

The authentication is handled by a separate authentication service that uses MicrosoftGraphAuthProvider. One of the client which is a Web application has pages that are accessible only for authenticated users and uses cookie and OpenIDConnect authentication scheme. Below is my request flow -

For the initial request from the client, the login screen is returned by the authentication service and the user gets authenticated successfully through Microsoft login.
When I initiate logout from the client, the logout calls goes fine / no error shown.
After logout is complete, when I try to access a page for authenticated users on the client side, I see the Jwt access token created on step 1 is being used and the Authentication service verifies the token and returns it as “valid”.
Is there anything I need to do explicitly at the client side to ensure the Jwt access token is removed? Right now, I issue the logout call to the authentication service.

Note - I’m new to this and still trying to learn how things work.

mythz · May 21, 2024, 1:15am

What’s the name of the Cookie?

maggarwal · May 21, 2024, 1:39am

I have kept it as “PrismCookie” at the client configuration.

mythz · May 21, 2024, 2:06am

Then that’s a custom cookie you would need to delete. You should be able to delete custom cookies from the OnLogout Session or Auth Event, e.g:

public class CustomUserSession : AuthUserSession 
{
    //...
    public override void OnLogout(IServiceBase authService)
    {
        authService.Request.Response.DeleteCookie("PrismCookie");
    }
}

maggarwal · May 28, 2024, 9:04pm

Hi,
The behavior is same even after adding the above code.

mythz · May 29, 2024, 2:16am

Is that code getting executed? What’s the HTTP Response after running that code? Is the PrismCookie still sent?

maggarwal · June 11, 2024, 2:44pm

Yes, the code is getting executed and the response status is ‘OK’. The cookies are empty, but the Header seem to have the Bearer token set even after the logout call.
Is there a way to override the CreateJwtBearerToken method to have our own implementation?

mythz · June 11, 2024, 5:09pm

Which HTTP header? if the HTTP Header has the JWT in the Authorization Bearer Header than it’s up to the client to stop sending it. Only cookies can be controlled and deleted by the server.