Hello, we have a couple of web applications, all using ServiceStack as the backend. We are in the process of implementing SSO and have created a separate service to handle the authentication process. The service supports application users, network domain users and Microsoft login as well. To support Microsoft login, we are using MicrosoftGraphAuthProvider, and for domain and application users we use a custom auth provider. The authentication goes through successfully for both auth providers. When we try to log out, it works fine for the custom auth provider, but with MicrosoftGraphAuthProvider the session is still active even after logging out. As part of the logout process, we:
call the logout provider
clear the token cookies and also explicitly remove the session
log out from Microsoft
Can you please let me know why I’m still able to access the authorized page even after logging out? Is there anything additional that needs to be done? Is there a sample logout implementation as part of SSO with MicrosoftGraphAuthProvider?
Which Authorized pages? What authentication are these pages protected by? Are the cookies you’ve cleared out not sent when accessing the Authorization page? Do they also still have access to ServiceStack APIs?
The authentication is handled by a separate authentication service that uses MicrosoftGraphAuthProvider. One of the clients, which is a web application, has pages that are accessible only to authenticated users and uses the cookie and OpenIDConnect authentication schemes. Below is my request flow -
For the initial request from the client, the login screen is returned by the authentication service and the user gets authenticated successfully through Microsoft login.
When I initiate logout from the client, the logout call goes fine / no error shown.
After logout is complete, when I try to access a page for authenticated users on the client side, I see the JWT access token created in step 1 is being used and the authentication service verifies the token and returns it as “valid”.
Is there anything I need to do explicitly at the client side to ensure the JWT access token is removed? Right now, I issue the logout call to the authentication service.
Note - I’m new to this and still trying to learn how things work.
Yes, the code is getting executed and the response status is ‘OK’. The cookies are empty, but the header seems to have the Bearer token set even after the logout call.
Is there a way to override the CreateJwtBearerToken method to have our own implementation?
Which HTTP header? If the HTTP header has the JWT in the Authorization Bearer header, then it’s up to the client to stop sending it. Only cookies can be controlled and deleted by the server.
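The point made in the reply above, as an added example that is not code from this thread or from ServiceStack: a bearer-token client stays "logged in" until the client itself stops attaching the Authorization header, because a logout response can expire cookies but cannot remove a header the client chooses to send. The transport is injectable and the server side is a constructed stub so the example runs offline; the `/auth/logout` route, the `https://auth.example` base URL and the token value are assumptions. A real browser client would use an async `fetch()` where this example uses a synchronous transport.

```javascript
// Added example (not from the forum thread or from ServiceStack).
// Demonstrates why a header-held JWT must be dropped client-side on logout.

class ApiClient {
  // baseUrl: assumed auth-service URL; transport: function(url, init) -> { status }
  constructor(baseUrl, transport, { clearTokenOnLogout = true } = {}) {
    this.baseUrl = baseUrl;
    this.transport = transport;
    this.clearTokenOnLogout = clearTokenOnLogout;
    this.bearerToken = null; // JWT held client-side after login
  }

  // The Authorization header is attached only while a token is held.
  // A server response cannot delete this header; only cookies are under the
  // server's control (Set-Cookie with an expired date).
  headers() {
    const h = { Accept: 'application/json' };
    if (this.bearerToken) h.Authorization = `Bearer ${this.bearerToken}`;
    return h;
  }

  login(token) {
    this.bearerToken = token;
  }

  // Logout: call the auth service's logout route (assumed to be /auth/logout),
  // then drop the token even if the call fails. With clearTokenOnLogout=false
  // this reproduces the behaviour described in the thread: logout returns OK,
  // but the next request still carries the bearer token.
  logout() {
    try {
      return this.transport(`${this.baseUrl}/auth/logout`, {
        method: 'POST',
        headers: this.headers(),
      }).status;
    } finally {
      if (this.clearTokenOnLogout) this.bearerToken = null;
    }
  }

  get(path) {
    return this.transport(`${this.baseUrl}${path}`, {
      method: 'GET',
      headers: this.headers(),
    }).status;
  }
}

// Constructed stub of the server side: the logout route always succeeds and
// clears nothing the client holds; the protected route admits any request that
// carries a Bearer token and rejects the rest with 401. A real service would
// validate the token's signature and expiry rather than just its presence.
function stubTransport(url, init) {
  if (url.endsWith('/auth/logout')) return { status: 200 };
  const auth = (init.headers || {}).Authorization || '';
  return { status: auth.startsWith('Bearer ') ? 200 : 401 };
}

// Run both client variants against the stub and report the status of the
// protected page after logout.
function demo() {
  const token = 'constructed.jwt.token'; // placeholder, not a real JWT

  const leaky = new ApiClient('https://auth.example', stubTransport, { clearTokenOnLogout: false });
  leaky.login(token);
  const leakyBefore = leaky.get('/secure');
  leaky.logout();
  const leakyAfter = leaky.get('/secure'); // still 200: header keeps being sent

  const fixed = new ApiClient('https://auth.example', stubTransport);
  fixed.login(token);
  fixed.logout();
  const fixedAfter = fixed.get('/secure'); // 401: no Authorization header

  return { leakyBefore, leakyAfter, fixedAfter };
}
```

In a real web client the token is usually persisted somewhere (in-memory, sessionStorage or localStorage), so logout has to clear that store as well as the in-memory field; if the token is instead delivered as a cookie (ServiceStack's `ss-tok` cookie), the server can expire it on logout, which is the case the reply distinguishes.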