[api] remove /logout route (do not implement front channel logout) #3759
Relates to this Trello ticket and follows on from #3453.
After some investigation, I came to the conclusion that implementing front channel logout does not make sense in our context.
Before I realised that, and while trying to figure out how best to implement it, I realised that the API's `/logout` route is never hit, so serves no purpose. Therefore I have removed it in this PR.

Some context
As per the Open ID Connect spec, a front channel logout is intended to log a user out of any server on which they are authenticated by a provider (e.g. Microsoft), when they log out of said provider centrally (or via another service).
For example, if I log out of my Microsoft account on Microsoft.com, I'd expect to be simultaneously logged out of PlanX, assuming I'd logged in via Microsoft SSO.
However, a PlanX user being 'logged in' is currently achieved by the presence of a `jwt` cookie stored on the browser, and does not relate to any session or state stored on the API server or in the database (this client-side session data is cleared when the user clicks Logout - see here).

Therefore, there is no server to communicate a logout instruction to. The JWT on the user's browser cannot be revoked from without, will expire in due course (??), and cannot be renewed without signing in again.
I think this is a reasonable situation. If we wanted Microsoft to be able to log a user out, we'd have to keep session server-side, which would be a significant change.
Further resources