-
Notifications
You must be signed in to change notification settings - Fork 442
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Difficulties obtaining idToken needef for /logout endpoint #964
Comments
This seems to be config issue for |
@kaobg Does your code differ from our Identity Server 4 example? If so, can you tell me what options you are using or provide a code example? |
@carbonrobot
The 'idToken' parameter is mandatory, however I have no way of obtaining it at login because the authorize response type is set to 'code' only internally in the react-native-app-auth library. I think it should be 'code id_token'. So that leaves me with just using the revoke() method as in the sample you provided |
Keep in mind that if you pass some invalid value for idToken, IdentityServer will display a logout page in the custom tab on which you have to make an extra click to confirm the logout. And it will not follow the PostLogoutRedirectURL in this case. Which is something I would like to avoid obviously. |
@kaobg We don't set the scope internally, you can supply that with your configuration as follows. The scopes determine what the OIDC endpoint will return when you call
Keep in mind that Identity Server ID4 docs: https://identityserver4.readthedocs.io/en/latest/endpoints/endsession.html |
@carbonrobot sorry for the very late response. From the spec:
That's exactly the behavior I want to achieve, it's fine that we need to open a browser for the endsession but after the session has been successfully ended I want to make use of the post logout redirect uri (which I can't do without supplying an id_token, hence my original question). |
I had a similar issue using the authorize endpoint. Kept getting "net.openid.appauth.AuthorizationException: Invalid ID Token" error on physical device. I discovered that it was related to the device not having the correct date/time setting so the id token was seen as invalid. This had nothing to do with a bug / issue with the react-native-app-auth library!! |
Issue
Not sure if this is classified as a bug or I'm missing something, but in the documentation it is stated that we can only use the autorization code flow, which is fine.
But then for /logout endpoint it is stated that:
It requires an idToken, obtained after successfully authenticating with OpenID Connect, and a URL to redirect back after the logout has been performed.
However, I can't find any way that I can set the response_type to include the 'code id_token' for the /authorize endpoint. The default response_type gets set to 'code' and the server does not return the idToken, which I can then later use for the logout. Because of this I end up sending some invalid string for the idToken param in /logout, which creates problem for the post logout redirect and as a result I end up having to close the custom tab manually after the log out has been completed.
Please let me know if I'm missing anything with the supported logout flow.
Environment
IdentityServer 4
Android
react-native
Version:0.73.0
react-native-app-auth
Version:7.1.3
No
The text was updated successfully, but these errors were encountered: