Is there way to make auth server to forget tenant #9255


JanneHarju created

When a tenant has only one third-party auth provider set up and local login is not in use, the user is forwarded to the third-party login page automatically, as you know. If that user clicks logout, the user is redirected to the logged-out page in our application after being logged out. On that page I added a button which the user can click to return to the application. What if the user wants to change to another tenant? Like our user support. They use the impersonator so they can go to any tenant. Now if they go to any tenant which has local login disabled and Azure login is used, for example, they cannot change tenant anymore on the login page, because the auth server is remembering the tenant and redirecting to the Microsoft login page before the user can change tenant.

In the local environment with ng serve both applications are on the same domain, localhost. In that scenario it was enough to clear the __tenant cookie. But now it is not working in our Azure environment, where the application is at application-test.ab.app and the auth server is at auth.application-test.ab.app. When I'm in the application I see this cookie.

Currently I am trying this to forget tenant when user is logging out:

cookieService.delete('__tenant', '/');
sessionStateService.setTenant(undefined);

I use ngx-cookie-service to delete cookie. I also tried to set tenant to undefined.

I know that I cannot delete cookie from another domain. So do you have any solution to forget selected tenant. I only need to do this for tenants which are not using local login.


13 Answer(s)
  • EngincanV created
    Support Team .NET Developer

    Hi, first of all, thanks for the detailed explanation.

    I know that I cannot delete cookie from another domain. So do you have any solution to forget selected tenant. I only need to do this for tenants which are not using local login.

    You're correct: cross-domain cookies cannot be deleted by client-side code running on a different domain. Since the __tenant cookie is set on auth.application-test.ab.app, deleting it from application-test.ab.app has no effect.

    For the solution, these are what came to my mind:

    1. To fully clear the tenant cookie, you can redirect the user to the auth-server logout endpoint. After logout, redirect them to the login page and they can select a tenant again, or login as a host user (if they can).

    2. If the first option is not applicable to you, then you may customize your auth-server's login logic to check if the __tenant cookie is present and then implement a tenant selection page?

    The first approach is definitely easier than the second one. If it's applicable for you, I suggest going with the first option.

    Regards.
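
The cookie scoping behind this answer, as an added example that is not part of the original thread or of ABP's code. It models the RFC 6265 storage rules and assumes the auth server sets `__tenant` as a host-only cookie with `Path=/`; the tenant value and the `localhost:4200` origin are constructed, and the model ignores scheme and port.

```javascript
// Added illustration (not ABP code): cookie storage rules from RFC 6265.
// Assumption: the auth server sets __tenant as a host-only cookie with Path=/.
const hostOf = (origin) => new URL(origin).hostname; // cookies ignore scheme and port

function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Process a cookie write made by a page or response from `origin`.
  // `expired: true` models a delete (Expires in the past / Max-Age=0).
  write(origin, { name, value = '', domain, path = '/', expired = false }) {
    const host = hostOf(origin);
    const hostOnly = domain === undefined;
    const cookieDomain = hostOnly ? host : domain.toLowerCase();
    // A host may only name itself or one of its parent domains.
    if (!domainMatch(host, cookieDomain)) return 'rejected';
    // Identity is (name, domain, path): a delete must hit the same triple.
    const key = `${name}|${cookieDomain}|${path}`;
    if (expired) return this.cookies.delete(key) ? 'deleted' : 'no-op';
    this.cookies.set(key, { name, value, domain: cookieDomain, hostOnly });
    return 'stored';
  }

  // Cookies the browser would attach to a request for `origin`.
  sentTo(origin) {
    const host = hostOf(origin);
    return [...this.cookies.values()]
      .filter((c) => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
      .map((c) => `${c.name}=${c.value}`);
  }
}

// Constructed scenario: the auth server stores the tenant, then the SPA tries
// to delete it, first without a Domain attribute, then naming the auth host.
function scenario(appOrigin, authOrigin) {
  const jar = new CookieJar();
  jar.write(authOrigin, { name: '__tenant', value: 'tenant-a' });
  const attempts = [
    jar.write(appOrigin, { name: '__tenant', expired: true }),
    jar.write(appOrigin, { name: '__tenant', domain: hostOf(authOrigin), expired: true }),
  ];
  return { attempts, authStillSees: jar.sentTo(authOrigin) };
}

const azure = scenario('https://application-test.ab.app', 'https://auth.application-test.ab.app');
const local = scenario('http://localhost:4200', 'https://localhost:44369');
console.log(azure, local);
```

On the Azure hostnames both delete attempts leave the auth server's cookie in place, while on localhost the first attempt removes it because both applications share one cookie host.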

  • JanneHarju created

    Thanks for your suggestion. So in option 1 do I need to configure a post-logout URL, which goes in the OpenIddictApplications table's PostLogoutRedirectUris column? And are you talking about this as the place where I need to configure the redirect URI? https://github.com/abpframework/abp/blob/8.3.4/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Logout.cshtml.cs So instead of setting my application's logged-out path as the post-logout redirect URI, I set the auth server's /Account/Logout to the same redirect path?

  • EngincanV created
    Support Team .NET Developer

    Thanks for your suggestion. So in option 1 do I need to configure a post-logout URL, which goes in the OpenIddictApplications table's PostLogoutRedirectUris column? And are you talking about this as the place where I need to configure the redirect URI? https://github.com/abpframework/abp/blob/8.3.4/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Logout.cshtml.cs So instead of setting my application's logged-out path as the post-logout redirect URI, I set the auth server's /Account/Logout to the same redirect path?

    Yes, you're right. In option 1, you should redirect the user to the auth server's /Account/Logout endpoint with a returnUrl parameter that points back to your app.

    This ensures the logout happens on the correct domain where the __tenant cookie is set, and then brings the user back to your application.

    The return URL (https://application-test.ab.app/logged-out in this case) must be registered in the PostLogoutRedirectUris column of your OpenIddictApplications table — otherwise, the redirect won’t be accepted.

  • JanneHarju created

    The return URL (https://application-test.ab.app/logged-out in this case) must be registered in the PostLogoutRedirectUris column of your OpenIddictApplications table — otherwise, the redirect won’t be accepted.

    Here in your example the URL is the application URL. Did you mean the auth-server URL? And is the correct URL on the auth server Account/logout? Or do you mean that I first redirect with the post-logout URL and also add some other returnUrl, so that after the user is directed to Account/Logout the user is also redirected to the logged-out URL in my application? I'm a little bit confused about how this should be configured. And what makes the auth server forget __tenant?

    My logout button is using import { AuthService } from '@abp/ng.core'; authService.logout().subscribe();

  • EngincanV created
    Support Team .NET Developer

    Here in your example the URL is the application URL. Did you mean the auth-server URL? And is the correct URL on the auth server Account/logout?

    Actually, I just tried to indicate that if you have a post-logout URL, then it should be registered to the related table. But, you can forget the related sentence, which causes confusion.

    And what makes auth server to forget __tenant.

    I'm not an Angular developer, but your app's logout, using authService.logout(), should redirect the user to your auth server's logout endpoint. When they completely log out, then the __tenant cookie should be deleted. So, you can pass to the logout page a returnUrl to your login page, and then they can see your login page, and either select a tenant or directly log in as a host user.

  • JanneHarju created

    I'll return to this later.

  • JanneHarju created

    But the problem is that the auth server is remembering the tenant via that __tenant cookie (I assume). And when I log out, the auth server login page automatically fills the tenant into Selected organization.

    Currently I have created a logged-out page in my frontend which is not protected by the auth guard, so it will not trigger the authentication process. On that page I have a button which redirects the user to my application root (/logged-out/ ---> /). So when the user clicks that button, the authentication process starts and the user is redirected to the auth server's login page. When the user, or apparently the page itself (from the cookie), selects an organization which has only one external provider configured, it redirects the user immediately to that provider's page and the login page is not even shown to the user. So how can I make sure that the auth server won't remember the tenant?

    Here are those auth server configurations from the frontend. What do I need to configure, and where, to achieve what you suggest ("pass to the logout page a returnUrl to your login page")?

    Here are my current localhost settings.

    Do I need to add something when I call that logout function? That logout function can take some queryparameters.

  • JanneHarju created

    I tried to set https://localhost:44369/Account/Login to post_logout_redirect_url and result is that login page still remembers tenant and when user is trying to logout user ends up as logged in again but not back to application. User ends to auth server main page as logged in like this.

  • maliming created
    Support Team Fullstack Developer

    hi

    Can you share all HTTP requests made during logout from Angular?

    Use the browser to record the HTTP requests and export them as a HAR file.

    liming.ma@volosoft.com

  • JanneHarju created

    I sent har file to mail.

  • maliming created
    Support Team Fullstack Developer

    hi

    You can override this controller in AuthServer project to clear the __tenant cookie.

    https://github.com/abpframework/abp/blob/rel-8.3/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/LogoutController.cs#L8-L25

  • JanneHarju created

    I'm not sure anymore whether removing the cookie is the best solution. By disabling automatic third-party login the user only needs to click one more button, but when clearing the cookie users always need to type their tenant. Is there a possibility in that controller to check

    IsSelfRegistrationEnabled = await SettingProvider.IsTrueAsync(AccountSettingNames.IsSelfRegistrationEnabled);
    

    and this kind of things

    public bool IsExternalLoginOnly => EnableLocalLogin == false && ExternalProviders?.Count() == 1;
    

    Without these checks I just need to remove the cookie for every tenant and user, and that is bad.

  • maliming created
    Support Team Fullstack Developer

    hi

    You can add a query string (__tenant) to pass the tenant.

    https://abp.io/support?__tenant=acme

Made with ❤️ on ABP v10.0.0-preview. Updated on September 01, 2025, 08:37