
Is there a way to make the auth server forget the tenant #9255


JanneHarju created

When a tenant has only one third-party auth provider set up and local login is not in use, the user is forwarded to the third-party login page automatically, as you know. If that user clicks logout, the user is redirected to the logged-out page in our application after being logged out. On that page I added a button which the user can click to return to the application. What if the user wants to change to another tenant, like our user support? They use the impersonator so they can go to any tenant. Now if they go to any tenant which has local login disabled and uses Azure login, for example, they cannot change tenant anymore on the login page, because the auth server remembers the tenant and redirects to the Microsoft login page before the user can change tenant.

In the local environment with ng serve both applications are in the same domain, localhost. In that scenario it was enough to clear the __tenant cookie. But now it is not working in our Azure environment, where the application is at application-test.ab.app and the auth server is at auth.application-test.ab.app. When I'm in the application I see this cookie.

Currently I am trying this to forget tenant when user is logging out:

cookieService.delete('__tenant', '/');
sessionStateService.setTenant(undefined);

I use ngx-cookie-service to delete the cookie. I also tried to set the tenant to undefined.

I know that I cannot delete a cookie from another domain. So do you have any solution to forget the selected tenant? I only need to do this for tenants which are not using local login.


5 Answer(s)
  • EngincanV created
    Support Team .NET Developer

    Hi, first of all, thanks for the detailed explanation.

    I know that I cannot delete a cookie from another domain. So do you have any solution to forget the selected tenant? I only need to do this for tenants which are not using local login.

    You're correct: cross-domain cookies cannot be deleted by client-side code running on a different domain. Since the __tenant cookie is set on auth.application-test.ab.app, deleting it from application-test.ab.app has no effect.

    For the solution, these are what came to my mind:

    1. To fully clear the tenant cookie, you can redirect the user to the auth-server logout endpoint. After logout, redirect them to the login page and they can select a tenant again, or login as a host user (if they can).

    2. If the first option is not applicable to you, then you may customize your auth-server's login logic to check if the __tenant cookie is present and then implement a tenant selection page?

    The first approach is definitely easier than the second one; if it's applicable for you, I suggest going with the first option.

    Regards.
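
The cookie scoping rule behind this answer, as an added example that is not part of the original thread or of ABP's code: a simplified RFC 6265 model in which the delete issued from the SPA leaves the auth server's `__tenant` cookie in place. The jar contents, the host-only assumption and the helper names are constructed for illustration.

```javascript
// Added example: simplified RFC 6265 cookie scoping (public-suffix and IP checks omitted).
// Host names are from the thread; jar contents and helper names are constructed.

// RFC 6265 section 5.1.3 domain-match.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Domain the browser stores for a cookie written by pageHost, or null when the
// Domain attribute does not domain-match the page and the write is rejected.
function resolveScope(pageHost, domainAttr) {
  if (!domainAttr) return { domain: pageHost.toLowerCase(), hostOnly: true };
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  return domainMatch(pageHost, domain) ? { domain, hostOnly: false } : null;
}

// A delete is a write with an expired date: it replaces (and so removes) only the
// stored cookie with the same name, domain and path as the write.
function deleteCookie(jar, pageHost, name, path, domainAttr) {
  const scope = resolveScope(pageHost, domainAttr);
  if (!scope) return jar.slice(); // rejected, jar unchanged
  return jar.filter(c =>
    !(c.name === name && c.path === path && c.domain === scope.domain));
}

// Cookies the browser attaches to a request for requestHost.
function cookiesSentTo(jar, requestHost) {
  const host = requestHost.toLowerCase();
  return jar.filter(c => (c.hostOnly ? c.domain === host : domainMatch(host, c.domain)));
}

const APP = 'application-test.ab.app';
const AUTH = 'auth.application-test.ab.app';

// Constructed jar: a __tenant cookie on each host, both assumed host-only.
const jar = [
  { name: '__tenant', value: 'tenant-a', domain: APP, hostOnly: true, path: '/' },
  { name: '__tenant', value: 'tenant-a', domain: AUTH, hostOnly: true, path: '/' },
];

// cookieService.delete('__tenant', '/') run in the SPA: removes the APP copy only.
const afterSpaDelete = () => deleteCookie(jar, APP, '__tenant', '/');
// The SPA naming the auth host in Domain: rejected by the browser.
const afterSpaDeleteWithDomain = () => deleteCookie(jar, APP, '__tenant', '/', AUTH);
// The same delete issued by a response from the auth server itself.
const afterAuthDelete = () => deleteCookie(jar, AUTH, '__tenant', '/');
```

Only the last case stops `__tenant` from reaching the auth server, which is why the delete has to come from a response served by the auth host.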

  • JanneHarju created

    Thanks for your suggestion. So in option 1, do I need to configure the post-logout URL which goes into the OpenIddictApplications table's PostLogoutRedirectUris column? And are you talking about this, where I need to configure the redirect URI? https://github.com/abpframework/abp/blob/8.3.4/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Logout.cshtml.cs So instead of setting my application's logged-out path as the post-logout redirect URI, I set the auth server's /Account/Logout to the same redirect path?

  • EngincanV created
    Support Team .NET Developer

    Thanks for your suggestion. So in option 1, do I need to configure the post-logout URL which goes into the OpenIddictApplications table's PostLogoutRedirectUris column? And are you talking about this, where I need to configure the redirect URI? https://github.com/abpframework/abp/blob/8.3.4/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Logout.cshtml.cs So instead of setting my application's logged-out path as the post-logout redirect URI, I set the auth server's /Account/Logout to the same redirect path?

    Yes, you're right. In option 1, you should redirect the user to the auth server's /Account/Logout endpoint with a returnUrl parameter that points back to your app.

    This ensures the logout happens on the correct domain where the __tenant cookie is set, and then brings the user back to your application.

    The return URL (https://application-test.ab.app/logged-out in this case) must be registered in the PostLogoutRedirectUris column of your OpenIddictApplications table — otherwise, the redirect won’t be accepted.

  • JanneHarju created

    The return URL (https://application-test.ab.app/logged-out in this case) must be registered in the PostLogoutRedirectUris column of your OpenIddictApplications table — otherwise, the redirect won’t be accepted.

    Here in your example the URL is the application URL. Did you mean the auth-server URL? And is the correct URL on the auth server Account/Logout? Or did you mean that I first redirect with the post-logout URL and also add some other returnUrl, so that after the user is directed to Account/Logout the user is also redirected to the logged-out URL in my application? I'm a little bit confused about how this should be configured. And what makes the auth server forget __tenant?

    My logout button is using import { AuthService } from '@abp/ng.core'; authService.logout().subscribe();

  • EngincanV created
    Support Team .NET Developer

    Here in your example the URL is the application URL. Did you mean the auth-server URL? And is the correct URL on the auth server Account/Logout?

    Actually, I just tried to indicate that if you have a post-logout URL, then it should be registered to the related table. But, you can forget the related sentence, which causes confusion.

    And what makes the auth server forget __tenant?

    I'm not an Angular developer, but your app's logout, using authService.logout(), should redirect the user to your auth server's logout endpoint. When they completely log out, then the __tenant cookie should be deleted. So, you can pass to the logout page a returnUrl to your login page, and then they can see your login page, and either select a tenant or directly log in as a host user.

Made with ❤️ on ABP v9.3.0-preview. Updated on May 12, 2025, 05:22