Logout seems to not invalidate session in Azure Static Web Apps - logout

I created a static Web site using Azure Static Web Apps (under the Free plan for now -- not sure if that's relevant to the issue at hand.) I can access the Web site through an ***.azurestaticapps.net URL.
I then tried to test Azure Active Directory authentication per Microsoft's instruction from this page:
https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-authorization
My problem is that logging out does not seems to work as I would expect on a normal Web site. I could log out, but when I tried to login again (hoping to use a different Azure AD account,) the Microsoft login screen flashes by and I got logged right back in with the user that I just logged out from. Switching to a different tab doesn't help.
Steps to repro:
Navigate to /.auth/login/aad and login using a Microsoft Account. Say NO to 'Stay signed in?' prompt.
Navigate to /.auth/me to see the basic information on the logged in account to prove that I'm in the logged in state.
Navigate to /.auth/logout to logout. Immediately, navigate to /.auth/me again to confirm that my static Web App regards me as 'logged out.' I'd see this:
{"clientPrincipal": null}
Navigate to /.auth/login/aad again. Microsoft login page flashes by, and I am logged right back in with the previously logged out user.
Things that sort of worked
Any of the two actions below alone seems to make the browser forget my logged-in state:
Close the whole browser and relaunch it. I'd get asked to pick the previous user (and then enter the password) or choose a new user. This sort of works but reminds me of some Web sites 15-20 years ago that said 'For security reasons, please don't forget to close your entire browser after logging out from this one tab.'
Open a new tab in the same browser, and navigate to hotmail.com. That tab will enjoy my logged-in state from the Static Web Apps tab. I'd see my mails right away. Then I log out from the hotmail.com tab, switch back to ***.azurestaticapps.net tab and see that I am still logged into my Static Web App. Good! Then if I log out from my Static Web App and try to log back in, it has forgotten my logged-in state this time. In other words, logging out from the hotmail.com tab is somehow more powerful.
I also tested /.auth/login/google too and the same problem arises! So the issue seems to be on the Azure Static Web Apps side, not how idPs handle their logout process.
Am I missing anything obvious?

Related

Keycloak and SSO with SAML and Safari

we are using keycloak 3.4.2 to try to integrate SSO behavior (via SAML). I configured two clients in the same realm; if user logins to clientA and he opens a new tab in the same browser and logins to clientB he is successfully automatically logged in.
But we are trying to integrate the following behavior:
- from ipad user opens safari and goes to site A
- he logins to site A successfully
- from site A he clicks an "universal link" to open an app previously installed which is simply a webview to site B.
Current result is the user lands in the login page of the app.
Expected result is the user gets automatically logged in.
We are using iOS 11 for frontend. Both site A and site B have a backend side written in Java6.
Our idea was to reuse all cookies from site A to app with webview of site B by using an iOS widget "SFAuthenticationSession"; but once logged in the only cookie available is JSESSIONID which is not enough I think.
In my tests when I am using only a browser with different tabs, for each different tab I have a different JSESSIONID so I expect to have a different JSESSIONID when I am landing to site B.
Our approach has been taken from current source code:
https://github.com/dvdhpkns/SFAuthenticationSession-example
So what can we do to accomplish our task ?
What are we missing ? Do we need any other tokens/cookie ? How to retrieve them ? And when ?
I hope I clearly explained issue, sorry but authentication issues are not my strong point.

Google Actions Account Linking Flow

I've written an authorization flow for my action, to do account linking with the "Implicit flow". I have been testing it using the web simulator. When I try to run the action in the web simulator it tells me to link my account, and provides a URL:
"https://assistant.google.com/services/auth/handoffs/auth/start?provider=hello_dev&return_url=https://www.google.com/"
I run that URL and this is what happens:
My Java servlet receives the auth request from google. It contains what is documented, a GOOGLE_CLIENT_ID, a REDIRECT_URI, a STATE and "response_type=token"
I create an access-token from the Google ID that is logged in by using UserServiceFactory.getUserService().getCurrentUser().getUserId()
I craft a URL to the redirect-uri that contains my ACCESS_TOKEN, token_type=bearer, and state= the state string I originally received
I create a web page for the user that contains that link so they can click it and it executes the link and my account is linked.
That works great and the response is a blank page with a URL that says: "https://www.google.com/?result_code=SUCCESS&result_message=Accounts+now+linked."
However, I wanted a flow that allowed the user to ensure they are logged in, and logged into the Google Account they wanted to link
So, I also present a link that logs them out if they'd like. The link is created by using userService.createLogoutURL(thisUrl)
If they do that, I then present them a link to log in, created using userService.createLoginURL(thisUrl)
Once they have logged in, with a different Google ID, they are back on the original page which allows them to log out again or click the "link account" link.
The situation is, that if they click the "link account" link now, the EXACT same link that would have worked successfully before they logged out (except a different ACCESS_TOKEN value) and logged back in with a different account, the response is a blank page with a URL that says: "https://www.google.com/?result_code=FAILURE&result_message=Account+linking+failed"
Two things of note:
If they log out and log back in with the same account, then the "link account" URL works fine
If they are not logged in at all when beginning the process, and then log in and then use the "link account" link it works fine
So, the only time it fails is when they are logged in, log out, log in with a different account, and click to link accounts. That's when it fails.
The account doesn't matter, multiple different accounts work, as long as the browser is logged into the first account and doesn't change during the flow.
I honestly cannot imagine how this is happening.
This gets even worse if I do it in the Google Home app, as it then returns some "malformed request error" page and basically stops working, PERMANENTLY. Stopping/Starting the action didn't help. Stopping/Starting the Web service didn't help. Rebooting the Android device didn't help. Link Account from the Google Home app was permanently broken. The only way I was able to get it working again was to use the Account Link URL (gotten from the web simulator) in the Chrome Browser on my Android device, which seemed to "reset" everything.
At this time, we require that the Google user who initiates the account linking process, both via the simulator and Google Home application, be the same Google user that logs in via a Google Sign-in option, if it is offered as part of your auth flow. This is a hard requirement.
For this reason, we'd suggest not offering a Google logout option as part of your account linking process.

Facebook page tab prompting for login, but it shouldn't

When a user is not logged in and they navigate to a page tab made with our app, they get an obtrusive dialog asking them to log in:
This has nothing to do with http vs https, the app is not in sandbox mode, there is nothing in the tab asking for a login or user information, etc. I've gone through the app settings at least a half dozen times now, and nothing is wrong there. Aside of urls, the settings are identical to another app I have that does not suffer from this problem. I'm stumped!
Edit: here is an affected tab: https://www.facebook.com/StaticHtmlThunderpenny/app_203351739677351
This message is not about login to your app, but Facebook in general.
So my guess would be that the page your app is installed as page tab app on is restricted in some way – by age, location, or for having alcohol-related content. And then of course Facebook asks for login, because otherwise they can not determine whether or not the (as of now still “anonymous”) user qualifies to see the page.
So go check the page settings.
This is actually not app related question.
This is thumb rule!! To access any app on Facebook, you need to log in to Facebook. You can see Facebook page without log in. But for facebook apps, you should be authentic user.
with this issue in my own experience that I came across some years back with a facebook app that I was running, if this doesn't relate to any of your other social networking apps then am aligning two set of possibilities and solution.
The user might have not properly logged out as "written" in the app for the users logout stage.
Solution would be that the user logout as expected before closing the app.
The user might have set up an automatic login prompt which was removed by the app when it was been updated automatically. (If you do get me???)
Solution would be to monitise your app on updates and login informations or better still just login and logout ask intended by the app and for security reasons.
Lastly I would say that automatic bookmark database should be added to the server part so current pages as the user uses the app would be saved after logout or login stage. Thank you, hope this helps and if not let me know what am missing.

IWebBrowser2 facebook login

I'm working on a windows based application in C++ that requires facebook login. I'm using using Ole Embedding/ActiveX control with the CLSID_WebBrowser component (IWebBrowser2) to do the authentication.
This works pretty well in so far as I create a window, embed the activeX web browser control, and then I direct it to the facebook login with an 'authorization url', such as...
https://graph.facebook.com/oauth/authorize?client_id=xxxx&redirect_uri=https://www.facebook.com/connect/login_success.html&scope=basic_info
xxx is set to our app id.
This works, and you can login. The problem is if I quit and restart the app, even if I've selected 'keep me logged in' in the web page, I will generally have to retype in my password.
I say generally, because if I don't use the facebook auth url above, and say go to www.facebook.com, within my active x control and log in - it will remember that I'm logged in, and I don't have to type in password if I shutdown and restart the app.
As another side detail all of this is separate from the behavior of just running IE. If I run IE and login - it has no effect on the login inside of the app. And it's not something that is unique to my implementation of ActiveX control embedding. If I run the JUCE library demo - which has a web browser active X component, it has the same behavior as with mine. That is...
1) I can login via https://graph.facebook.com/oauth/authorize - but if I restart the demo, it won't remember my previous login
2) If I login via www.facebook.com then it does remember I've logged in
+ Actually a login like this in JUCE will allow me to login without a password from my app
3) Login from IE has no effect
It's tedious to have to login every time, and seems like incorrect behavior to have to do it if you select 'remain logged in'. It does not appear that it's a problem with the ActiveX control saving session state - as session state is maintained when I use the www.facebook.com login. It may be worth saying - I can't use www.facebook.com login, because it doesn't return the information that the app requires to work, that's what the authorize style url is all about.
The implication seems to be that facebook is doing something different in these scenarios - it's not storing the login information if you use the authorization url.
So my question is how to fix the problem - such that 'remain logged in' will remain logged for an application authentication through the authorization url?
I guess as a work around, you could store the authorization token in the app, and try and see it that token is valid at startup perhaps. I'm not sure that's the 'right' way to do it.
Also note - my original implementation used Ole Automation (effectively my app controlled a separate IE process), and it had none of these problems. BUT unfortunately with IE 11, Ole Automation seems to have been broken.
Thank you for your time and wisdom.
I didn't find away to honor 'keep me logged in' within facebook. Instead, if a user logs in I store the authorization token encrypted in a file. If they restart the application, it will attempt to login using the stored auth token. If it fails, a standard login sequence is pursed. This is equivalent to acting as if 'keep me logged in' is always set, which isn't right, but is better from a usability point of view than the opposite.
It may potentially be possible to lookup the 'keep me logged in' element from the DOM of the webpage, and see what it is set to. This seems kinda fragile.
I remain open to suggestions on, how to 'do this properly'.

Facebook logout when not authorized

I'm building a public installation using an iPad, built as an iOS web app (using the "Add to Home Screen" functionality) which is going to allow users to share content on Facebook.
I'm currently logging the user in to Facebook and getting them to authorize my Facebook app when they click my custom share button. On a successful login, I open Facebook's Feed dialog and allow them to share. Once they have shared (or clicked cancel) I automatically log them out, making sure that the next user that uses the public installation won't be able to share to the previous user's Facebook account.
This all works well, but things get tricky if someone was to hit my custom share button, log in to Facebook and then not allow my app. This would mean that they have logged in, but as they haven't authorized the app, I don't have an access token, and so can't log them out (FB.logout() requires an access token).
Is there a way around this?
Or is there another way that I can log a user out?
Or is there a safe way to allow a user of a public installation (built in HTML) to share on Facebook and be automatically logged out afterwards? Would building a native obj-c app, and using Facebook's iOS SDK help?
The best I can think of is that if the user logs in but doesn't allow the application, they are told that they need to log out, and redirected to Facebook to be able to do this. However this offers them the chance to browse Facebook and (through shared links in their feed) the whole Internet - this isn't acceptable for our installation.
I solved this problem by creating a native iOS app, where the Facebook share link opened in it's own UIWebView. And once the sharing was complete, I deleted all session & cookie information, effectively logging the user out.