Delete Github OAuth access token when user logged out of GitHub - github

I'm building a website which uses GitHub OAuth to authorise users. I'm successfully authorising users and able to get an access_token from GitHub to talk to their API. When a user logs out of my app I invalidate the session and delete the authorisation, but when the user stays active in my app and logs out of GitHub, the access_token is still active.
I'm looking for a way to log out / re-authorise users when they have logged out of GitHub.

Related

Revoke GitHub OAuth token

I made user authorization via GitHub OAuth. So now I'm trying to make a log-out function. According to GitHub I can do it by revoking the access token (https://docs.github.com/en/rest/reference/apps#delete-an-app-authorization). But this endpoint throws 404 all the time, and according to the API main page (https://api.github.com/) there is no such endpoint at all. I found similar questions but without solutions:
Remove/revoke GitHub OAuth 'access_token'
GitHub OAuth logout or revoke of token

Logout from Keycloak does not logout Active Directory User

We have integrated a Keycloak server with Azure Active Directory as the Identity Provider for SSO login.
Log-in is working fine. However, we are facing a problem with log-out. When the user logs out from the web application, our backend server-side code makes a REST call to the Keycloak server for the API below:
https://keycloaktest:8443/auth/realms/<realmName>/protocol/openid-connect/logout
For this REST call we get a 204 status code as the response.
However, when the user tries to log in to the application again from the browser, it does not ask them to enter credentials (Active Directory credentials).
In order to log out the user, we have to access the URL below
https://portal.azure.us/#home
and click log-out there.
https://portal.azure.us/Account/SignOut
Is there any way to achieve this in the backend, i.e. when the user clicks logout in the browser?
Just ran across this myself. The answer provided here, "Logout user via Keycloak REST API doesn't work", worked for me. Try adding client_id and refresh_token to your /logout request.
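As an added example (not code from the thread or from Keycloak itself), the following Python builds the back-channel logout POST with the client_id and refresh_token the answer recommends, and separately the browser-redirect form of the same endpoint. The host, realm, client and token values are constructed placeholders. The design point for this question: a server-side POST can end Keycloak's own session, but only a request made by the browser can clear the cookies Keycloak holds and carry the user on to the upstream identity provider's logout, so the Azure AD session the asker describes cannot be ended from the backend alone.

```python
"""Keycloak logout helpers (added example; constructed for this thread, not from
Keycloak's code base). Host, realm, client and token values are placeholders."""
import urllib.parse
import urllib.request

# Constructed placeholders for this example.
KEYCLOAK_BASE = "https://keycloaktest:8443/auth"
REALM = "demo-realm"


def build_logout_request(base_url, realm, client_id, refresh_token, client_secret=None):
    """Return (url, form_body) for Keycloak's back-channel logout endpoint.

    Per the thread's answer: a POST without client_id and refresh_token can
    return 204 yet leave the SSO session alive, because Keycloak has nothing
    that identifies which session to end. The refresh token identifies it.
    """
    url = f"{base_url}/realms/{urllib.parse.quote(realm, safe='')}/protocol/openid-connect/logout"
    form = {"client_id": client_id, "refresh_token": refresh_token}
    if client_secret is not None:
        # Confidential clients must also authenticate; a public client omits this.
        form["client_secret"] = client_secret
    return url, urllib.parse.urlencode(form).encode()


def send_logout(url, body, opener=urllib.request.urlopen):
    """POST the form to Keycloak; 204 means the session was ended. Network call."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(req, timeout=10) as resp:
        return resp.status


def build_end_session_url(base_url, realm, id_token, post_logout_redirect_uri):
    """RP-initiated (browser) logout: the same endpoint reached via GET.

    Send the user's browser here instead of calling it from the backend when
    the Keycloak cookies, and any upstream IdP logout Keycloak is configured
    to propagate, must be cleared as well.
    """
    query = urllib.parse.urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    })
    return (f"{base_url}/realms/{urllib.parse.quote(realm, safe='')}"
            f"/protocol/openid-connect/logout?{query}")


if __name__ == "__main__":
    url, body = build_logout_request(KEYCLOAK_BASE, REALM, "web-app", "REFRESH_TOKEN_PLACEHOLDER")
    print(url, body.decode())
    print(build_end_session_url(KEYCLOAK_BASE, REALM, "ID_TOKEN_PLACEHOLDER", "https://app.example/"))
```

Treat a 204 from the back-channel call as "Keycloak session ended", nothing more; whether the user is asked for Azure AD credentials again depends on the IdP session, which the browser-redirect path is the only way to reach.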

Github Apps: Authorize & Request on applications doesn't return code parameter

I've created a GitHub app with the option "Request user authorization (OAuth) during installation".
When a user requests that his admin install the app, the admin accepts and gets back to the app. I then get a URL like:
http://localhost:3000/auth/github/callback?code=a22757013d09ccc5f6ed&installation_id=18334019&setup_action=install&state=MYAPPSTATE
BUT when the user clicks Authorize & Request and gets back to the app I only get a URL like:
http://localhost:3000/auth/github/callback?setup_action=request&state=MYAPPSTATE
My question is, how do I get GitHub to give me the code parameter so I can know which user has requested to install the GitHub app?
Thank you 🙏
Apparently this has been fixed now: https://github.com/pre-commit-ci/issues/issues/70#issuecomment-899129055
Here is the response I got from GitHub support:
The code parameter is only returned for authorization during installation. There isn't a way to generate one for the user who has requested an admin to approve, authorise and install.
As an organization owner/admin, you should see on the GitHub App review install page the user who made this request during the application installation. You can also check the integration_installation_request.create logs in the organization to find the user who requested the installation.
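An added example (not code from the asker's app or from GitHub) of how a callback handler can cope with the two shapes of URL quoted in the question: it checks the state parameter against the value stored in the user's session before trusting anything else, then branches on setup_action, expecting code and installation_id only for install and nothing identifying the requester for request, exactly as GitHub support describes. The two URLs are the ones from the question; the expected state is a constructed value.

```python
"""Handle the GitHub App setup callback (added example; not from GitHub's docs
or the asker's application). The two sample URLs are the ones quoted above."""
import hmac
from urllib.parse import parse_qs, urlsplit


def parse_setup_callback(callback_url, expected_state):
    """Classify a hit on /auth/github/callback.

    Returns a dict with the setup_action and, for "install", the code and
    installation_id that can be exchanged for a user token. For "request"
    GitHub sends neither, so the handler must not try to learn who the
    requester was here; that information lives in the org's audit log.
    """
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    # Constant-time comparison against the state saved in the user's session;
    # a mismatch means the callback was not started by this user (CSRF or stale).
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: reject the callback")

    action = query.get("setup_action", [None])[0]
    code = query.get("code", [None])[0]
    installation_id = query.get("installation_id", [None])[0]

    if action == "install":
        if not code or not installation_id:
            raise ValueError("install callback missing code or installation_id")
        return {"setup_action": "install", "code": code, "installation_id": installation_id}
    if action == "request":
        # Normally both are None: GitHub issues no code for a pending request.
        return {"setup_action": "request", "code": code, "installation_id": installation_id}
    raise ValueError(f"unknown setup_action {action!r}")


# URLs quoted in the question above; MYAPPSTATE is the asker's placeholder state.
INSTALL_URL = ("http://localhost:3000/auth/github/callback?code=a22757013d09ccc5f6ed"
               "&installation_id=18334019&setup_action=install&state=MYAPPSTATE")
REQUEST_URL = "http://localhost:3000/auth/github/callback?setup_action=request&state=MYAPPSTATE"

if __name__ == "__main__":
    print(parse_setup_callback(INSTALL_URL, "MYAPPSTATE"))
    print(parse_setup_callback(REQUEST_URL, "MYAPPSTATE"))
```

The state check comes first on purpose: the code in an install callback is only worth exchanging if the round trip was started by the session that is now completing it.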

AD B2C integration in FreshWorks SSO with OIDC - Login error

I am integrating AD B2C as the identity provider for Freshworks by configuring SSO with OIDC in Freshworks.
Configuration done in Azure AD B2C:
1. Registered an application in the AD B2C tenant:
   a. Got the redirect URL from Freshworks SSO with OIDC and added it as the Redirect URI of the registered application
   b. Selected the ID tokens and Access tokens check boxes
   c. Enabled the public client
   d. Generated the client secret for the application
2. Added Microsoft as an external IdP in the AD B2C tenant. Only one external IdP is enabled; local accounts are not enabled.
3. Created a sign-up/sign-in user flow.
4. Tested the user flow: able to sign up and sign in using a Microsoft account (personal account). The JWT token is generated with the claims sub, email, name.
Configuration done in SSO with OIDC:
1. Got the Client ID and Client Secret of the application registered in the AD B2C tenant and added them in the SSO with OIDC configuration dialog
2. Navigated to the AD B2C sign-up/sign-in user flow's OIDC configuration URL, got the authorization_endpoint and token_endpoint, and added those two in the SSO with OIDC configuration dialog
3. Set the scopes to openid,email,profile
After doing all the above configuration, a new button is added to the Freshworks login page. I clicked that button; it navigates to the Microsoft login page, and after providing credentials and accepting the consent it shows a form with profile information.
On clicking the continue button an account is created in the AD and I am redirected to the Freshworks page. It shows the error below on the Freshworks login page.
The authorization code request is working: AD B2C posts the authorization code to the Freshworks redirect URL. I believe the issue is with the get-access-token endpoint URL. I have tried the get-access-token endpoint from Postman using the authorization code received from the first request, and it gives the access token.
The Postman screenshot you mention shows the ID token, whereas your Freshworks application expects an access token. Could you please validate the user flow with the access token settings and also use Postman to get the access token? Please follow the document below for further requests.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
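The answer turns on which token the token endpoint actually returned. The following added example (not Freshworks' or Microsoft's code) is a diagnostic that reads a token-endpoint response, reports whether an access_token and an id_token are present, and decodes the id_token's claims to compare its aud with the application's client_id. The decoding is deliberately unverified: it is for looking at what came back, not for accepting the token, which requires signature validation against the issuer's published keys. The two sample responses and the client_id are constructed, with placeholder signatures.

```python
"""Inspect an OIDC token response (added example; not Freshworks' or Microsoft's
code). Decoding here is for diagnosis only: it does NOT verify signatures."""
import base64
import json


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token):
    """Return (header, claims) of a compact JWT without checking the signature."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def inspect_token_response(body, expected_client_id):
    """Report which tokens the token endpoint returned and flag obvious mismatches."""
    data = json.loads(body)
    report = {
        "has_access_token": "access_token" in data,
        "has_id_token": "id_token" in data,
        "problems": [],
    }
    if not report["has_access_token"]:
        report["problems"].append(
            "no access_token: Freshworks expects one; check the scopes sent to the "
            "token endpoint and the user flow's access-token settings")
    if report["has_id_token"]:
        _, claims = decode_jwt_unverified(data["id_token"])
        report["id_token_aud"] = claims.get("aud")
        if claims.get("aud") != expected_client_id:
            report["problems"].append("id_token aud is not this application's client_id")
    return report


def make_placeholder_jwt(claims):
    """Constructed test token: real header and claims, fake signature segment."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.PLACEHOLDER_SIGNATURE"


# Constructed sample responses mirroring the situation in the question.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder client_id
ID_TOKEN_ONLY = json.dumps({
    "id_token": make_placeholder_jwt({"aud": CLIENT_ID, "sub": "abc", "email": "u@example.com"}),
    "token_type": "Bearer", "expires_in": 3600})
WITH_ACCESS_TOKEN = json.dumps({
    "access_token": make_placeholder_jwt({"aud": CLIENT_ID, "scp": "read"}),
    "id_token": make_placeholder_jwt({"aud": CLIENT_ID, "sub": "abc"}),
    "token_type": "Bearer", "expires_in": 3600})

if __name__ == "__main__":
    print(inspect_token_response(ID_TOKEN_ONLY, CLIENT_ID))
    print(inspect_token_response(WITH_ACCESS_TOKEN, CLIENT_ID))
```

Run it against the raw body Postman shows: a report with has_access_token false is the situation the answer describes, and the fix belongs in the token request and user-flow settings, not in the redirect URL that already works.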

Azure AD B2C reuses previous user's token after logout when user changes

We have an application that uses MSAL.js to authenticate customers to their Azure Active Directories via Active Directory B2C. In the future we will introduce other IdPs into the mix and connect them to B2C as well. B2C is configured via custom policies. SSO session scope is currently set to Tenant.
The issue is that when a user logs out of the application (and we call MSAL.js logout) I can see their ID and access tokens are gone from the browser's Local Storage, but they are still logged in to their Azure AD because other apps use it. So the next time they log in to the app, B2C will not prompt them for credentials and automatically signs them in as long as they have an active AAD session. I understand this is by design for B2C to support SSO, and we want SSO. However, is there a way for a new user with different credentials to log in fresh after the previous user logs out in the same browser session?
Set the prompt param to login, e.g.:
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?prompt=login
Or using MSAL.js:
var request = {
  prompt: 'login',
};
userAgentApplication.loginRedirect(request);
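An added example (not MSAL or Microsoft code) of the same idea on the server side, in Python: it builds the B2C authorization URL with prompt=login alongside a fresh state and nonce, and then shows the check the application should make afterwards. prompt=login is a request to the identity provider, not a guarantee, so once the code has been exchanged and the id_token's signature verified, the application can confirm from the id_token's auth_time claim that credentials were entered after this login began, and from its nonce that the token belongs to this round trip. Tenant, policy, client_id and redirect URI are placeholders.

```python
"""Force a fresh sign-in at Azure AD B2C and verify it happened (added example;
not MSAL or Microsoft code). Tenant, policy and client values are placeholders."""
import secrets
from urllib.parse import urlencode


def build_b2c_authorize_url(tenant, policy, client_id, redirect_uri, scopes,
                            state, nonce, force_login=False):
    """Authorization request URL. prompt=login asks B2C to collect credentials
    again instead of silently reusing the Azure AD SSO session."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,   # bound to the session; checked on the callback
        "nonce": nonce,   # echoed in the id_token; checked after the exchange
    }
    if force_login:
        params["prompt"] = "login"
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}"
            f"/oauth2/v2.0/authorize?{urlencode(params)}")


def login_was_fresh(id_token_claims, login_started_at, expected_nonce):
    """Given the claims of an already signature-verified id_token, return True
    only if the token carries this login's nonce and its auth_time (epoch
    seconds, when credentials were last entered) is not earlier than the
    moment this login was started."""
    if id_token_claims.get("nonce") != expected_nonce:
        return False
    auth_time = id_token_claims.get("auth_time")
    return isinstance(auth_time, (int, float)) and auth_time >= login_started_at


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_b2c_authorize_url("contoso", "B2C_1A_signup_signin", "CLIENT_ID_PLACEHOLDER",
                                  "https://app.example/callback", ["openid", "offline_access"],
                                  state, nonce, force_login=True))
```

Store login_started_at together with state and nonce when the redirect is issued; if login_was_fresh returns False, the previous user's SSO session was reused and the application should treat the sign-in as not satisfying the "fresh credentials" requirement.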