I need to work on a requirement where if a user has logged into my application from a browser (IE8/9 or Firefox) and he opens a new tab of the same browser and logs in again, then my application should log out the user from previous tab.
Related
I created a static Web site using Azure Static Web Apps (under the Free plan for now -- not sure if that's relevant to the issue at hand.) I can access the Web site through an ***.azurestaticapps.net URL.
I then tried to test Azure Active Directory authentication per Microsoft's instruction from this page:
https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-authorization
My problem is that logging out does not seems to work as I would expect on a normal Web site. I could log out, but when I tried to login again (hoping to use a different Azure AD account,) the Microsoft login screen flashes by and I got logged right back in with the user that I just logged out from. Switching to a different tab doesn't help.
Steps to repro:
Navigate to /.auth/login/aad and login using a Microsoft Account. Say NO to 'Stay signed in?' prompt.
Navigate to /.auth/me to see the basic information on the logged in account to prove that I'm in the logged in state.
Navigate to /.auth/logout to logout. Immediately, navigate to /.auth/me again to confirm that my static Web App regards me as 'logged out.' I'd see this:
{"clientPrincipal": null}
Navigate to /.auth/login/aad again. Microsoft login page flashes by, and I am logged right back in with the previously logged out user.
Things that sort of worked
Any of the two actions below alone seems to make the browser forget my logged-in state:
Close the whole browser and relaunch it. I'd get asked to pick the previous user (and then enter the password) or choose a new user. This sort of works but reminds me of some Web sites 15-20 years ago that said 'For security reasons, please don't forget to close your entire browser after logging out from this one tab.'
Open a new tab in the same browser, and navigate to hotmail.com. That tab will enjoy my logged-in state from the Static Web Apps tab. I'd see my mails right away. Then I log out from the hotmail.com tab, switch back to ***.azurestaticapps.net tab and see that I am still logged into my Static Web App. Good! Then if I log out from my Static Web App and try to log back in, it has forgotten my logged-in state this time. In other words, logging out from the hotmail.com tab is somehow more powerful.
I also tested /.auth/login/google too and the same problem arises! So the issue seems to be on the Azure Static Web Apps side, not how idPs handle their logout process.
Am I missing anything obvious?
I am using google calendar API to add events to the calendar. But the Auth pop-up window is blocked by the browser for many times. Is there anyway I can open it as a separate browser tab rather than a pop-up.
Because this kills the UX experience for the users. I am having many complains from users.
we are using keycloak 3.4.2 to try to integrate SSO behavior (via SAML). I configured two clients in the same realm; if user logins to clientA and he opens a new tab in the same browser and logins to clientB he is successfully automatically logged in.
But we are trying to integrate the following behavior:
- from ipad user opens safari and goes to site A
- he logins to site A successfully
- from site A he clicks an "universal link" to open an app previously installed which is simply a webview to site B.
Current result is the user lands in the login page of the app.
Expected result is the user gets automatically logged in.
We are using iOS 11 for frontend. Both site A and site B have a backend side written in Java6.
Our idea was to reuse all cookies from site A to app with webview of site B by using an iOS widget "SFAuthenticationSession"; but once logged in the only cookie available is JSESSIONID which is not enough I think.
In my tests when I am using only a browser with different tabs, for each different tab I have a different JSESSIONID so I expect to have a different JSESSIONID when I am landing to site B.
Our approach has been taken from current source code:
https://github.com/dvdhpkns/SFAuthenticationSession-example
So what can we do to accomplish our task ?
What are we missing ? Do we need any other tokens/cookie ? How to retrieve them ? And when ?
I hope I clearly explained issue, sorry but authentication issues are not my strong point.
I was playing with inspect element the other day and what I did was I opened facebook in two tabs and logged out from the other tab. As soon as I returned back to the logged in tab, it showed me Login modal. How did it check instantly as no service request was made to allow them to check if the user has logged out.
Same happens with manual cookie clearance from Application tab in the developers console and also if you deactivate your account from app, the website open on your laptop shows to login. How does that happen so instantly? Is that a Websocket?
I am using webservice in my app. I have set one button login with facebook button, that drag user to safari browser and open facebook login page. Here I have not used Facebook API, all things are coming from PHP side,
now I need the user back to application which is in background when he successfully Logs in..
I have set my URL schemes as "myapp" and when user logs in successfully in PHP side I have set url to open is "myapp://" so I can get back to my app.
But here problem is when ever url "myapp://" gets called it automatically converted to "http://domainname.myapp://" so safari is not letting the user to go back to application and it stays on the bowser.
where I am getting wrong?