Hi guys, this time I bring you an authentication problem. I have this logout flow that works fine in web emulation.
logout flow:
Logs out a specific user from the application.
Assign the URL that comes from the DoLogout_DS.
For some reason, when I get redirected to the login page after logging out (it should show the form so I can populate username and password), the application always logs me back in.
I think it might be because of the web view that is opened to log in for the first time, since when I close the app and reopen it the session expires. How can I handle this?
Hi @João Espinheira,
I suspect your logout flow only logs the user out of OutSystems, but does NOT log them out of Azure AD.
So this is what happens:
Closing & reopening the app “fixes” it because the WebView session/cookies are destroyed, which confirms the above flow.
So basic rule is:
Logging out of OutSystems is not equal to logging out of Azure AD. You must explicitly log out of both.
Solution:
Step 1: Log out of OutSystems (keep this). This part is correct.
Step 2: Log out of Azure AD explicitly (this is the fix). After logging out of OutSystems, redirect the user to Azure AD’s logout endpoint:
https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/logout?post_logout_redirect_uri={ENCODED_RETURN_URL}&prompt=login
Hope this helps,
Cheers,
Saugat
It does. The problem stands with the WebView cookies. I don't know how to clear them. Everything I try seems not to work.
Ensure you are redirecting to the logout URL with prompt=login.
If the issue still persists, have a separate screen for Logout with a single link in the middle of the screen to "Go back to login", and provide the new logout screen name in the ENCODED_RETURN_URL: ?post_logout_redirect_uri={ENCODED_RETURN_URL}
I do that, but since my login is from authauth, when it gets there, the cached values from login still persist.
Hello @João Espinheira
You’re probably logging out only from the OutSystems session, not from the Azure session that lives in the webview.
In mobile, that means when you hit the login page again, Azure still has a valid session and performs SSO automatically, so it looks like logout didn’t work.
Check these points:
1. Call the IdP logout endpoint as part of logout, not only the OutSystems logout. In OutSystems, external-IdP logout should redirect the user to the provider logout flow as well.
2. Clear the webview/browser session if you are using an embedded webview, because the cookie jar may still be there after app logout.
3. Check persistent login settings in OutSystems mobile auth. In OutSystems, persistent login is enabled by default for mobile apps and its duration is configurable, so even after logout cycles this can affect what you see.
So to fix this you need OutSystems logout + Azure logout + clearing webview cookies. Just redirecting back to the login screen is normally not enough.
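To make the two answers above concrete (Saugat's end-session redirect and the "clear the webview cookie jar" point here), this is an added example written for this thread; it is not code from OutSystems, the Forge plugin or any poster. It builds the Azure AD logout URL with a properly encoded post_logout_redirect_uri (and the prompt=login hint suggested above), rejects return URLs outside an allowlist so the logout step cannot become an open redirect, and opens the URL in the Cordova InAppBrowser with its clearcache/clearsessioncache options, which is what actually drops the Azure session cookies inside the WebView. The tenant id, host names and screen path are constructed placeholders, and the browser object is injected so the logic can run outside a device.

```javascript
// Added example, not code from the thread, OutSystems or the Forge component.
// All hosts, ids and screen names are constructed placeholders.

const AZURE_LOGOUT_BASE = "https://login.microsoftonline.com";

// Hosts the app is allowed to return to after Azure logout (constructed).
// post_logout_redirect_uri must also be registered on the Azure app registration.
const ALLOWED_RETURN_HOSTS = ["myapp.example.com"];

// Cordova InAppBrowser options: clearcache/clearsessioncache empty the
// cookie jar before the page loads, removing the lingering Azure SSO session.
const LOGOUT_BROWSER_OPTIONS = "location=no,clearcache=yes,clearsessioncache=yes";

// Only https return URLs on known hosts are accepted; anything else is refused
// so the logout redirect cannot be abused to send the user to a foreign site.
function assertAllowedReturnUrl(returnUrl) {
  const parsed = new URL(returnUrl);
  if (parsed.protocol !== "https:") {
    throw new Error("post_logout_redirect_uri must use https");
  }
  if (!ALLOWED_RETURN_HOSTS.includes(parsed.hostname)) {
    throw new Error("post_logout_redirect_uri host is not allowlisted");
  }
  return parsed;
}

// Builds the end-session URL from the thread. URLSearchParams does the
// percent-encoding of the return URL, so it is never pasted in raw.
function buildAzureLogoutUrl(tenantId, returnUrl) {
  if (!/^[A-Za-z0-9.-]+$/.test(tenantId)) {
    throw new Error("tenant id must be a GUID or a verified domain name");
  }
  assertAllowedReturnUrl(returnUrl);
  const url = new URL(`${AZURE_LOGOUT_BASE}/${tenantId}/oauth2/v2.0/logout`);
  url.searchParams.set("post_logout_redirect_uri", returnUrl);
  url.searchParams.set("prompt", "login"); // hint suggested in the thread
  return url.toString();
}

// Opens the Azure logout page in the in-app browser. `browser` is injected:
// in the app pass window.cordova.InAppBrowser; in tests pass a fake.
function openAzureLogout(browser, tenantId, returnUrl) {
  const logoutUrl = buildAzureLogoutUrl(tenantId, returnUrl);
  const ref = browser.open(logoutUrl, "_blank", LOGOUT_BROWSER_OPTIONS);
  // Close the browser as soon as Azure lands on our own logout screen.
  ref.addEventListener("loadstart", (ev) => {
    if (ev.url && isExpectedReturn(ev.url, returnUrl)) {
      ref.close();
    }
  });
  return { logoutUrl, options: LOGOUT_BROWSER_OPTIONS };
}

// True only when the URL Azure redirected to is our logout screen
// (same origin and path), ignoring any query string it appends.
function isExpectedReturn(actualUrl, expectedReturnUrl) {
  const actual = new URL(actualUrl);
  const expected = new URL(expectedReturnUrl);
  return actual.origin === expected.origin && actual.pathname === expected.pathname;
}
```

In the app, the OutSystems logout action runs first, then openAzureLogout is called from a JavaScript node with the InAppBrowser object; the return screen should be a dedicated Logout screen with a single "Go back to login" link, as suggested above, rather than the login screen itself.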
How can I clear WebView cookies?
You can try using this Forge component: https://www.outsystems.com/forge/component-overview/1558/inappbrowser-plugin-o11
Hi @João Espinheira ,
Because you are using SSO, you only log out of OS; when you log in again, it redirects to SSO and passes the SSO login. So you must log out of SSO before you log out of OS.
For SSO logout, I remember we have a URL from the provider, as Saugat mentioned.