Redirect to provider /logout to clear http-only cookies

Author: dmitrizagidulin

README.md

@@ -93,3 +93,8 @@ After `login()` is successful, the following variables are set:
 
 ##### logout
 
+`logout()`
+
+Clears the current user and tokens, and does a url redirect to the current
+RP client's provider's 'end session' endpoint. A redirect is done (instead of an
+ajax 'get') to enable the provider to clear any http-only session cookies.

demo/index.html

@@ -10,7 +10,7 @@
   <link rel="stylesheet" href="./demo.css" />
   <!-- Relying Party lib, exports a global var: SolidAuth -->
   <!--<script src="./solid-client.min.js"></script>-->
-  <script src="https://solid.github.io/releases/solid.js/solid-client-0.24.0-oidc.min.js"></script>
+  <script src="https://solid.github.io/releases/solid.js/solid-client.min.js"></script>
 </head>
 <body>
 <div class="container">
@@ -59,15 +59,15 @@ <h5>App body</h5>
   // Trigger a currentUser() check on page load, in case user is logged in already
   document.addEventListener('DOMContentLoaded', function () {
     init()
-    SolidClient.currentUser()
+    SolidClient.auth.currentUser()
       .then(function (webId) {
         if (webId) { loginSuccess(webId) }
       })
   })
 
   // This is bound to the Login button
   function login () {
-    SolidClient.login()
+    SolidClient.auth.login()
       .then(function (webId) {
         loginSuccess(webId)
       })
@@ -97,15 +97,8 @@ <h5>App body</h5>
   }
 
   function logout () {
-    SolidClient.logout()
-      .then(function () {
-        console.log('logged out')
-        hide('logoutDiv')
-        setField('webId', SolidClient.auth.webId)
-      })
-      .catch(function (err) {
-        console.error('Error logging out: ', err)
-      })
+    console.log('Logging out...')
+    SolidClient.auth.logout()
   }
 
   function getRootAcl () {

package.json

@@ -56,7 +56,7 @@
   },
   "homepage": "https://github.com/solid/solid-auth-oidc",
   "dependencies": {
-    "oidc-rp": "git://github.com/anvilresearch/oidc-rp.git#rc-003"
+    "oidc-rp": "git://github.com/anvilresearch/oidc-rp.git#rc-004"
   },
   "devDependencies": {
     "babel-cli": "^6.18.0",
@@ -65,6 +65,7 @@
     "babel-preset-es2015": "^6.18.0",
     "chai": "^3.5.0",
     "chai-as-promised": "^6.0.0",
+    "dirty-chai": "^1.2.2",
     "localstorage-polyfill": "^1.0.1",
     "mocha": "^3.2.0",
     "nyc": "^10.2.0",

src/index.js

@@ -60,10 +60,14 @@ class ClientAuthOIDC {
 
   /**
    * Returns the current window's URI
-   * @return {string}
+   *
+   * @return {string|null}
    */
   currentLocation () {
     let window = this.window
+
+    if (!window || !window.location) { return null }
+
     return window.location.href
   }
 
@@ -85,10 +89,30 @@ class ClientAuthOIDC {
     }
   }
 
+  /**
+   * Returns the 'end session' api endpoint of the current RP client's provider
+   * (e.g. 'https://example.com/logout'), if one is available.
+   *
+   * @return {string|null}
+   */
+  providerEndSessionEndpoint () {
+    let rp = this.currentClient
+
+    if (!rp || !rp.provider || !rp.provider.configuration) { return null }
+
+    let config = rp.provider.configuration
+
+    if (!config.end_session_endpoint) { return null }
+
+    return config.end_session_endpoint
+  }
+
   /**
    * Extracts and returns the `state` query or hash fragment param from a uri
+   *
    * @param uri {string}
-   * @param uriType {string} 'hash' or QUERY
+   * @param uriType {string} 'hash' or 'query'
+   *
    * @return {string|null} Value of the `state` query or hash fragment param
    */
   extractState (uri, uriType = HASH) {
@@ -122,6 +146,7 @@ class ClientAuthOIDC {
 
   /**
    * @param providerUri {string}
+   *
    * @return {Promise<RelyingParty>}
    */
   loadOrRegisterClient (providerUri) {
@@ -210,12 +235,24 @@ class ClientAuthOIDC {
     this.idToken = null
   }
 
+  /**
+   * Clears the current user and tokens, and does a url redirect to the
+   * current RP client's provider's 'end session' endpoint.
+   * A redirect is done (instead of an ajax 'get') to enable the provider to
+   * clear any http-only session cookies.
+   */
   logout () {
     this.clearCurrentUser()
 
-    if (!this.currentClient) { return Promise.resolve(null) }
+    let logoutEndpoint = this.providerEndSessionEndpoint()
+
+    if (!logoutEndpoint) { return }
+
+    let logoutUrl = new URL(logoutEndpoint)
+
+    logoutUrl.searchParams.set('returnToUrl', this.currentLocation())
 
-    return this.currentClient.logout()
+    this.redirectTo(logoutUrl.toString())
   }
 
   /**
@@ -353,19 +390,26 @@ class ClientAuthOIDC {
 
   /**
    * Validates the auth response in the current uri, initializes the current
-   * user's ID Token and Access token, and returns the
+   * user's ID Token and Access token, and returns the user's WebID
+   *
    * @param client {RelyingParty}
+   *
    * @throws {Error}
-   * @returns {Promise<string>}
+   *
+   * @returns {Promise<string>} Current user's web id
    */
   initUserFromResponse (client) {
     return client.validateResponse(this.currentLocation(), this.localStorage)
       .then(response => {
         this.idToken = response.params.id_token
         this.accessToken = response.params.access_token
+
+        this.clearAuthResponseFromUrl()
+
         return this.extractAndValidateWebId(response.decoded)
       })
       .catch(error => {
+        this.clearAuthResponseFromUrl()
         if (error.message === 'Cannot resolve signing key for ID Token.') {
           console.log('ID Token found, but could not validate. Provider likely has changed their public keys. Please retry login.')
           return null
@@ -377,7 +421,9 @@ class ClientAuthOIDC {
 
   /**
    * @param idToken {IDToken}
+   *
    * @throws {Error}
+   *
    * @return {string}
    */
   extractAndValidateWebId (idToken) {
@@ -386,6 +432,35 @@ class ClientAuthOIDC {
     return webId
   }
 
+  /**
+   * Removes authentication response data (access token, id token etc) from
+   * the current url's hash fragment.
+   */
+  clearAuthResponseFromUrl () {
+    let clearedUrl = this.currentLocationNoHash()
+
+    this.replaceCurrentUrl(clearedUrl)
+  }
+
+  currentLocationNoHash () {
+    let currentLocation = this.currentLocation()
+    if (!currentLocation) { return null }
+
+    let currentUrl = new URL(this.currentLocation())
+    currentUrl.hash = ''  // remove the hash fragment
+    let clearedUrl = currentUrl.toString()
+
+    return clearedUrl
+  }
+
+  replaceCurrentUrl (newUrl) {
+    let history = this.window.history
+
+    if (!history) { return }
+
+    history.replaceState(history.state, history.title, newUrl)
+  }
+
   /**
    * @param providerUri {string}
    * @param [options={}]