fully sign out #5

Open
sabcio opened this issue Nov 9, 2011 · 2 comments
Comments

sabcio commented Nov 9, 2011

Do you maybe know how to sign out from oauth provider so I could sign in with another user? I tried resetting session but it doesn't work. It keeps signing me in with the same username and password.
One way is to go to the provider app and sign out, but I don't like that and would rather let my users sign out of the client app.

Contributor

panupan commented Nov 10, 2012

You can redirect the user directly to the provider's sign out URL.

https://github.com/panupan/sso-devise-omniauth-client/blob/master/app/controllers/sessions_controller.rb

```ruby
class SessionsController < Devise::SessionsController
  def new
    redirect_to user_omniauth_authorize_path(:josh_id)
  end

  def destroy
    sign_out current_user
    redirect_to OmniAuth::Strategies::JoshId::SIGN_OUT_URL
  end
end
```

There might be a better way that I'm not aware of. I also noticed if you log out the Provider first, the Clients don't get automatically signed out.

@gautamrege
Member

@panupan - I don't like the idea of the redirect as the provider is exposed
and the user experience is lost if we show another app url. Btw, thanks for
the earlier pull requests :)

Well, there were a couple of ideas I was playing around with - not totally
happy with either.

One was to send a json request on any client app sign_out (instead of a
redirect) to the provider app to destroy the user session. Any call to the
provider from a client app after that would automatically redirect to
sign_in. That however brings about the problem that other signed_in client
apps would not know if a user has been signed up until they contact the
provider. So, we need to have a heartbeat with the provider to know if the
user has been signed out i.e. forceful sign_out.

Another idea was to keep the access token as a short-lived token (not 2
weeks as is the default, but say 2 minutes or 30 seconds). Client apps keep
sending out refresh_token requests and they automatically serve as the
heartbeat. I have not implemented it yet - but it does have some potential
if you are ok with the network bandwidth being used for this.

On Sun, Nov 11, 2012 at 4:58 AM, panupan [email protected] wrote:

> You can redirect the user directly to the provider's sign out URL.
>
> https://github.com/panupan/sso-devise-omniauth-client/blob/master/app/controllers/sessions_controller.rb
>
> ```ruby
> class SessionsController < Devise::SessionsController
>   def new
>     redirect_to user_omniauth_authorize_path(:josh_id)
>   end
>
>   def destroy
>     sign_out current_user
>     redirect_to OmniAuth::Strategies::JoshId::SIGN_OUT_URL
>   end
> end
> ```
>
> There might be a better way to do it which I'm not aware of. Also, I
> noticed if you log out the Provider first, the Clients don't get
> automatically signed out, not sure what to do about that either.
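
The short-lived access token idea from the comment above, sketched as an added example that is not code from this thread or from the project: each client refreshes an expired token on its next request, and a failed refresh drops the local session. `Provider` and `ClientApp` are hypothetical in-memory stand-ins, and time is passed in as integer seconds so the run is deterministic.

```ruby
# Added illustration: in-memory stand-ins for the provider and a client app.
# Class and method names are hypothetical, not the project's API.
require 'securerandom'

class Provider
  ACCESS_TTL = 30 # seconds; the thread suggests 30 seconds to 2 minutes

  def initialize
    @refresh_tokens = {} # refresh_token => user
  end

  # Sign-in hands the client a refresh token and a short-lived access expiry.
  def sign_in(user, now)
    refresh = SecureRandom.hex(16)
    @refresh_tokens[refresh] = user
    { refresh_token: refresh, expires_at: now + ACCESS_TTL }
  end

  # Sign-out on the provider revokes every refresh token held for the user.
  def sign_out(user)
    @refresh_tokens.delete_if { |_, u| u == user }
  end

  # Returns a new expiry, or nil once the refresh token has been revoked.
  def refresh(refresh_token, now)
    @refresh_tokens.key?(refresh_token) ? now + ACCESS_TTL : nil
  end
end

class ClientApp
  def initialize(provider)
    @provider = provider
  end

  def sign_in(user, now)
    @session = @provider.sign_in(user, now).merge(user: user)
  end

  # Run on every request (a before_action in Rails): the refresh is the heartbeat.
  def current_user(now)
    return nil unless @session
    if now >= @session[:expires_at]
      expiry = @provider.refresh(@session[:refresh_token], now)
      return @session = nil unless expiry # fail closed: drop the local session
      @session[:expires_at] = expiry
    end
    @session[:user]
  end
end
```

After the provider revokes the refresh tokens, a client still treats the user as signed in until its current access token expires, so the TTL is the upper bound on how long a stale session survives.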

