How to Logout of Owin Providers?
Solution 1
As mentioned in the tutorial, the middleWare used use the default authentication type but don't override it.
By using only externalCookie as parameter for Owin you are clearing the cookie for Asp, but not the one used to store the Google provider,
to do so, you will have to get the array of all current cookies. It can be done the easy way like this:
Request.GetOwinContext()
.Authentication
.SignOut(HttpContext.GetOwinContext()
.Authentication.GetAuthenticationTypes()
.Select(o => o.AuthenticationType).ToArray());
This is where it is said on the Tutorial:
The call to UseGoogleAuthentication should be quite obvious why it’s needed.
But the first one toSetDefaultSignInAsAuthenticationType is not as obvious. login middleware normally relies on the external cookie middleware registered before the social login middleware. external cookie middleware, it sets itself as the default signin type. That’s how the social login middleware knows that it should use the external cookie. In this setup there is no external cookie, so we have to manually set the main cookie middleware as the default signin type. The cookie middleware will only issue a cookie if the AuthenticationType matches the one in the identity created by the social login middleware.Looking at the owin external authentication pipeline a socialIn the setup of the
Solution 2
Try setting the cache control headers.
public ActionResult SignOut() {
var authenticationTypes = new string[] {
DefaultAuthenticationTypes.ApplicationCookie,
DefaultAuthenticationTypes.ExternalCookie
};
AuthenticationManager.SignOut(authenticationTypes);
// HACK: Prevent user from being able to go back to a logged in page once logged out
Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
// now redirect
return RedirectToAction("Index", "Home");
}
private IAuthenticationManager AuthenticationManager {
get {
return Request.GetOwinContext().Authentication;
}
}
There is no stopping the user clicking the back button on the browser, unless you try JavaScript, which can be disabled. The user can go back a page and view what was on the previous page, but if they try to click any protected links or refresh the page, they will be redirected to log in.
Related videos on Youtube
chobo2
Updated on June 04, 2022Comments
-
chobo2 over 1 year
I am following this tutorial yet it does not tell you how to logout. I tried to do
Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie); Request.GetOwinContext().Authentication.SignOut() Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);
You can get the sample code here: https://github.com/AndersAbel/SocialLoginWithoutIdentity
Just need to add one more action
public ActionResult SignOut() { Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie); return RedirectToAction("Index", "Home"); }
This method plus any one of the 3 lines of I posted above
My result right now is, I login, I go to secure page and can see it, I then proceed to my signout and then after signout try to go back to the secure page and I am allowed back to that secure page.
So it actually did not really sign me out.
-
chobo2 over 7 yearsI have authorize tags on my stuff right now that is not the problem. The problem is I followed the tutorial and added a signout method(which has 2 lines of code in it, one of the 3 in my OP and redirect to home page). When I click signout and then go back to a secure page, I still can access that secured page even though I should be actually logged out. It never actually logs me out.
-
chobo2 over 7 yearsThis seems to work. I am a bit confused what does clearing only the cookie for ASP do then? What do you mean 100% by "default authentication type but don't override it". I thought External Cookie actually referred to cookies made by something like Google. Not to The Asp cookie.
-
GaelSa over 7 yearsSorry, english is not my native language so it may not mean what I want it to mean, but, it's explained in the link on this paragraphe:
-
GaelSa over 7 yearsarf Internet issue, well, I updated my answer to show where I got the solution in the Tutorial.
-
Heemanshu Bhalla over 2 yearsit didn't worked in my case. i placed it in login action