How to Logout of Owin Providers?

14,774

Solution 1

As mentioned in the tutorial, the middleware used uses the default authentication type but doesn't override it.

By using only ExternalCookie as the parameter for OWIN, you are clearing the cookie for ASP, but not the one used to store the Google provider. To do so, you will have to get the array of all current cookies. It can be done the easy way like this:

Request.GetOwinContext()
       .Authentication
       .SignOut(HttpContext.GetOwinContext()
                           .Authentication.GetAuthenticationTypes()
                           .Select(o => o.AuthenticationType).ToArray());

This is where it is said in the tutorial:

The call to UseGoogleAuthentication should be quite obvious why it’s needed.

But the first one to SetDefaultSignInAsAuthenticationType is not as obvious. Looking at the owin external authentication pipeline a social login middleware normally relies on the external cookie middleware registered before the social login middleware. In the setup of the external cookie middleware, it sets itself as the default signin type. That’s how the social login middleware knows that it should use the external cookie. In this setup there is no external cookie, so we have to manually set the main cookie middleware as the default signin type. The cookie middleware will only issue a cookie if the AuthenticationType matches the one in the identity created by the social login middleware.

Solution 2

Try setting the cache control headers.

public ActionResult SignOut() {
    var authenticationTypes = new string[] {
        DefaultAuthenticationTypes.ApplicationCookie,  
        DefaultAuthenticationTypes.ExternalCookie 
    };
    AuthenticationManager.SignOut(authenticationTypes);
    // HACK: Prevent user from being able to go back to a logged in page once logged out
    Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Response.Cache.SetNoStore();
    // now redirect
    return RedirectToAction("Index", "Home");    
}

private IAuthenticationManager AuthenticationManager {
    get {
        return Request.GetOwinContext().Authentication;
    }
}

There is no stopping the user clicking the back button on the browser, unless you try JavaScript, which can be disabled. The user can go back a page and view what was on the previous page, but if they try to click any protected links or refresh the page, they will be redirected to log in.
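The two solutions combined, as an added example that is not code from the tutorial or from either answer: it shows why a sign-out that names only ExternalCookie or ApplicationCookie leaves the session alive when the single cookie middleware was registered under a different AuthenticationType. The Startup wiring is an assumption modelled on the quoted tutorial paragraph; the "Cookies" type, the LoginPath and the controller name are hypothetical.

```csharp
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Assumed setup: there is no separate external cookie, so the main cookie
        // middleware is made the default sign-in type for the social login middleware.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            // This string ("Cookies") is what SignOut has to name. It is neither
            // DefaultAuthenticationTypes.ExternalCookie nor ApplicationCookie.
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            LoginPath = new PathString("/Home/Login") // hypothetical path
        });
        // The Google middleware is registered after this point with the app's own credentials.
    }
}

public class AccountController : Controller // hypothetical controller name
{
    public ActionResult SignOut()
    {
        var auth = HttpContext.GetOwinContext().Authentication;

        // Solution 1: revoke every authentication type registered in the pipeline,
        // so the cookie is cleared whatever name the middleware was given.
        var types = auth.GetAuthenticationTypes()
                        .Select(d => d.AuthenticationType)
                        .ToArray();
        auth.SignOut(types);

        // Solution 2: stop the browser from serving the protected page from its cache.
        Response.Cache.SetExpires(System.DateTime.UtcNow.AddMinutes(-1));
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        return RedirectToAction("Index", "Home");
    }
}
```

To confirm the sign-out took effect, check that the response to the SignOut request carries a Set-Cookie header expiring the authentication cookie, and that a fresh request to an [Authorize] action redirects to the login path.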

Author by

chobo2

Updated on June 04, 2022

Comments

  • chobo2
    chobo2 over 1 year

    I am following this tutorial yet it does not tell you how to logout. I tried to do

    Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);

    Request.GetOwinContext().Authentication.SignOut();

    Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);
    

    You can get the sample code here: https://github.com/AndersAbel/SocialLoginWithoutIdentity

    Just need to add one more action

    public ActionResult SignOut()
     {
           Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);
           return RedirectToAction("Index", "Home");
     }
    

    This method plus any one of the 3 lines I posted above.

    My result right now is, I login, I go to secure page and can see it, I then proceed to my signout and then after signout try to go back to the secure page and I am allowed back to that secure page.

    So it actually did not really sign me out.

  • chobo2
    chobo2 over 7 years
    I have authorize tags on my stuff right now; that is not the problem. The problem is I followed the tutorial and added a signout method (which has 2 lines of code in it, one of the 3 in my OP and a redirect to the home page). When I click signout and then go back to a secure page, I can still access that secured page even though I should actually be logged out. It never actually logs me out.
  • chobo2
    chobo2 over 7 years
    This seems to work. I am a bit confused what does clearing only the cookie for ASP do then? What do you mean 100% by "default authentication type but don't override it". I thought External Cookie actually referred to cookies made by something like Google. Not to The Asp cookie.
  • GaelSa
    GaelSa over 7 years
    Sorry, English is not my native language so it may not mean what I want it to mean, but it's explained in the link in this paragraph:
  • GaelSa
    GaelSa over 7 years
    arf Internet issue, well, I updated my answer to show where I got the solution in the Tutorial.
  • Heemanshu Bhalla
    Heemanshu Bhalla over 2 years
    It didn't work in my case. I placed it in the login action.