vuex-oidc: Silent sign-out does not invalidate session cookies
I am trying to get my webapp to silently sign-out without going through the IdP (Keycloak) by calling unsetOidcAuth.
This results in the app state being reset correctly, however it appears that the session cookies created by the IdP at login time are not being removed, causing an “auto-signin” event (no authentication page from the IdP is displayed) when accessing the application a second time.
The session cookies are not available in the context of the application, so I am unable to reset them programmatically after calling unsetOidcAuth, and performing a sign-out using signOutOidc triggers a redirect to the application landing page (as configured in the OIDC settings).
Is it possible to completely destroy the authentication session on the client, without going through the IdP?
If not, could signOutOidc accept a redirect_uri so that its behaviour could be customized depending on where the sign-out action is triggered from?
About this issue
- State: closed
- Created 4 years ago
- Comments: 16 (9 by maintainers)
@perarnborg yup, that seems to have done it. Dispatching signOutOidcSilent removes the user from storage and kills the active session so any request to resources that require authentication will now trigger a new login flow. Thanks!

Ok I have an idea of what can be missing in my implementation. I will provide a patch as soon as I can.
Silent signout at the provider is not yet supported. It has been suggested to add support (#57) but I am not sure when I will have the time to look at that.
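
The IdP session cookies discussed in this thread can only be cleared by the IdP itself, which in OpenID Connect is done by sending the browser to the provider's end-session endpoint (RP-Initiated Logout). The sketch below is an added example, not code from this issue or from vuex-oidc: it builds that request with a caller-chosen `post_logout_redirect_uri` restricted to an exact-match allowlist, and checks the return on the landing page. The function names, the allowlist and the `example.test` URLs are hypothetical.

```javascript
// Added illustration; function names and all sample values are hypothetical.
// Exact-match allowlist of places the IdP may send the browser after logout.
// These must also be registered with the IdP for this client.
const ALLOWED_POST_LOGOUT_URIS = new Set([
  'https://app.example.test/',
  'https://app.example.test/signed-out',
]);

// Build the front-channel logout request for the IdP's end_session_endpoint
// (taken from the provider's discovery document in a real deployment).
function buildEndSessionUrl({ endSessionEndpoint, idToken, postLogoutRedirectUri, state }) {
  const url = new URL(endSessionEndpoint);
  if (url.protocol !== 'https:') {
    throw new Error('end_session_endpoint must use https');
  }
  if (idToken) {
    // id_token_hint tells the IdP which session is being ended.
    url.searchParams.set('id_token_hint', idToken);
  }
  if (postLogoutRedirectUri !== undefined) {
    // Refuse anything not on the allowlist so a caller-supplied value
    // cannot turn sign-out into an open redirect.
    if (!ALLOWED_POST_LOGOUT_URIS.has(postLogoutRedirectUri)) {
      throw new Error('post_logout_redirect_uri is not allowlisted');
    }
    url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
    if (state) {
      // Opaque value the IdP echoes back on the post-logout redirect.
      url.searchParams.set('state', state);
    }
  }
  return url.toString();
}

// On the post-logout landing page: accept the return only if it is an
// allowlisted location carrying the state value this client sent.
function isExpectedLogoutReturn(returnUrl, expectedState) {
  const url = new URL(returnUrl);
  const location = url.origin + url.pathname;
  return ALLOWED_POST_LOGOUT_URIS.has(location) &&
    url.searchParams.get('state') === expectedState;
}
```

Local state (tokens in storage) still has to be cleared by the application; this request only ends the session held by the IdP.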