Unable to call revoke token and end session endpoints with signOut method

[xabierarima]

Hi,

I'm having problems calling the signOut method. I'm using this method with the revokeTokens argument set to true and I was expecting the application to call both the revoke token endpoint and the end session endpoint, but this is not happening.

As you can see in the following code, when revoketokens is set to true, revokeTokens() is called, then requestTokenRevoke(), and inside this method the TOKEN_RESPONSE_KEY is removed from memory. It then tries to remove the TOKEN_RESPONSE_KEY again, but since it doesn't exist, the application throws an error and stops.

signOut(state, revokeTokens) {
    return __awaiter(this, void 0, void 0, function* () {
      if (revokeTokens) {
        yield this.revokeTokens();
      }
      yield this.storage.removeItem(TOKEN_RESPONSE_KEY);
      if ((yield this.configuration).endSessionEndpoint) {
        yield this.performEndSessionRequest(state).catch((response) => {
          this.notifyActionListers(AuthActionBuilder.SignOutFailed(response));
        });
      }

 revokeTokens() {
    return __awaiter(this, void 0, void 0, function* () {
      yield this.requestTokenRevoke().catch((response) => {
        this.storage.removeItem(TOKEN_RESPONSE_KEY);
        this.notifyActionListers(AuthActionBuilder.RevokeTokensFailed(response));
      });
    });
  }
    });

  }

requestTokenRevoke() {
        return __awaiter(this, void 0, void 0, function* () {
            let revokeRefreshJson = {
                token: this._tokenSubject.value.refreshToken,
                token_type_hint: 'refresh_token',
                client_id: this.authConfig.client_id,
            };
            let revokeAccessJson = {
                token: this._tokenSubject.value.accessToken,
                token_type_hint: 'access_token',
                client_id: this.authConfig.client_id,
            };
            yield this.tokenHandler.performRevokeTokenRequest(yield this.configuration, new RevokeTokenRequest(revokeRefreshJson));
            yield this.tokenHandler.performRevokeTokenRequest(yield this.configuration, new RevokeTokenRequest(revokeAccessJson));
            yield this.storage.removeItem(TOKEN_RESPONSE_KEY);
            this.notifyActionListers(AuthActionBuilder.RevokeTokensSuccess());
        });
    }

This is the error message I get in Xcode:

[keygun-development]

The problem with this is that you're not actually logged in. Yes, you have an access token, but you're not signed in. You can check if you're actually getting signed in in first place by logging something to the console on the callback url page. Unfortunately the demo inside this project also has the same problem. It looks like you're signed in, but you're not.

[xabierarima]

The problem with this is that you're not actually logged in. Yes, you have an access token, but you're not signed in. You can check if you're actually getting signed in in first place by logging something to the console on the callback url page. Unfortunately the demo inside this project also has the same problem. It looks like you're signed in, but you're not.

I don't think this is the problem. I have debugged the method and I can get the access token and the refresh token. In fact if I don`t set revokeTokens to true the logout process works fine.

The problem arises when I set revokeTokens to true.

[keygun-development]

I don't think this is the problem. I have debugged the method and I can get the access token and the refresh token. In fact if I don`t set revokeTokens to true the logout process works fine.

The problem arises when I set revokeTokens to true.

Sorry for replying back to you this late. I've tried to reproduce the issue and can't seem to reproduce it. I've managed to get the oauth flow working, but the logout process works fine for me even when i set revokeTokens to true.

[xabierarima]

I don't think this is the problem. I have debugged the method and I can get the access token and the refresh token. In fact if I don`t set revokeTokens to true the logout process works fine.
The problem arises when I set revokeTokens to true.

Sorry for replying back to you this late. I've tried to reproduce the issue and can't seem to reproduce it. I've managed to get the oauth flow working, but the logout process works fine for me even when i set revokeTokens to true.

Yes, the flow works fine for me too, but when I debug the application I see that the revoke token endpoint is called but the end session endpoint is not.

Can you check if this is happening to you?

[keygun-development]

I don't think this is the problem. I have debugged the method and I can get the access token and the refresh token. In fact if I don`t set revokeTokens to true the logout process works fine.
The problem arises when I set revokeTokens to true.

Sorry for replying back to you this late. I've tried to reproduce the issue and can't seem to reproduce it. I've managed to get the oauth flow working, but the logout process works fine for me even when i set revokeTokens to true.

Yes, the flow works fine for me too, but when I debug the application I see that the revoke token endpoint is called but the end session endpoint is not.

Can you check if this is happening to you?

I can confirm that I have the same result. I never get redirected to the /endsession route (tested on ios). What you can try to do is the following:

Where you call the logout method

Auth.Instance.signOut();
Auth.Instance.endSessionCallback();

and then you can replace the current route with for instance a login route. I'm using vue so for me it would be:

router.replace('/login')

The final result would be something like this:

<ion-item button @click="signOut()">
    <ion-label style="color: red;">Logout</ion-label>
    <ion-ripple-effect type="bounded"></ion-ripple-effect>
</ion-item>

<script setup lang="ts">
import {
    IonItem,
    IonLabel,
    IonRippleEffect,
} from "@ionic/vue";
import router from "../router";

const signOut = () => {
    Auth.Instance.signOut();
    Auth.Instance.endSessionCallback();
    router.replace('/login')
}
</script>