How to actually sign out using deno_kv_auth
Not sure if bug or feature, but I have problems signing out from deno_kv_auth. I'm using Auth0 for testing, but actually the kv auth live demo at https://kv-oauth.deno.dev/ has the same issue, using the GitHub provider.
Basically, when first visiting the demo and signing in, you get the GitHub login screen to authorize the sign in. All ok, sign in works.
But then you sign out. Yes the session is cleared from the local server, but if you then click sign in again, you don't get the GitHub/Auth0 login screen, but instead get immediately authenticated with the previous credentials, and returned with a new successfully authenticated session.
This is a problem of course, as there is no way to switch users, or sign out as you would do when using the site from a borrowed computer or whatever.
Is there a way to completely sign out, so that I can again choose to accept or reject the authentication from the actual GitHub/Auth0/other provider oauth screen?
5 Replies
The documentation here implies there would be a sign out process (perhaps sending a revoke call of sorts to the auth provider?), but it just deletes the cookie session locally on the server and nothing else. Is this something that is supposed to be manually handled? https://github.com/denoland/deno_kv_oauth/blob/main/lib/sign_out.ts
Okay, it appears to work as desired at least with Auth0, if you manually pass the prompt URL parameter like so:
const response = await signIn(request, oauthConfig, { urlParams: { prompt: "login" } });
This causes the login screen to appear when signing in after sign out. However, this seems like a potential security issue, as the session is not actually revoked upon sign-out. This workaround just forces a new login upon sign-in even though there is an old leftover authentication left dangling.
Hi there! Yes, this is something I have not yet addressed in the module. I haven't yet integrated session revocation into the sign-out process as I haven't yet fleshed out a single solution that works equally well for all providers. I have some time in the coming days and will look into this.
Would you be able to create a GitHub issue for this?
Okay, understood! Thank you so much.
I can make an issue just a sec. Just learning oauth stuff so I wasn't sure if it was working as intended or not.
Implement session revocation · Issue #267 · denoland/deno_kv_oauth
Signout function here only deletes the session locally on the server, but does not actually revoke the authentication with the provider: https://github.com/denoland/deno_kv_oauth/blob/main/lib/sign...
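Added example (not deno_kv_oauth's code and not from anyone in this thread) showing the two halves of the fix discussed above: a sign-in URL that sets prompt=login so the provider re-prompts for credentials, and a sign-out that revokes the stored tokens at the provider (RFC 7009 form-encoded POST) before deleting the local session and expiring the cookie. The provider endpoints, client credentials, token values and the in-memory Map standing in for Deno KV are all constructed placeholders; the fake fetch function plays the provider so the code runs offline.

```typescript
// Added example, not deno_kv_oauth code. Endpoint URLs, client credentials and
// tokens are constructed placeholders; the Map stands in for the Deno KV store.

interface StoredSession {
  accessToken: string;
  refreshToken?: string;
}

interface ProviderConfig {
  authorizationEndpoint: string; // provider's authorize URL (placeholder below)
  revocationEndpoint: string;    // provider's RFC 7009 revoke URL (placeholder below)
  clientId: string;
  clientSecret: string;          // confidential client: lets the provider authenticate the revoke call
}

// Minimal transport abstraction so the flow can run against a fake provider.
type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ ok: boolean; status: number }>;

// In-memory stand-in for the Deno KV session store (assumption for this example).
const sessions = new Map<string, StoredSession>();

// Sign-in URL. With forceLogin=true the provider is asked to show its login
// screen again (prompt=login) instead of silently reusing its own browser session.
function buildSignInUrl(cfg: ProviderConfig, redirectUri: string, state: string, forceLogin: boolean): string {
  const url = new URL(cfg.authorizationEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", cfg.clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  if (forceLogin) url.searchParams.set("prompt", "login");
  return url.toString();
}

// RFC 7009 revocation request: form-encoded token + token_type_hint, client-authenticated.
function buildRevocationRequest(cfg: ProviderConfig, token: string, hint: "access_token" | "refresh_token") {
  const body = new URLSearchParams({
    token,
    token_type_hint: hint,
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
  });
  return {
    url: cfg.revocationEndpoint,
    init: {
      method: "POST",
      headers: { "content-type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

interface SignOutResult {
  revokedRefresh: boolean;
  revokedAccess: boolean;
  sessionDeleted: boolean;
  clearCookie: string; // Set-Cookie value that expires the site's session cookie
}

// Sign-out: revoke at the provider first (refresh token, then access token), then delete
// the local session and expire the cookie. The local session is deleted even when a
// revocation call fails, so a provider outage never keeps a user signed in locally.
async function signOutAndRevoke(sessionId: string, cfg: ProviderConfig, fetchImpl: FetchLike): Promise<SignOutResult> {
  const session = sessions.get(sessionId);
  let revokedRefresh = false;
  let revokedAccess = false;
  if (session) {
    if (session.refreshToken) {
      const r = buildRevocationRequest(cfg, session.refreshToken, "refresh_token");
      revokedRefresh = (await fetchImpl(r.url, r.init)).ok;
    }
    const a = buildRevocationRequest(cfg, session.accessToken, "access_token");
    revokedAccess = (await fetchImpl(a.url, a.init)).ok;
  }
  const sessionDeleted = sessions.delete(sessionId);
  return {
    revokedRefresh,
    revokedAccess,
    sessionDeleted,
    clearCookie: "site-session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax",
  };
}

// Constructed fake provider: records every token it is asked to revoke and answers 200.
const revokedTokens: string[] = [];
const fakeProviderFetch: FetchLike = async (_url, init) => {
  revokedTokens.push(new URLSearchParams(init.body).get("token") ?? "");
  return { ok: true, status: 200 };
};

const demoConfig: ProviderConfig = {
  authorizationEndpoint: "https://provider.example/authorize",  // placeholder
  revocationEndpoint: "https://provider.example/oauth/revoke",  // placeholder
  clientId: "client-id-placeholder",
  clientSecret: "client-secret-placeholder",
};

// Runs the whole sign-out flow for a constructed session against the fake provider.
async function demo(sessionId: string = "sess-1"): Promise<SignOutResult> {
  sessions.set(sessionId, { accessToken: "access-token-placeholder", refreshToken: "refresh-token-placeholder" });
  return signOutAndRevoke(sessionId, demoConfig, fakeProviderFetch);
}

demo().then((result) => console.log(result, revokedTokens));
```

Two caveats worth keeping in mind. Revocation endpoints differ between providers (Auth0's /oauth/revoke is RFC 7009-style, while GitHub revokes OAuth app tokens through its own REST API rather than a standard revoke endpoint), which is the "no single solution for all providers" problem the maintainer mentions above. And revoking the app's tokens does not end the user's login session at the provider itself; that browser-side session is why sign-in right after sign-out skips the credential screen, so on a shared machine prompt=login (or a provider-side logout) is still needed in addition to revocation.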