How do I log out of Stormpath ID Site with express-stormpath and stormpath-sdk-angularjs?


I have an express-stormpath application that uses Stormpath ID Site. It has this configuration:

app.use(stormpath.init(app, {
  web: {
    idSite: {
      enabled: true,
      uri: '/idSiteResult',
      nextUri: '/'
    },
    login: {
      enabled: true,
      uri: config.login
    },
    logout: {
      enabled: true,
      uri: config.logout
    },
    me: {
      expand: {
        customData: true,
        groups: true
      }
    }
  }
}));

Login works fine, but logout is giving me trouble.

First, I tried logging out with the stormpath-sdk-angularjs built-in endSession():

$auth.endSession();

But I was still logged in.

Digging into express-stormpath, it looks like logout POST requires Accept type text/html for id-site logout. In stormpath-sdk-angularjs, it looks like endSession POST uses application/json.

So I tried logging out with $http.post:

$http.post('/logout', null, {
  headers: {
    'Accept': 'text/html'
  }
});

But I get this error:

XMLHttpRequest cannot load https://api.stormpath.com/sso/logout?jwtRequest=[...]. Redirect from 'https://api.stormpath.com/sso/logout?jwtRequest=[...]' to 'http://localhost:9000/idSiteResult?jwtResponse=[...]' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access.

How do I log out of Stormpath ID Site?

2

There are 2 answers

1
Edward Jiang On BEST ANSWER

I work at Stormpath. ID Site requires that you actually redirect the end user to ID Site. I'm not sure why endSession() isn't working, but I'll reach out to our JS team to see if there might be a bug there.

In the meantime, you can use this code (or the equivalent in Angular-specific primitives) to accomplish a logout:

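var form = document.createElement('form');
form.method = "POST";
form.action = "/logout";
// A form must be attached to the document before browsers will submit it.
document.body.appendChild(form);
form.submit();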
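An AngularJS wrapping of the form POST above, as an added example that is not part of the original answer or of Stormpath's SDK: submitting a form is a top-level navigation, so the browser follows the redirect to ID Site and back instead of an XHR being stopped by CORS. The names `submitLogoutForm`, `idSiteLogoutExample`, `LOGOUT_URI` and `idSiteLogout` are hypothetical, and `/logout` is assumed to match the configured logout URI.

```javascript
// Added example. The core is a plain function that takes the document
// object, so it can be exercised with a stub outside a browser.
function submitLogoutForm(doc, logoutUri) {
  // Only accept a same-origin path ("/logout"), never "//host" or a full URL,
  // so the POST cannot be pointed at another site by a bad config value.
  if (typeof logoutUri !== 'string' ||
      logoutUri.charAt(0) !== '/' ||
      logoutUri.charAt(1) === '/') {
    throw new Error('logoutUri must be a same-origin path such as "/logout"');
  }

  var form = doc.createElement('form');
  form.method = 'POST';
  form.action = logoutUri;

  // Browsers ignore submit() on a form that is not attached to the document.
  doc.body.appendChild(form);

  // Full-page navigation: the browser itself follows the server's redirect
  // to ID Site and then back to the application's idSite.uri callback.
  form.submit();
  return form;
}

// Register as an AngularJS service when AngularJS is present on the page.
if (typeof angular !== 'undefined') {
  angular.module('idSiteLogoutExample', [])
    .constant('LOGOUT_URI', '/logout') // assumed value of config.logout
    .factory('idSiteLogout', ['$document', 'LOGOUT_URI',
      function ($document, LOGOUT_URI) {
        return function () {
          // $document is a jqLite wrapper; [0] is the raw document object.
          return submitLogoutForm($document[0], LOGOUT_URI);
        };
      }]);
}
```

In a controller, inject `idSiteLogout` and call `idSiteLogout()` from the logout button's click handler.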
0
pnovotnak On

This looks like a CORS issue. I believe you need to add at least:

Access-Control-Allow-Origin: https://api.stormpath.com

to the response headers from your server.