How do I log out of Stormpath ID Site with express-stormpath and stormpath-sdk-angularjs?

Question

I have an express-stormpath application that uses Stormpath ID Site. It has this configuration:

app.use(stormpath.init(app, {
  web: {
    idSite: {
      enabled: true,
      uri: '/idSiteResult',
      nextUri: '/'
    },
    login: {
      enabled: true,
      uri: config.login
    },
    logout: {
      enabled: true,
      uri: config.logout
    },
    me: {
      expand: {
        customData: true,
        groups: true
      }
    }
  }
}));

Login works fine, but logout is giving me trouble.

First, I tried logging out with the stormpath-sdk-angularjs built-in endSession()

$auth.endSession();

But I was still logged in.

Digging into express-stormpath, it looks like logout POST requires Accept type text/html for id-site logout. In stormpath-sdk-angularjs, it looks like endSession POST uses application/json.

So I tried logging out with $http.post

$http.post('/logout', null, {
  headers: {
    'Accept': 'text/html'
  }
});

But I get this error:

XMLHttpRequest cannot load https://api.stormpath.com/sso/logout?jwtRequest=[...]. Redirect from 'https://api.stormpath.com/sso/logout?jwtRequest=[...]' to 'http://localhost:9000/idSiteResult?jwtResponse=[...]' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access.

How do I log out of Stormpath ID Site?

Edward Jiang · Accepted Answer · 2016-12-20T00:33:18.107

1

I work at Stormpath. ID Site requires that you actually redirect the end user to ID Site. I'm not sure why endSession() isn't working, but I'll reach out to our JS team to see if there might be a bug there.

In the meantime, you can use this code (or the equivalent in Angular-specific primitives) to accomplish a logout:

var form = document.createElement('form');
form.method = "POST";
form.action = "/logout";
form.submit();

edited Dec 20 '16 at 00:33

answered Dec 19 '16 at 21:35

Edward Jiang

2,403
18
13

If you use csurf on your express server, also make sure to send the XSRF-TOKEN (and not the _csrf cookie) with the form. – ryan Dec 20 '16 at 00:31

score 0 · Answer 2 · answered Dec 19 '16 at 21:10

0

This looks like a CORS issue. I believe you need to add at least;

Access-Control-Allow-Origin: https://api.stormpath.com

To the response headers from your server.

answered Dec 19 '16 at 21:10

pnovotnak

4,341
2
27
38

How do I log out of Stormpath ID Site with express-stormpath and stormpath-sdk-angularjs?

2 Answers2