I have an ASP.NET MVC 4 application that allows users to login with external service like Gmail.

So far, the user is able to log in and navigate inside the application. But the problem is in logout. I have a logout button that calls the controller action LogOff() inside my AccountController. Inside that method, how can I log out if the user is authenticated via OAuth?

With a local account, I use:

public ActionResult LogOff()
{
    WebSecurity.Logout();
    return RedirectToAction("Login", "Account");
}

But with OAuth I don't see anything similar... I think I need to clear some kind of cookie but I don't know how...

amp

3 Answers

Based on this, I implemented the following client-side solution (I first ask whether the user also wants to log out of the provider):

// get accountType, accessToken, redirectUrl and clientID from the server
var accountType = ...;
var accessToken = ...;
var redirectUrl = ...;
var clientID = ...;

$("#logoutConfirmButton").on('click', function () {
    externalLogout();
});

// Send the browser to the provider's own logout endpoint. The application's
// own session still has to be ended separately on the server side.
function externalLogout() {
    var url, params;
    if (accountType == "facebook") {
        url = "https://www.facebook.com/logout.php";
        params = {
            next: encodeURIComponent(redirectUrl),
            access_token: encodeURIComponent(accessToken)
        };
        performCallLogout(url, params, accountType);
    } else if (accountType == "google") {
        // Google's endpoint takes a nested continue=: the inner _ah/logout URL
        // gets its own continue= appended in performCallLogout
        url = "https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout";
        params = {
            next: encodeURIComponent(redirectUrl)
        };
        performCallLogout(url, params, accountType);
    } else if (accountType == "microsoft") {
        url = "https://login.live.com/oauth20_logout.srf";
        params = {
            clientId: encodeURIComponent(clientID),
            redirectUrl: encodeURIComponent(redirectUrl)
        };
        performCallLogout(url, params, accountType);
    }
}

// All values in params are already URL-encoded by externalLogout
function performCallLogout(url, params, accountType) {
    if (accountType == "facebook") {
        window.location.href = url + "?next=" + params.next + "&access_token=" + params.access_token;
    } else if (accountType == "google") {
        window.location.href = url + "?continue=" + params.next;
    } else if (accountType == "microsoft") {
        window.location.href = url + "?client_id=" + params.clientId + "&redirect_url=" + params.redirectUrl;
    }
}

Hope this helps someone.

amp
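The same client-side approach in a hardened form, as an added example that is not part of the answer above: every query value goes through URLSearchParams so nothing is hand-encoded, and the return address is checked against the application's own origin (APP_ORIGIN is a constructed placeholder) so the provider's logout endpoint cannot be used as an open redirect. The provider endpoints are the ones the answer lists.

```javascript
// Added example, not the answer's code. APP_ORIGIN is a constructed value;
// replace it with the real origin of the application.
const APP_ORIGIN = "https://myapp.example";

// Only send the provider back to a page on our own site. Anyone who can
// influence redirectUrl would otherwise get a provider-branded open redirect.
function safeReturnUrl(redirectUrl) {
  let target;
  try {
    target = new URL(redirectUrl, APP_ORIGIN); // resolves relative paths too
  } catch (e) {
    return APP_ORIGIN + "/";
  }
  // "javascript:" and "//other-host/..." both end up with a foreign origin
  if (target.origin !== APP_ORIGIN) {
    return APP_ORIGIN + "/";
  }
  return target.href;
}

// Returns the provider logout URL to navigate to, or null for an unknown
// provider (the local WebSecurity.Logout() must happen regardless).
function buildProviderLogoutUrl(accountType, { accessToken, redirectUrl, clientId }) {
  const next = safeReturnUrl(redirectUrl);
  let url;
  switch (accountType) {
    case "facebook":
      url = new URL("https://www.facebook.com/logout.php");
      url.searchParams.set("next", next);
      url.searchParams.set("access_token", accessToken);
      break;
    case "google": {
      // nested continue=: build the inner URL first, then encode it as one value
      const inner = new URL("https://appengine.google.com/_ah/logout");
      inner.searchParams.set("continue", next);
      url = new URL("https://www.google.com/accounts/Logout");
      url.searchParams.set("continue", inner.href);
      break;
    }
    case "microsoft":
      url = new URL("https://login.live.com/oauth20_logout.srf");
      url.searchParams.set("client_id", clientId);
      url.searchParams.set("redirect_url", next);
      break;
    default:
      return null;
  }
  return url.href;
}
```

In the click handler, call `window.location.href = buildProviderLogoutUrl(...)` only when the result is non-null, after the application's own logout request has completed.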
WebSecurity.Logout(); will log out the user even if they authenticated through OAuth.

If you want to be sure the token does not persist after logout you can call

Session.Remove("facebooktoken"); //Facebook example

The information is from this webpage. Some more details worth reading on there too.

Lotok
  • Thanks, but that solution of removing the session value didn't work... When I log out of my application and try to log in with another account I'm not able to; I'm logged in directly with the previous account... But if I log out, for instance, on the Facebook page, I'm able to sign in with another account... And the Google service doesn't have this token in ExtraData by default.... – amp Jun 06 '13 at 16:49
  • OK, so you want to be able to clear a 3rd party cookie from your app? You know in the account management page you can associate additional accounts if you want to add login methods. – Lotok Jun 06 '13 at 18:46
  • Yes, I think clearing the cookie should solve the problem... How can I do that? Do you have a basic example? – amp Jun 07 '13 at 08:20
  • There is a SO question here covering removing cookies, you need to know cookie name though. Not sure if it will be possible, depends how FB etc name them. http://stackoverflow.com/questions/5122404/how-do-you-clear-cookies-using-asp-net-mvc-3-and-c – Lotok Jun 07 '13 at 08:25
Sounds like you want to log the user out of the source authenticating site? Only the authenticating site can delete/modify its cookies.

The solution will be to redirect the user to the logout page for the authenticating site, or use an API script to log the user out (if one exists for that site.) You could use a form with the "target" attribute to open a new window if you don't want the main browser window to redirect.

FaceBook, for example, has an API call:

FB.logout(function(response) {
    // user is now logged out
});

The MVC FaceBook client has a method GetLogoutUrl, too, which returns a URL you could use on the server side.