jlcoverity

Issues with Oauth2 revoke

Hi everyone,


I'm developing a web app (using node.js/express and angular.js) that integrates with SFDC. I'm using oauth2 and the login dance is working fine. However, I want to include a logout mechanism as well. Here's my logout code: 


var request = require('request');

app.get('/logout', function(req, res) {
   var callback = function() {
       res.redirect('/');
   };

   if (req.session.oauth) {
       // Salesforce's revoke endpoint takes the token to revoke as the "token" parameter.
       var uri = req.session.oauth.instance_url + '/services/oauth2/revoke?token=' + req.session.oauth.access_token;
       var reqOpts = {
           uri : uri,
           method: 'GET'
       };
       // Named "response" so it does not shadow Express's res from the outer scope.
       request(reqOpts, function(err, response) {
          if (err)
            console.log('ERROR ' + err.message);
          else
            console.log('Returned from oauth2 revoke with code ' + response.statusCode);
          // Redirect either way; otherwise a failed revoke leaves the browser hanging.
          callback();
       });
   } else {
       // Nothing to revoke: still answer the request.
       callback();
   }
});

When it returns, the callback redirects to "/", which basically checks to see if req.session.oauth is null. If it is null, then it renders my login.ejs page (a login page with a button to "Login with Salesforce" to initiate the oauth dance), otherwise it renders my index.ejs page.


app.get('/', function(req,res) {
    console.log(req.session.oauth);
    if(!req.session.oauth)
        res.render("login");
    else
        res.render("index");
});


I'm getting a status code of 200 back from the call to /services/oauth2/revoke, but it always renders the index page and not the login page. The output from the console.log shows that the oauth session is definitely not null and the access token is still present. I am clearly missing something pretty basic here, but can't quite put my finger on it.

jlcoverity
Need to add a few more bits of information to complete the picture here.

1) After the logout call, I can't access data from SFDC, so technically it worked, but the session data is still there.

2) If I change it to route directly to the login page after logout, if I try to login again, I get a "Server Not Found" error - can't find the server at alvmisw31.prod.quest.corp.

3) I'm using "full" as the oauth scope.
jlcoverity

Well... I came up with a workaround, basically stealing the concept from the AngularJS Mobile Pack, where not only do you need to call /services/oauth2/revoke but you then need to make a request to /secur/logout.jsp (I used the hidden iframe concept that is in the Mobile Pack sample code). I also, to fully clear things out, specifically set req.session.oauth = null. So, it is "working", but I don't think this is very clean. I was a bit surprised actually to see that using a hidden iframe to call /secur/logout.jsp was how this was done using the Mobile Pack.


I would love to get some feedback. I will admit, I still have two left feet when it comes to the oauth dance.