Kellymt

How to sign out a Connected App when user signs out of Salesforce.com

We have developed a connected app in C# which we have exposed as a web tab in salesforce.com and which authenticates via OAuth.
Users log in to salesforce.com, click on the web tab, and our application authenticates with OAuth and can make queries to salesforce.com.

The question I have is how to log out / invalidate the OAuth token of our application when the user logs out of salesforce.com?
If we do not do that, our application will practically remain logged in even after the user logs out of salesforce.com, until the session expires due to inactivity, which is a security risk.

Best Answer chosen by Kellymt
Kellymt
What has been suggested by our Salesforce consultant is to do one of the below:
1. Have a session timeout on our application. However, this would still leave our application vulnerable, but only for a limited period of time.
2. Have a custom logout link, so that when the user logs out of Salesforce he is redirected to the custom logout link configured in Salesforce, which should log the user out. This approach seems to me too complicated.

I am planning to use the composite app way of passing the current user's session id and Salesforce URL as query string parameters to my application.

If anyone has a better idea please share it with me.
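As an added example (not code from this thread, from Salesforce, or from the poster's C# app), here is a Python sketch of the approach described above: the app receives the user's Salesforce session id and server URL, re-checks that session with Salesforce before serving each request, and ends its own session (revoking its own OAuth token) when the check fails, with the idle timeout from option 1 as a backstop. `AppSession`, `sf_session_is_valid`, `revoke_token` and the injectable `validator`/`revoker`/`clock` hooks are hypothetical names for this example; `/services/oauth2/userinfo` and `/services/oauth2/revoke` are Salesforce's real OAuth endpoints.

```python
import time, urllib.error, urllib.request
from urllib.parse import urlencode

IDLE_TIMEOUT = 15 * 60  # seconds; option 1 from the thread, a bounded idle window

def sf_session_is_valid(instance_url, session_id):
    """Probe Salesforce: the session id works as a Bearer token, and userinfo rejects a session that was logged out or expired."""
    req = urllib.request.Request(f"{instance_url}/services/oauth2/userinfo",
                                 headers={"Authorization": f"Bearer {session_id}"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status == 200
    except urllib.error.URLError:
        return False  # 401/403 or no answer: fail closed

def revoke_token(instance_url, token):
    """Revoke the app's own OAuth token at Salesforce so it cannot be reused after logout."""
    req = urllib.request.Request(f"{instance_url}/services/oauth2/revoke",
                                 data=urlencode({"token": token}).encode())
    try:
        urllib.request.urlopen(req, timeout=5).close()
    except urllib.error.HTTPError:
        pass  # already invalid at Salesforce; nothing left to revoke

class AppSession:
    """Hypothetical server-side session of the connected app, bound to the Salesforce session whose
    id and server URL arrived as query-string parameters; the hooks are injectable for offline testing."""
    def __init__(self, instance_url, sf_session_id, app_token,
                 validator=sf_session_is_valid, revoker=revoke_token, clock=time.monotonic):
        self.instance_url, self.sf_session_id, self.app_token = instance_url, sf_session_id, app_token
        self._validator, self._revoker, self._clock = validator, revoker, clock
        self.last_seen, self.active = clock(), True

    def authorize_request(self):
        """Run before serving each request; False means the user must re-launch the tab from Salesforce."""
        if not self.active:
            return False
        now = self._clock()
        if now - self.last_seen > IDLE_TIMEOUT or \
                not self._validator(self.instance_url, self.sf_session_id):
            self.logout()  # idle too long, or the user has logged out of Salesforce: follow them out
            return False
        self.last_seen = now
        return True

    def logout(self):
        """Entry point for the app's own logout action and for the custom logout link; revokes the app token once."""
        if self.active:
            self.active = False
            self._revoker(self.instance_url, self.app_token)
```

Because a session id passed in the query string ends up in server logs and Referer headers, the app should read that parameter once at launch and keep it server-side rather than echoing it into later URLs.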

All Answers

Gaurav Kheterpal
You can invalidate the refresh token using any of the following approaches.
  • Refresh token is valid until revoked. This is the default behavior, and specifies that the token may be used indefinitely, unless revoked by the user or administrator. Revoke tokens in a user’s detail page under OAuth Connected Apps, or in the OAuth Connected Apps Usage report.
  • Immediately expire refresh token. This setting specifies the token is immediately invalid. The user may use the current session (access token) already issued, but cannot use the refresh token to obtain any new sessions.
  • Expire refresh token if not used for n. This setting invalidates the token if it is not used for the amount of time specified. For example, if the field value states 7 days, and the refresh token is not exchanged for a new session within seven days, the next attempt to use the token fails. The token expired and can no longer generate new sessions. If the refresh token is successfully used before 7 days, monitoring the period of inactivity resets, and the token is valid for another 7 days.
  • Expire refresh token after n. This setting invalidates the refresh token after a fixed amount of time. For example, if the policy states 1 day, the refresh token may be used to obtain new sessions for 24 hours. After 24 hours, the token can not be used to obtain new sessions.
What you are referring to is scenario #2, so if you choose the setting correctly, it's not a security risk.

If my answer helps resolve your query, please mark it as the 'Best Answer' to benefit others and improve the overall quality of Discussion Forums.

Gaurav Kheterpal
Certified Force.com Developer | Developer Forums Moderator | Dreamforce Speaker

Kellymt
Thank you for your reply and the useful information. 
I do not think that this will solve my problem though. 
Let me explain one more time what my problem is:
1. User logs in to salesforce.com
2. User clicks on a custom web tab and our application logs in to salesforce.com, establishing a separate session via OAuth (not via the refresh token). Our application is in an iframe.
3. User logs out of salesforce.com and walks away from the computer.
4. A malicious user sits down at the computer and gets to use our application, because its session has not expired yet and the user did not log out of it.

Please let me know if I need to explain further. 