topic Re: Single Logout, using Log Out button from the Hub in Integration, Extension & APIs

Single Logout, using Log Out button from the Hub

vegard_bakke — Sat, 16 Nov 2024 17:19:37 GMT

The Authentication API ‒ Qlik Sense for developers article is saying:

In some cases, it might make sense for the authentication module to act as a logout module as well.

How do you catch a Sense initiated logout?
That is, when the user is pressing the Log Out button in the Hub. (The one hidden under your username.)

Single-logout has been solved with SAML authentication. But how do you catch this when using a custom authentication module (using the ticket API)?

Technically, this is a security problem. Since the user thinks she is logged out. But She still has a live session with the SingleSignIn module, which will just log you in once more.

Re: Single Logout, using Log Out button from the Hub

Anonymous — Thu, 01 Apr 2021 07:35:06 GMT

Interesting question, I would like to know if there is a way to do it.

Re: Single Logout, using Log Out button from the Hub

Damien_V — Thu, 01 Apr 2021 08:28:28 GMT

Hi @vegard_bakke

You're correct, there is no way to do that out of the box.

The only way I can think of would be to use a reverse proxy and catch when the user uses the logout button with a rewrite rule to redirect to a custom page in the authentication module used to log out from the module.

Re: Single Logout, using Log Out button from the Hub

vegard_bakke — Thu, 01 Apr 2021 10:41:19 GMT

Ouch. I know what my IdP will say about this. They've already complained about Qlik not clearing the client side cookies when logging out. (Even though the session value is terminated server side.)

Should we log this as a security issue?

Long term solution
It should be hard to fix. One could add a Authentication module logout URI under Ticket method under virtual proxy in QMC.

This is what happens with SAML logins, after all.

Short term solution
In the mean time, I guess having the reverse proxy hijack GET https://<server>/<v.proxy>/qps/logout might do the trick.

Let the authentication module clear the session cookie. (Possibly after first running DELETE https://<server>/<v.proxy>/qps/user, with the user's session cookie, although the browser should have already done this.) And finally let the request return a redirect to a nice landing/login page. (Since the standard Qlik logout page is now hijacked.)

Re: Single Logout, using Log Out button from the Hub

Kalkumar — Fri, 16 Jul 2021 05:57:42 GMT

Hi @vegard_bakke ,

If my understanding is correct you have already developed a custom extension to logout the users from the QlikApp. However, you still have the session active.

Can you please help how your Html and JS code look like.

I have been trying to achieve this but, not luck yet. Also, posted my query https://community.qlik.com/t5/Integration-Extension-APIs/Extension-to-logout-a-user-from-Qliksense/m-p/1822129#M15241

Thanks

Re: Single Logout, using Log Out button from the Hub

vegard_bakke — Fri, 16 Jul 2021 06:43:41 GMT

Sort of. I have developed an extension (i.e. a button) that lets you log in and out in an iframe environment.

But that was done for a client, so the source code is theirs, and not mine to give, sorry.

However, your are on the right track (in your other post). I'll follow you up there. 😊

Vegard