The Authentication API ‒ Qlik Sense for developers article is saying:
In some cases, it might make sense for the authentication module to act as a logout module as well.
How do you catch a Sense initiated logout?
That is, when the user is pressing the Log Out button in the Hub. (The one hidden under your username.)
Single-logout has been solved with SAML authentication. But how do you catch this when using a custom authentication module (using the ticket API)?
Technically, this is a security problem, since the user thinks she is logged out. But she still has a live session with the SingleSignIn module, which will just log you in once more.
Interesting question, I would like to know if there is a way to do it.
You're correct, there is no way to do that out of the box.
The only way I can think of would be to use a reverse proxy and catch when the user uses the logout button with a rewrite rule to redirect to a custom page in the authentication module used to log out from the module.
Ouch. I know what my IdP will say about this. They've already complained about Qlik not clearing the client side cookies when logging out. (Even though the session value is terminated server side.)
Should we log this as a security issue?
Long term solution
It should be hard to fix. One could add an Authentication module logout URI under Ticket method under virtual proxy in QMC.
This is what happens with SAML logins, after all.
Short term solution
In the meantime, I guess having the reverse proxy hijack GET https://<server>/<v.proxy>/qps/logout might do the trick.
Let the authentication module clear the session cookie. (Possibly after first running DELETE https://<server>/<v.proxy>/qps/user, with the user's session cookie, although the browser should have already done this.) And finally let the request return a redirect to a nice landing/login page. (Since the standard Qlik logout page is now hijacked.)
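The short-term workaround described in the post above, as an added example that is not part of the thread and not Qlik's or any poster's code: a logout handler the reverse proxy could route GET /<v.proxy>/qps/logout to. The cookie names, cookie path, virtual proxy prefix, landing path and the injected sendUpstream/destroySession helpers are assumptions.

```javascript
// Added example, not code from the thread. cfg values are constructed placeholders.
const cfg = {
  vproxy: 'custom',                    // virtual proxy prefix (assumed)
  qlikCookie: 'X-Qlik-Session-custom', // session cookie name as set in the QMC (assumed)
  moduleCookie: 'authmod_sid',         // hypothetical cookie of the authentication module
  landing: '/auth/logged-out',         // hypothetical landing/login page
};

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Set-Cookie value that expires a cookie; Path must match the one it was set with.
function expire(name) {
  return `${name}=; Path=/; Max-Age=0; HttpOnly; Secure`;
}

// Decide what the hijacked GET /<v.proxy>/qps/logout has to do.
function planLogout(cookieHeader, c) {
  const cookies = parseCookies(cookieHeader);
  const sid = cookies[c.qlikCookie];
  return {
    // Server-side termination, only if the browser still presents a session.
    upstream: sid ? { method: 'DELETE', path: `/${c.vproxy}/qps/user`,
                      headers: { Cookie: `${c.qlikCookie}=${sid}` } } : null,
    moduleSessionId: cookies[c.moduleCookie] || null, // to destroy in the module's store
    setCookie: [expire(c.qlikCookie), expire(c.moduleCookie)],
    status: 302,
    location: c.landing, // fixed value, never read from the request
  };
}

// Node-style handler; sendUpstream and destroySession are injected (hypothetical helpers).
async function handleLogout(req, res, c, sendUpstream, destroySession) {
  const plan = planLogout(req.headers.cookie, c);
  try {
    if (plan.upstream) await sendUpstream(plan.upstream);
  } catch (e) { /* Sense session may already be gone; still clear everything else */ }
  if (plan.moduleSessionId) await destroySession(plan.moduleSessionId);
  res.writeHead(plan.status, { 'Set-Cookie': plan.setCookie, Location: plan.location, 'Cache-Control': 'no-store' });
  res.end();
  return plan;
}
```

The redirect target is a fixed configuration value, so the logout endpoint cannot be used as an open redirect, and the cookies are expired even when the DELETE to Sense fails.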
Hi @vegard_bakke ,
If my understanding is correct you have already developed a custom extension to logout the users from the QlikApp. However, you still have the session active.
Can you please help with how your HTML and JS code looks?
I have been trying to achieve this, but no luck yet. Also, I posted my query at https://community.qlik.com/t5/Integration-Extension-APIs/Extension-to-logout-a-user-from-Qliksense/m...
Thanks
Sort of. I have developed an extension (i.e. a button) that lets you log in and out in an iframe environment.
But that was done for a client, so the source code is theirs, and not mine to give, sorry.
However, you are on the right track (in your other post). I'll follow you up there. 😊
Vegard