OpenID logout link redirect


l.denardo

May 27, 2010, 11:49:05 AM
to Google App Engine
Hello,
I managed to start OpenID authentication for my app on GAE.

Login works correctly with Gmail accounts if _ah/login_required is not
under a security constraint in web.xml.
Then, I show the user a JSP page, Header.jsp, listing the user's email and
a logout link.

Generating the logout link with

    String logoutURL = authenticator.createLogoutURL(request.getRequestURI());

I get
http://myapp.appspot.com/_ah/openid_logout?continue=http://myapp.appspot.com/Header.jsp

Which logs out the user correctly.

What is unusual is the fact that I've deployed a servlet to allow the user
to log out from Google Accounts also, mapped to
_ah/openid_logout, which should prompt the user with the Google Accounts
logout link, so they can log out from Google.

This servlet seems to be completely bypassed when using the logout link: no
requests to openid_logout show in the application logs, nothing is shown
from the servlet, and the user gets an immediate redirect to the app (and is
prompted to authorize the app again if authorization was not saved).
Firebug shows a correct GET to the logout URL anyway...

If you manually change the value of the "continue" parameter, say to
http://www.google.com, my logout servlet works perfectly, showing
Google's logout link, and the request shows in the log.

Any advice about this behavior in redirection? This does not seem to
be covered in http://code.google.com/appengine/docs/java/users/overview.html

Thanks a lot
Lorenzo

l.denardo

May 28, 2010, 3:22:10 AM
to Google App Engine
Even worse, if the user does save the authorization for the app, when
logged out they get redirected immediately to the app page and, being
still logged in to Google, get to the page again, making the logout
link seem just broken, when in fact the user is logged out and then logged
in again automatically.

Is there any workaround for this?

Thank you
Lorenzo

l.denardo

May 28, 2010, 9:22:26 AM
to Google App Engine
I found a useful workaround by myself, which is not perfect (correct
redirection would be better) but works.
Simply construct the logout link to redirect to _ah/openid_logout
again (I think this should also work when redirecting to a custom URL
hosting the logout page).

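    // Base URL of the app (placeholder, as in the original post)
    String requestBase = <url of the app>;
    // After the built-in logout, continue to /_ah/openid_logout again
    String logoutURL = UserServiceFactory.getUserService().createLogoutURL(
            requestBase + "/_ah/openid_logout?continue=" + request.getRequestURI());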

This handles automatic redirect correctly.
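
Added example, not part of the original thread and not App Engine SDK code: the workaround nests one `continue` value inside another, so the inner value should be URL-encoded, and a custom logout servlet that later sends the user to `continue` should accept only a path on the same site. The class and method names are hypothetical, the sample inputs are constructed, and Java 10+ is assumed for `URLEncoder.encode(String, Charset)`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class LogoutLinks {
    // Hypothetical helper: accept only a same-site path as the "continue" target,
    // falling back to "/" for anything else.
    static String safeContinue(String raw) {
        if (raw == null || !raw.startsWith("/") || raw.startsWith("//") || raw.contains("\\")) {
            return "/"; // absolute URLs, scheme-relative URLs and backslash variants
        }
        for (int i = 0; i < raw.length(); i++) {
            if (Character.isISOControl(raw.charAt(i))) {
                return "/"; // CR/LF and other control characters
            }
        }
        try {
            URI u = new URI(raw);
            // A local path has neither a scheme nor an authority (host) component.
            return (u.getScheme() == null && u.getRawAuthority() == null) ? raw : "/";
        } catch (URISyntaxException e) {
            return "/";
        }
    }

    // Builds the destination string that the workaround passes to createLogoutURL(...).
    // The inner value is encoded so that its own '?' and '&' stay inside "continue".
    static String logoutDestination(String appBase, String requestUri) {
        return appBase + "/_ah/openid_logout?continue="
                + URLEncoder.encode(safeContinue(requestUri), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String base = "http://myapp.appspot.com"; // app URL as written in the thread
        String[] samples = {                      // constructed sample inputs
            "/Header.jsp", "/page?a=1&b=2", "http://www.google.com", "//other.example/x", null
        };
        for (String s : samples) {
            System.out.println(s + " -> " + logoutDestination(base, s));
        }
    }
}
```

The custom servlet would call `safeContinue` again on the parameter it receives, since the value in the link can be edited by hand, as the first post shows.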