Force logUserOut does not sign user out(?)

213 views
Skip to first unread message

Greg Newton

unread,
Apr 3, 2019, 12:20:01 AM4/3/19
to ORCID API Users
I have a simple use-case. Sign in to my app using ORCID (based on https://members.orcid.org/api/integrate/orcid-sign-in).

I want to provide an easy way of making certain that users have terminated their ORCID session, so I use the javascript fetch method to hit https://sandbox.orcid.org/userStatus.json?logUserOut=true
The response payload is { loggedIn: false }, however, when I immediately go to https://sandbox.orcid.org/userStatus.json I see loggedIntrue }.

So, the question is, why do I get loggedIn: false from fetch, but I haven't actually been logged out?
Thanks

Wilmers, Catalina

unread,
Apr 4, 2019, 5:18:10 PM4/4/19
to Greg Newton, ORCID API Users
Hi Greg,

Our team has taken a look at this and can't recreate the issue. Is your app up where we can take a look at it directly, or can you share the code for it? If we can see exactly how the call is being made we may be able to spot what the issue is.

Best,
-Catalina
ORCID Tech Team

--
You received this message because you are subscribed to the Google Groups "ORCID API Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to orcid-api-use...@googlegroups.com.
To post to this group, send email to orcid-a...@googlegroups.com.
Visit this group at https://groups.google.com/group/orcid-api-users.
For more options, visit https://groups.google.com/d/optout.

Greg Newton

unread,
Apr 5, 2019, 2:09:52 PM4/5/19
to ORCID API Users
After further thought I realized that this is exclusively associated with the ORCID code behind userStatus.json, so I put together a public test here <https://hcmc.uvic.ca/people/greg/fetch-force-logout.html>. It's a procedural test with explanatory notes.
To be complete, I have another version that runs the same test using the ajax code found in the GitHub repo. You can find that version here <https://hcmc.uvic.ca/people/greg/ajax-force-logout.html>
The pages are self-contained and no server-side code is running in the background.

Montenegro, Angel

unread,
Apr 5, 2019, 4:37:16 PM4/5/19
to Greg Newton, ORCID API Users
Hi Greg,

Since your request comes from another server, you will need to do a JsonP or CORS request in order to make the logout functionality to work properly, however, the fetch api you are using in your example doesn't support any of those.

If you look at the source of our jsonp sample: http://orcid.github.io/test/log-user-out-jsonp.html we are using an $.ajax request with a jsonp dataType, thats why it works properly.

So, given that you need to bypass the cross domain restrictions, I think you have two possible solutions: 

1) (The easiest one) Instead of using fetch api, change it so it uses the Ajax libraries and specify the JSONP datatype in your request, as we did in our jsonp example. 
2) You will need to install a package that allows you to do jsonp calls: https://www.npmjs.com/package/fetch-jsonp 

Hope this helps, please let me know if this help you out.

Thanks


--
You received this message because you are subscribed to the Google Groups "ORCID API Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to orcid-api-use...@googlegroups.com.
To post to this group, send email to orcid-a...@googlegroups.com.
Visit this group at https://groups.google.com/group/orcid-api-users.
For more options, visit https://groups.google.com/d/optout.


--
Ángel Montenegro
Software architect
We need your feedback! Please take 10 minutes to tell us about your understanding and use of ORCID in our community survey

Greg Newton

unread,
Apr 5, 2019, 5:52:19 PM4/5/19
to ORCID API Users
Thanks for the reply Ángel.
I'm afraid the ajax example you point to doesn't work for me either.

Can you try this?
Log in to sandbox.
Go back to sandbox.
You're still logged in. At least, I am.

Cheers,
Greg

Liz Krznarich

unread,
Apr 5, 2019, 7:01:25 PM4/5/19
to Greg Newton, ORCID API Users
Hi Greg,

I took a look at this as well and spotted an issue on our side. There was a change made to the baseUrl var used in the login check back in Feb that’s resulted in the site no longer redirecting to /signin when userStatus.json returns {"loggedIn":false} . 

Thanks so much for raising this issue - we’ll get it fixed in the next release, which will likely be sometime next week. I’ll post an update here when it’s fixed. In the meantime, you can follow the progress of this ticket on Trello: https://trello.com/c/Hd1L6Jy3/5859-login-check-no-longer-redirects-to-siginin-when-loggedin-false . 

Cheers,
Liz
---
Liz Krznarich 
Tech Lead, ORCID
e.krz...@orcid.org
skype: lizkrznarich
http://orcid.org/0000-0001-6622-4910




Greg Newton

unread,
Apr 8, 2019, 12:39:53 PM4/8/19
to ORCID API Users
Thanks Liz. I'll keep tabs on that ticket.

I *think* I have a cross-browser, plain JS implementation that works now.
That said, Chrome produces the CORB error, and Firefox tells me 'SyntaxError: "JSON.parse: unexpected end of data at line 1 column 1 of the JSON data"' which I assume is a manifestation of the same thing.
Still, the code works.

My fetch code is as follows:
fetch('https://sandbox.orcid.org/userStatus.json?logUserOut=true',{
    mode
: 'no-cors',
    headers
: {Accept: 'application/json'},
    credentials
: 'include'})
.then(function (response) {
   
return response.json();
})
.then(function (data) {
   
if (data.loggedIn === false) {
        console
.log('You have been signed out of ORCID');
   
}
})
.catch(function (err) {
    console
.log(err);
});

Given my current state of things I think we can close this ticket.
Thanks for the help!

Wilmers, Catalina

unread,
Apr 18, 2019, 5:38:29 PM4/18/19
to Greg Newton, ORCID API Users
Hi Greg,

Sorry for the delay on this, our release took longer than expected to get out. I wanted to follow up to let you know that we have fixed the bug Liz described. If you encounter any further issues with this please let us know.

Best,
-Catalina

--

Faisal Rahman

unread,
Sep 30, 2020, 2:21:56 PM9/30/20
to ORCID API Users
Hi,
I'm facing the exact same issue described above but in a very specific environment: Chrome Incognito mode (Windows10).

To be certain, I used the "Ajax jsonp" testcase above (http://orcid.github.io/test/log-user-out-jsonp.html)  and although it returns {"loggedIn":false}, It doesn't log me out of ORCID sandbox.

Chrome build used for testing:  Version 85.0.4183.121 (Official Build) (64-bit)  

Note that everything works fine in the same browser if not in Chrome Incognito mode. Looking forward to a solution to this.

Kind regards,
Faisal

Liz Krznarich

unread,
Oct 5, 2020, 2:50:34 PM10/5/20
to ORCID API Users
Hi Faisal,

I've been testing force logout using Chrome 85.0.4183.121 Incognito mode, but I have not been able to reproduce this issue. One point to note is that it can can take up to 30 seconds for the user to be redirected, as logged is status is checked from the UI every 30 sec per https://github.com/ORCID/ORCID-Source/blob/master/orcid-web/src/main/webapp/static/javascript/script.js#L433

For example, in the attached screenshots,  I hit https://sandbox.orcid.org/userStatus.json?logUserOut=true at 18:39:58 and the next check to see whether the user was logged in happened at 18:40:06 (but again, per the code, the next check could be up to 30 sec from any given time). 

Can you please confirm that the logged-in user is not redirected after waiting up to 30 seconds? And, if not, can you provide screenshots of your Developer Tools Console and Network tabs (with "Preserve log" enabled).

Cheers,
Liz
---
Liz Krznarich 
Tech Lead, New Projects, ORCID
https://orcid.org/0000-0001-6622-4910
log-user-out-request.png
user-status-check.png

Faisal Rahman

unread,
Oct 5, 2020, 8:33:47 PM10/5/20
to ORCID API Users
Hi Liz,
I'd like to quickly mention that hitting https://sandbox.orcid.org/userStatus.json?logUserOut=true from the browser works perfectly fine for me as well and the UI does get redirected to the sign-in page in 30s.

However, none of that happens if the https://sandbox.orcid.org/userStatus.json?logUserOut=true URL is hit with an AJAX-JSONP request. If I'm not wrong something like this test-case (http://orcid.github.io/test/log-user-out-jsonp.html) should also log the user out in a similar fashion, right?

Please run the ajax-jsonp test-case instead of directly hitting the URL from browser and let me know if you still have trouble reproducing the issue. 

Kind regards,
Faisal

Liz Krznarich

unread,
Oct 6, 2020, 8:58:30 AM10/6/20
to ORCID API Users
Hi Faisal,

That makes more sense. In that case, the problem is related to 3rd party cookies, which are blocked by default in incognito mode. That means the app is unable to access and remove the session cookie when the log out request is made from a different domain (http://orcid.github.io). You can get around this by enabling third party cookies in incognito mode using the toggle on the incognito home screen (see attached screenshot) or in chrome://settings/cookies

Cheers,
Liz
incognito-cookie-toggle.png

Faisal Rahman

unread,
Oct 6, 2020, 10:22:53 AM10/6/20
to ORCID API Users

Hi Liz,
That explains everything. Thank you very much for your support.

Kind regards,
Faisal Rahman

Faisal Rahman

unread,
Oct 6, 2020, 10:55:05 AM10/6/20
to ORCID API Users
Hi Liz,
One last thing. As a work around, we're considering using the "callback" param along with "logUserOut" to achieve a redirection as described here https://members.orcid.org/api/resources/customize

But we keep getting this error when we hit (directly from browser) https://sandbox.orcid.org/userStatus.json?logUserOut=true&callback=http://www.google.com   :
<html><head><title>Oops an error happened!</title></head> <body>400 Bad Request: Callback url param is not valid</body> </html> 

Could you please help out with some context on how to achieve redirection from   https://sandbox.orcid.org/userStatus.json  ?

Kind regards,
Faisal Rahman 

Liz Krznarich

unread,
Oct 6, 2020, 11:29:51 AM10/6/20
to ORCID API Users
Hi Faisal,

The value of the callback param should be the name of a function in your app that will be called after a response to the JSONP request is received (see Callback Function in https://www.w3schools.com/js/js_json_jsonp.asp). 

For security reasons, we don't allow URLs or code in the callback param. Instead, any redirection or other actions that need to happen based on the JSONP response should take place inside that callback function you define in your app.

Cheers,
Liz
Reply all
Reply to author
Forward
0 new messages