Logout system url ?

[arminvburren]

Hello,
I'm trying to create a logout url:

@app.get("/logout", name="logout")
async def logout(request: Request):
    logout_url = fief.logout_url("http://localhost:8000")
    print(logout_url)
    response = RedirectResponse(logout_url)
    return response

So first I have to put await apparently logout_url = await fief.logout_url("http://localhost:8000") otherwise it says 'FiefAsync.logout_url' was never awaited.

Secondly the redirection works well but ... I am still connected.. meaning if I go on /protected which has for code:

@app.get("/protected", name="protected")
async def protected(
    access_token_info: FiefAccessTokenInfo = Depends(auth.current_user()),  # !
    ):
    userinfo = await fief.userinfo(access_token_info["access_token"])
    return HTMLResponse(
        f"<h1>You are authenticated. Your user ID is {access_token_info['id']}</h1><br>{access_token_info}<br>{userinfo}"
    )

I still have my user / email etc...

What am i doing wrong ? Maybe a cookie to erase in addition of the page ?

[arminvburren]

Mm apparently it works with deleting the cookie. Suprising thing though is that I thought the logout page would make the original cookie / token used for login expired on fief server side ?

What do I not understand ?

[frankie567]

Hi @arminvburren!

The key thing to understand with Fief is that there is actually two kinds of user sessions:

• Your app session: it's the one you are maintaining on your side after a successful callback. In the web application example, it happens when we call .set_cookie.
• The Fief session: it's a session handled on Fief side so the user won't have to login again if your app session is expired. In this case, it'll still go through the redirection-callback process, but we won't show them the login page.

That's why when implementing logout you have to take care of two things:

1. Remove your app session. In your case, as you guessed, you just have to call .delete_cookie. Fief doesn't have any control on this session, so it's up to you to manage it.
2. Remove the Fief session: this is what the redirection to the Fief logout URL is doing. On next login, Fief will ask the user to authenticate again.

I hope it clarifies things 😄 That said, it's definitely something that should appear clearly in the documentation!

[arminvburren]

Mm that's how I assumed it is, but then I'm suprised because it seemed to have the opposite effect: if I go on the fief logout URL but not remove the cookie, then the "protected" page stills shows the infos that come from the fief userinfo function (tho i assumed it should not since fief was supposed to have cleaned its had to go through its session which it was supposed to have cleaned in the logout page).

[frankie567]

Yes, that's expected: the access token is a JWT. It's a cryptographically-signed JSON object containing the User ID and a list of allowed scopes. It has a short lifetime (one hour) but it can't be invalidated server-side. So unless we "forget" it, it'll be valid until expiration.

The benefit of this design is that we don't have to make a roundtrip to Fief to check if the token is valid or not; which would be slow. We just need to validate the cryptographic signature: that's what auth.current_user is doing under the hood.

Admittedly, Fief could maintain a list of "revoked" JWT so that the call to userinfo would fail, but I'm not really sure it's necessary.