"User Log out API" return success in response but user session still alive

(Kalpantkrishna Patil) #1

I’m using SSO settings and calling User Log out API (https://discourse.example.com/admin/users/{id}/log_out) from my application. Now API returns Success in response but user session still alive in browser. what should be the cause?

-Another issue is that Group is not getting set to User while passing from returnPayload.

(Vinoth Kannan) #2

Before calling the API did you logged-out the user in your application? Also try verbose_sso_logging to debug.

(Kalpantkrishna Patil) #3

Yes, I’m calling “log out API” after user logout from our application. I observed logs on (xxxxx.trydiscourse.com/logs) but seeing only warning there and no Errors/Fatal.

Note: I’m using discourse trial instance for now and user Group passing(in return payload) functionality is also not working.

(Vinoth Kannan) #4

Can you paste the code you are using to call the API and SSO? Then you may get more support from other community members too.

(Kalpantkrishna Patil) #5
==============API call==============    
    public void LogoutDiscourse()
            string apiKey = ConfigurationManager.AppSettings["discourse_api_key"];
            string apiUsername = ConfigurationManager.AppSettings["discourse_api_username"];
            string url = "https://xxxxxxx.trydiscourse.com/admin/users/" + userId + "/log_out?api_key=" + apiKey + "&api_username=" + apiUsername;
            string response = CalloutDiscourseApi(url);


        public string CalloutDiscourseApi(string apiUrl)
            //HttpWebResponse response = null;
            StreamReader respStream = null;

            // Create a request object using the url passed in 
            var request = (HttpWebRequest)WebRequest.Create(apiUrl);
            request.Method = "POST";
            request.Timeout = 10000;

            //Set the content type of the data being posted.
            request.ContentType = "multipart/form-data";

            using (var response = (HttpWebResponse)request.GetResponse())
                // Create a streamreader object from the response 
                respStream = new StreamReader(response.GetResponseStream(), Encoding.UTF8);

                // Get the contents of the page as a string and return it 
                return respStream.ReadToEnd();


===========SSO - Group passing==========

////Skipping few initial line of code here

 string userGroups = "CustomGroup";

            var result = userRegistration.GetUserSpecificDetails(actualCriteria);
            objUserProfileDetails = (List<UserProfileEditModel>)(serialization.DeSerializeBinary(Convert.ToString(result)));
            var UserProfileDetails = objUserProfileDetails.FirstOrDefault();
            string returnPayload = "nonce=" + Server.UrlEncode(nonce) +
                                     "&email=" + Server.UrlEncode(UserProfileDetails.Email) +
                                     "&external_id=" + Server.UrlEncode(UserProfileDetails.ID.ToString()) +
                                     "&username=" + Server.UrlEncode(UserProfileDetails.Email) +
                                     "&name=" + Server.UrlEncode(UserProfileDetails.Name) +
                                     "&add_groups=" + Server.UrlEncode(userGroups);

            string encodedPayload = Convert.ToBase64String(Encoding.UTF8.GetBytes(returnPayload));
            string returnSig = getHash(encodedPayload, ssoSecret);

            string redirectUrl = ConfigurationManager.AppSettings["DiscourseUrl"] + "/session/sso_login?sso=" + encodedPayload + "&sig=" + returnSig;

            return Redirect(redirectUrl);

(Kalpantkrishna Patil) #6

Any updates/help on above queries please

(Kalpantkrishna Patil) #7

Hi @vinothkannans ,
Does API’s and add_groups works on trial instance?

(Vinoth Kannan) #8

Yes. It should work. Did you enable the site setting sso_overrides_groups in admin side?

(Kalpantkrishna Patil) #9

Yes. PFA

(Kane York) #10

I don’t see any error handling anywhere in there – are you sure the calls are succeeding?

A non-200 response still has a body to read.

(Kalpantkrishna Patil) #11

Yes @riking, It has centralised error handling code. I have debugged this code and got Response - {“success”:“OK”}. Also hit this API from postman and got the same response - {“success”:“OK”}