"User Log out API" returns success in response but user session is still alive

I’m using SSO settings and calling the User Log out API (https://discourse.example.com/admin/users/{id}/log_out) from my application. The API now returns Success in the response, but the user session is still alive in the browser. What could be the cause?

- Another issue is that the group is not getting set on the user when it is passed in returnPayload.

Before calling the API, did you log out the user in your application? Also try verbose_sso_logging to debug.


Yes, I’m calling the “log out API” after the user logs out from our application. I checked the logs at (xxxxx.trydiscourse.com/logs) but I see only warnings there and no Errors/Fatal.

Note: I’m using a Discourse trial instance for now, and the user group passing (in the return payload) functionality is also not working.

Can you paste the code you are using to call the API and SSO? Then you may get more support from other community members too.

==============API call==============

    // Requires: System.Configuration, System.IO, System.Net, System.Text
    public void LogoutDiscourse()
    {
        string apiKey = ConfigurationManager.AppSettings["discourse_api_key"];
        string apiUsername = ConfigurationManager.AppSettings["discourse_api_username"];
        string url = "https://xxxxxxx.trydiscourse.com/admin/users/" + userId + "/log_out?api_key=" + apiKey + "&api_username=" + apiUsername;
        string response = CalloutDiscourseApi(url);
    }

    public string CalloutDiscourseApi(string apiUrl)
    {
        //HttpWebResponse response = null;
        StreamReader respStream = null;

        // Create a request object using the url passed in
        var request = (HttpWebRequest)WebRequest.Create(apiUrl);
        request.Method = "POST";
        request.Timeout = 10000;

        // Set the content type of the data being posted.
        request.ContentType = "multipart/form-data";

        using (var response = (HttpWebResponse)request.GetResponse())
        {
            // Create a streamreader object from the response
            respStream = new StreamReader(response.GetResponseStream(), Encoding.UTF8);

            // Get the contents of the page as a string and return it
            return respStream.ReadToEnd();
        }
    }


===========SSO - Group passing==========

    // Skipping a few initial lines of code here

    string userGroups = "CustomGroup";

    var result = userRegistration.GetUserSpecificDetails(actualCriteria);
    objUserProfileDetails = (List<UserProfileEditModel>)(serialization.DeSerializeBinary(Convert.ToString(result)));
    var UserProfileDetails = objUserProfileDetails.FirstOrDefault();
    string returnPayload = "nonce=" + Server.UrlEncode(nonce) +
                           "&email=" + Server.UrlEncode(UserProfileDetails.Email) +
                           "&external_id=" + Server.UrlEncode(UserProfileDetails.ID.ToString()) +
                           "&username=" + Server.UrlEncode(UserProfileDetails.Email) +
                           "&name=" + Server.UrlEncode(UserProfileDetails.Name) +
                           "&add_groups=" + Server.UrlEncode(userGroups);

    string encodedPayload = Convert.ToBase64String(Encoding.UTF8.GetBytes(returnPayload));
    string returnSig = getHash(encodedPayload, ssoSecret);

    string redirectUrl = ConfigurationManager.AppSettings["DiscourseUrl"] + "/session/sso_login?sso=" + encodedPayload + "&sig=" + returnSig;

    return Redirect(redirectUrl);
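
An added example, not part of the original post or of Discourse's own code: a Python check that builds the same kind of return payload and then parses the redirect back with the signature verified, so you can confirm locally that add_groups survives with the value you expect. It assumes getHash is a hex HMAC-SHA256 over the Base64 payload (the post does not show it); the secret, URL, nonce and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample values, not taken from the thread.
SECRET = "example-sso-secret"
BASE_URL = "https://discourse.example.com"
FIELDS = {
    "nonce": "cb68251eefb5211e58c00ff1395f0c0b",
    "email": "user@example.com",
    "external_id": "42",
    "username": "user@example.com",
    "name": "Example User",
    "add_groups": "CustomGroup",
}


def sign(payload: str, secret: str) -> str:
    # Assumption: getHash() in the post is HMAC-SHA256 over the Base64 text, hex-encoded.
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()


def build_sso_redirect(base_url: str, secret: str, fields: dict) -> str:
    """Build the /session/sso_login redirect for the given return-payload fields."""
    payload = base64.b64encode(urlencode(fields).encode()).decode()
    # Base64 may contain '+', '/' and '=', so percent-encode it in the query string.
    sso = quote(payload, safe="")
    return f"{base_url}/session/sso_login?sso={sso}&sig={sign(payload, secret)}"


def inspect_sso_redirect(url: str, secret: str) -> dict:
    """Parse a redirect as the receiving side would; reject it if the signature is wrong."""
    query = parse_qs(urlsplit(url).query)
    payload, sig = query["sso"][0], query["sig"][0]
    if not hmac.compare_digest(sign(payload, secret), sig):
        raise ValueError("sso signature does not match payload")
    return {k: v[0] for k, v in parse_qs(base64.b64decode(payload).decode()).items()}


if __name__ == "__main__":
    url = build_sso_redirect(BASE_URL, SECRET, FIELDS)
    for key, value in inspect_sso_redirect(url, SECRET).items():
        print(f"{key} = {value}")
```

Pointing inspect_sso_redirect at a redirect URL captured from your own application shows exactly which fields the signed payload carries.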

Any updates/help on the above queries, please?

Hi @vinothkannans,
Do the APIs and add_groups work on a trial instance?

Yes. It should work. Did you enable the site setting sso_overrides_groups on the admin side?

Yes. PFA

I don’t see any error handling anywhere in there – are you sure the calls are succeeding?

A non-200 response still has a body to read.

Yes @riking, it has centralised error handling code. I have debugged this code and got Response - {"success":"OK"}. I also hit this API from Postman and got the same response - {"success":"OK"}