OAuth Login

Hi, I have my application configured to use Okta OAuth. (Previously I had it working with Google as well.) The login system is working as expected. However, I am struggling to get the logout side working. Here is an example of what I am currently running:

```bash
python3 -m panel serve app2.py --unused-session-lifetime 5000 \
--check-unused-sessions 5000 --oauth-provider=okta \
--oauth-key="{oath_key}" \
--oauth-secret="{oauth_secret}" \
--cookie-secret="{cookie_secret}" \
--oauth-extra-params="{'server': 'default', 'url': '{okta_url}'}" \
--oauth-encryption-key="oauth_encryption_key" \
--log-level='trace'
```

As a minimal app I created the following:

```python
import panel as pn

logout = pn.widgets.Button(name="Logout", button_type="default").servable()

def logout_route(event):
    pn.state.location.pathname = pn.state.location.pathname.split("/")[0] + "/logout"
    pn.state.location.reload = True

logout.on_click(logout_route)
```

Upon clicking this button to hit the /logout url, it reloads the page and the user is still logged in. No real evidence in the logs about how the cookies are dealt with or anything related.

Is it possible to log out the user from the OAuth provider? As a side note, the above is running on my localhost. I have my program running in production on Azure with the Okta OAuth working, but haven’t managed to get the logout working there either. I tried both /logout and /.auth/logout as URLs, but they don’t actually log out of Okta.

Would I be correct in saying that I need to actually hit the Okta logout endpoint myself? Or can it be done through Panel?

Thanks

Suffering from the same problem here. Would appreciate your help.

@philippjfr . Do you know the answer to this one?

Thank you for the referral but to be exact I am using a Generic Auth provider. I just need to know how to build a logout button for that. Thought it would be easier if I narrow down my question. Thanks @Marc


The /logout handler should definitely clear all cookies. Existing sessions will persist though, so I’d be very open to a feature request and/or PR to automatically kill sessions associated with a logged out user. Is that what you’re observing or are you actually observing that the user can still access the apps even after logging out?

I’m looking for a straightforward button widget that would allow me with a method request logging out from the generic auth provider. That being said, the page should lose the dashboard and confirm for the user that it signed out from the website.

To be exact I can’t seem to know how to use the logout handler found in the BasicProvider for it to sign out the user from the dashboard page.
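
As an added example that is not part of any post in this thread and is not Panel's own code: clearing the app's cookies does not end the session at the identity provider, which takes a separate request to Okta's OIDC logout endpoint. The code builds that URL from the `server` and `url` values used in the command at the top of the thread; the function name, the redirect allow-list and all sample values are assumptions.

```python
# Added example (not Panel's or the poster's code): build an Okta OIDC
# RP-initiated logout URL. All names and sample values are constructed.
import re
import secrets
from urllib.parse import urlencode, urlsplit

_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def okta_logout_url(okta_domain, id_token, post_logout_redirect_uri,
                    allowed_redirects, server="default"):
    """Return (url, state) for ending the user's session at Okta.

    okta_domain / server mirror the 'url' and 'server' values passed in
    --oauth-extra-params; server=None selects the org authorization server.
    """
    # Reject anything that is not a bare host name (no scheme, path or '@').
    if not _HOST_RE.fullmatch(okta_domain):
        raise ValueError("okta_domain must be a bare host name")
    if server is not None and not re.fullmatch(r"[A-Za-z0-9_-]+", server):
        raise ValueError("invalid authorization server id")
    # A compact JWT has exactly three dot-separated segments.
    if id_token.count(".") != 2:
        raise ValueError("id_token_hint must be a compact JWT")
    # Only return to URIs registered for the app (prevents open redirects).
    if post_logout_redirect_uri not in allowed_redirects:
        raise ValueError("post_logout_redirect_uri is not allow-listed")
    if urlsplit(post_logout_redirect_uri).scheme not in ("https", "http"):
        raise ValueError("unsupported redirect scheme")

    path = f"/oauth2/{server}/v1/logout" if server else "/oauth2/v1/logout"
    state = secrets.token_urlsafe(16)  # echoed back by Okta; verify on return
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })
    return f"https://{okta_domain}{path}?{query}", state


# Constructed sample values, for illustration only.
SAMPLE_TOKEN = "aGVhZGVy.cGF5bG9hZA.c2ln"
ALLOWED = {"http://localhost:5006/app2"}
url, state = okta_logout_url("dev-000000.okta.example", SAMPLE_TOKEN,
                             "http://localhost:5006/app2", ALLOWED)
```

The `post_logout_redirect_uri` also has to be registered among the Okta application's sign-out redirect URIs, and the returned `state` should be compared with the value Okta sends back on the redirect.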