Unable to logout when oauth is enabled #1207
Comments
I'm also having the same problem. I'm using Azure AD and when I sign out, the user automatically logs in. I believe there should be a cookie deletion or something like that but I couldn't find a good resource about this. I would appreciate any kind of information about this.
Effectively, it seems that logout is not implemented for oauth. Not sure whether this is a bug or a feature, but I can definitely validate this.
+1 - any update on a fix? I have auth0 / google setup and clicking 'logout' in the user menu redirects the user back to the "sign in with auth0" page which automatically redirects back to a logged in session. I tried the following but it didn't log the user out:
Chainlit never logs out for any auth approach because it stores the auth token in localStorage and never deletes it. I have worked around this by deleting the token from localStorage explicitly from my own JS code. My personal recommendation is not to rely on any of the auth features of Chainlit because storing auth tokens in localStorage doesn't suggest that security is a high priority for the project (so there may be other not-so-obvious risks) and auth is probably going to get removed, see #1265.
Hello @stephenrs, I am actually facing the same problem where the token is saved, and the user is directly redirected to the app without entering his credentials again when logging out. Can you please show me how you did it with JavaScript? I tried but it didn't work as I don't know JS coding very well.
@yumi-bk20 You can remove the token with just one line of code using the builtin localStorage object:
@yumi-bk20 Could you please share how you are doing it in JavaScript, i.e. how you listen for a logout event or trigger, remove the token from localStorage and call the Chainlit logout endpoint?
We're using the chainlit python lib to generate the frontend so we can't natively access JavaScript (and localStorage) without adding a custom script to get/remove the token. This is a little hacky. Ideally the on_logout lifecycle would give us access to cl.user_session so we can access the token and send logout requests to our API using it. Ideally, on_logout would also do localStorage.remove(token) on its own.
@julesterrien You're right, it's definitely a hack, and you're right that chainlit should remove the token automatically. However, I don't think any fixes or features will be added to the auth system in the short term, and it will probably eventually be removed. So I personally don't recommend using it or relying on it in your projects. Please see #1265
@stephenrs Then how to use Microsoft Entra with Chainlit? Have you implemented any auth for your project?
@vivekjainmaiet I'm not familiar with Microsoft Entra, but in my case, I'm integrating chainlit into an existing Flask-based (python) app that already handles authentication (using Auth0). As far as I'm aware, most/all authentication providers make it fairly easy to secure apps, so I would tend to expect that MS Entra is no different. So even if you don't have an existing app, it should be reasonably straightforward to set one up (using Flask or FastAPI, for example) as a type of wrapper around chainlit. Then, you will have full control of the security of your project, access to the wealth of flexibility and support that auth/identity services provide, and you won't have to be concerned about the additional complexity or potential for security gaps in chainlit, or getting stuck with an unsupported configuration if/when they decide to remove auth. Also, the auth system is pretty tightly coupled with the data layer, and the chainlit team appears to also be planning to remove the data layer, which is also discussed on #1265.
@stephenrs But are you pointing to the Logout button to trigger the action, or some other function? Because this is how I am doing it, and it's not working for me: anyone that knows something, please help!
@yumi-bk20 Since I'm not using the chainlit auth features, I'm not relying on any of the logout functionality of chainlit, including the on_logout callback or the logout menu. Login/logout takes place at the level of my app and I delete the token from my app's frontend code, and I've removed the logout menu option from the chainlit UI. Have you confirmed that your event listener is getting triggered when you think it is? Also, have you used your browser's dev console to make sure the token is not getting deleted but then re-saved later in your execution flow? For example, I'm not exactly sure when chainlit saves the token to localStorage or if it does it more than once.
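The two comments above (delete the token from localStorage yourself, and check with the dev console that nothing re-saves it afterwards) can be turned into a small helper. The following is an added example written for this thread, not Chainlit's own code and not the commenter's: it assumes the token is kept under the localStorage key `token` (the key used in the snippet posted later in this thread) and that the backend accepts `POST /logout`; neither is verified against a particular Chainlit release. The storage and `fetch` are injectable so the file also runs under Node.

```javascript
// Added example, not Chainlit code. ASSUMPTIONS: token key "token" and a
// POST /logout backend route, both taken from this thread, not verified.
const TOKEN_KEY = "token";

// In-memory stand-in for window.localStorage so this runs outside a browser;
// in the browser pass window.localStorage instead.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Wraps storage.setItem so every later write of TOKEN_KEY is recorded with a
// stack trace. This is the check suggested above: prove the token is not
// deleted and then silently written back by some other code path.
function watchTokenWrites(storage, log = []) {
  const original = storage.setItem.bind(storage);
  storage.setItem = (key, value) => {
    if (key === TOKEN_KEY) {
      log.push({ value: String(value), stack: new Error("token re-saved").stack });
    }
    return original(key, value);
  };
  return log;
}

// App-level logout: remove the token FIRST, so that any redirect the backend
// response triggers cannot find it, then tell the backend. A failed backend
// call does not undo the local logout.
async function logoutLocal(storage, fetchImpl, backendUrl = "") {
  storage.removeItem(TOKEN_KEY);
  let backendOk = false;
  try {
    const res = await fetchImpl(`${backendUrl}/logout`, {
      method: "POST",
      credentials: "include", // lets the backend clear any session cookie too
    });
    backendOk = res.ok;
  } catch (_err) {
    backendOk = false;
  }
  return { tokenCleared: storage.getItem(TOKEN_KEY) === null, backendOk };
}

// Constructed scenario: login stores a token, logout removes it, and a stray
// code path (standing in for the auto re-login this issue is about) writes
// it back. The watcher catches that second write.
async function demo() {
  const storage = memoryStorage();
  const fakeFetch = async (url, opts) =>
    ({ ok: url.endsWith("/logout") && opts.method === "POST" });
  storage.setItem(TOKEN_KEY, "constructed.token.v1");
  const writes = watchTokenWrites(storage);
  const result = await logoutLocal(storage, fakeFetch);
  storage.setItem(TOKEN_KEY, "constructed.token.v2"); // the re-save to catch
  return { ...result, resaves: writes.length, tokenNow: storage.getItem(TOKEN_KEY) };
}

// In a real page: install the watcher once, then inspect window.__tokenWrites
// (each entry has a stack trace) after clicking Logout.
if (typeof window !== "undefined" && window.localStorage) {
  window.__tokenWrites = watchTokenWrites(window.localStorage);
}
```

In a browser you would call `logoutLocal(window.localStorage, window.fetch)` from your own logout button and then read `window.__tokenWrites` in the console; a non-empty array with a stack trace pointing into the Chainlit bundle is the re-save the comment above warns about.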
Hello, I have made a PR to remove the "autologin" behaviour. |
hello @yumi-bk20 ! I got the same issue... have you found something that works? :) |
@julesterrien @stephenrs @yumi-bk20 can you share the custom script snippet to delete the token? I have tried the code below and it did not work for me.

```javascript
document.addEventListener('DOMContentLoaded', function () {
  function handleLogout() {
    console.log('Logging out');
    localStorage.removeItem("token");
    alert('You have been logged out');
    // You might want to redirect the user or update the UI here
  }

  // The logout menu is rendered by React after DOMContentLoaded and is
  // re-created each time the menu opens, so querying for it once here finds
  // nothing. Delegate from the document instead and inspect the click target.
  document.addEventListener("click", function (event) {
    const target = event.target;

    // For the SVG icon
    const logoutIcon = target.closest('[data-testid="LogoutIcon"]');

    // For the text span: match on the text, not the first <span> on the page
    const span = target.closest('span');
    const isLogoutText = span && span.textContent.trim() === 'Logout';

    if (logoutIcon || isLogoutText) {
      handleLogout();
    }
  }, true); // capture phase: runs before the app's own click handler navigates
});
```
Hey everyone, here's a little update on this saga which, admittedly, is far from an ideal situation. Let me start by stating clearly that getting all auth stuff out of this library, e.g. not rolling our own, is quite high on our wish list. That having been said, we cannot afford to simply break all existing use cases; there needs to be a clear transition path, in addition to a clear destination. Mapping that takes time and attention. Concrete suggestions, including proposals for how to code it as well as other contributions of a positive nature, are very welcome. Now, feel free to join me in this rabbit hole, which I opened whilst reviewing #1362, which tries to address this issue. This seems to be all components related to logging out. Thus far, I'm still unsure what exactly is going on.

Towards a proper solution

We'd need to add something like

Note that, particularly, the UX flow here is non-trivial. When clicking 'log out', the last thing a user expects is to be logged out of Google/GH etc.

Refs:

Current issues (e.g. unbreaking the UX)

The above having been said, simply logging out the user on the client side and prompting the user for login consent as in #1362 should solve the UX. Yet, somehow, it doesn't. It seems there might be a combination of two things going on:

I'd love to hear your thoughts on the above. Explicitly not interested in meta-issues, like your opinion on our level of freely provided community support.

Breadcrumbs (research)

React library

In the React Client library, logout seems to happen here: chainlit/libs/react-client/src/api/index.tsx, line 152 in 1c5098c
There's also a logout hook here, with behaviour which seems (roughly) sensible:

Frontend

This is where
It's instantiated here:
And imported from here:

Backend

Meanwhile, the backend API on chainlit/backend/chainlit/server.py, line 396 in 1c5098c
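The comment above separates two things: the app-side logout (the stale token) and the provider-side behaviour, where the sign-in page bounces straight back into a session because the user is still signed in at Google/Auth0/etc. The following is an added simulation of that provider-side half, written for this thread; it is neither Chainlit's code nor any provider's. It assumes a standard authorization-code flow and a provider that honours the OpenID Connect `prompt` values `login`, `select_account` and `consent` (OIDC Core 3.1.2.1). Which values a given provider accepts varies, and GitHub's OAuth flow is not OIDC, so treat the parameter names as an assumption to check against your provider's documentation. Endpoints, client id and redirect URI are constructed placeholders.

```javascript
// Added example, not Chainlit or provider code. ASSUMPTIONS: OIDC-style
// authorization-code flow; provider honours prompt=login/select_account/consent.

// The redirect the app (relying party) sends the browser to after "logout"
// lands the user on the sign-in page and they click the provider button.
function buildAuthorizeUrl(authorizeEndpoint, { clientId, redirectUri, state, prompt }) {
  const u = new URL(authorizeEndpoint);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("scope", "openid email");
  u.searchParams.set("state", state);
  if (prompt) u.searchParams.set("prompt", prompt); // omitted => provider decides
  return u.toString();
}

// Toy authorization server. `providerSession` stands for the cookie the
// provider set when the user signed in there; an app-level logout does not
// touch it, which is exactly why the app sees an instant re-login.
function providerAuthorize(authorizeUrl, providerSession) {
  const params = new URL(authorizeUrl).searchParams;
  const prompt = params.get("prompt");
  const mustInteract = prompt === "login" || prompt === "select_account" || prompt === "consent";
  if (providerSession && providerSession.user && !mustInteract) {
    // Silent path: no UI at all, straight back to redirect_uri with a new code.
    const back = new URL(params.get("redirect_uri"));
    back.searchParams.set("code", "constructed-code-for-" + providerSession.user);
    back.searchParams.set("state", params.get("state"));
    return { action: "redirect", location: back.toString() };
  }
  // No provider session, or the app asked for interaction: show the login UI.
  return { action: "show_login_page" };
}

// One "click Logout, land on sign-in, click provider" cycle as the user
// experiences it. Returns what the provider did and whether the app ended up
// holding a fresh token again without the user typing anything.
function logoutCycle({ prompt, providerSession }) {
  const app = { token: "constructed-app-token" };
  app.token = null; // the app clears its own token (the fix discussed above)
  const url = buildAuthorizeUrl("https://idp.example/authorize", {
    clientId: "constructed-client-id",
    redirectUri: "https://app.example/auth/oauth/callback",
    state: "constructed-state",
    prompt,
  });
  const reply = providerAuthorize(url, providerSession);
  if (reply.action === "redirect") {
    // The callback exchanges the code and stores a token immediately; from the
    // user's point of view, logout did nothing.
    app.token = "constructed-app-token-2";
  }
  return { providerAction: reply.action, loggedInAgain: app.token !== null };
}
```

Run `logoutCycle({ prompt: undefined, providerSession: { user: "alice" } })` and the provider redirects silently and the app is logged in again; the same call with `prompt: "login"` makes the provider show its login page, and with no provider session the login page is shown either way. Clearing the token and adding `prompt` together give the behaviour users expect without signing them out of the provider itself.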
TLDR; Initial testing with #1362 suggests that:
I'd love to have feedback on (and don't have scope to test) other OAuth providers. In addition, I think we should indeed accelerate decoupling (= getting rid of our own) auth and/or implement
Quick update; we'll do a RC with #1362 on Wednesday, solving the UX part of this issue. |
My (perhaps heavy-handed, big hammer) suggestion, as a possible bridge solution is to:
This seems like a lightweight way to drop a major burden from the project quickly and in a controlled way, while not hurting/blocking existing user projects, although I could be missing something. I just don't see any point in investing more time in trying to fix an auth system that shouldn't exist at all, and it's just too easy (and more reliable/flexible/secure) to get auth without CL providing it. NOTE: My understanding is that CL currently doesn't play well with any of the most popular python frameworks, so a prerequisite to this proposed path to auth freedom might be that CL might have to be made to at least work with a parent FastAPI app without breaking routing (which has been documented on a separate issue). It would also be great to see a more comprehensive proposed roadmap included in the announcement about dropping auth. |
Noticed a problem in the latest release with respect to authentication.
I am using OAuth authentication using GIT.
If I log out, it again logs me in automatically from the logout page. So I cannot log out, essentially.