How should we deal with logout if we login via sso?

Hi, first of all, great product. Very much enjoying it :sweat_smile:

This question could be a duplicate of this. I tried, looked, and it still doesn’t work, so here I leave my own question again.

The question is simple. Why do I keep getting 400 whilst I can do all other API calls?

For example, I am currently using a link for authentication with a callback, just as below.

https://directus.domain.com/auth/login/google?redirect=https://site.domain.com/api/users/sync

By doing so, I was able to get a cookie to be used on both sites, using Directus as a single source of truth.

And the deployment has the following configuration.


AUTH_PROVIDERS: "google"
AUTH_DISABLE_DEFAULT: true
AUTH_GOOGLE_MODE: "session"
AUTH_GOOGLE_DRIVER: "openid"

...

SESSION_COOKIE_NAME: "__Secure-my-session"
SESSION_COOKIE_DOMAIN: "domain.com"
SESSION_COOKIE_SECURE: true
SESSION_COOKIE_SAME_SITE: "lax" # but also works with None atm.

Everything works just fine, until I realized that logout requires me to have a refresh token.

So, basically I can control how to login, but I cannot control how to logout other than deleting the cookie on the logged-in session.

One thing that really confuses me is that all other APIs work just fine with this session cookie. I can get, put, patch. It’s just that, I believe, neither refresh nor logout ever works.

Is there something I have missed? Or should I run my own authentication layer and connect it with the Directus instance?

Hello @state303

You are using the session method in that scenario; you do not need any token. This should work:

import { createDirectus, authentication, rest } from '@directus/sdk';

// Pass 'session' so the SDK logs out via the session cookie instead of the
// default cookie/refresh-token mode; credentials: 'include' makes the browser
// attach that cookie to the cross-origin request to Directus.
const client = createDirectus('directus_project_url')
  .with(authentication('session', { credentials: 'include' }))
  .with(rest());

const result = await client.logout();

I am sharing an example of a docker compose file:

version: "3"
services:
  database:
    image: postgis/postgis:13-master
    # Required when running on platform other than amd64, like Apple M1/M2:
    # platform: linux/amd64
    volumes:
      - ./data/database:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: "directus"
      POSTGRES_PASSWORD: "directus"
      POSTGRES_DB: "directus"
    healthcheck:
      test: ["CMD", "pg_isready", "--host=localhost", "--username=directus"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_interval: 5s
      start_period: 30s

  cache:
    image: redis:6
    healthcheck:
      test: ["CMD-SHELL", "[ $$(redis-cli ping) = 'PONG' ]"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_interval: 5s
      start_period: 30s

  directus:
    image: directus/directus:11.5.1
    ports:
      - 8055:8055
    volumes:
      - ./uploads:/directus/uploads
      - ./extensions:/directus/extensions
    depends_on:
      database:
        condition: service_healthy
      cache:
        condition: service_healthy
    environment:
      SECRET: "replace-with-secure-random-value"

      DB_CLIENT: "pg"
      DB_HOST: "database"
      DB_PORT: "5432"
      DB_DATABASE: "directus"
      DB_USER: "directus"
      DB_PASSWORD: "directus"

      CACHE_ENABLED: "true"
      CACHE_AUTO_PURGE: "true"
      CACHE_STORE: "redis"
      REDIS: "redis://cache:6379"

      ADMIN_EMAIL: "admin@example.com"
      ADMIN_PASSWORD: "d1r3ctu5"

      AUTH_PROVIDERS: "google"
      AUTH_GOOGLE_DRIVER: "openid"
      AUTH_GOOGLE_CLIENT_ID: "1234567890-abcde12345fghijklmnopqr.apps.googleusercontent.com"
      AUTH_GOOGLE_CLIENT_SECRET: "XyZ123abcDEF456ghiJKL"
      AUTH_GOOGLE_ISSUER_URL: "https://accounts.google.com"
      AUTH_GOOGLE_IDENTIFIER_KEY: "email"
      AUTH_GOOGLE_ICON: "google"
      AUTH_GOOGLE_LABEL: "Google"
      AUTH_GOOGLE_ALLOW_PUBLIC_REGISTRATION: "true" # This allows users to be automatically created on logins. Use "false" if you want to create users manually
      AUTH_GOOGLE_DEFAULT_ROLE_ID: "b3d8da3d-1277-4402-9d78-6e17b0fca492"
      AUTH_GOOGLE_REDIRECT_ALLOW_LIST: "https://frontend.xyz.com/login" # frontend login page url

      AUTH_GOOGLE_MODE: "session"
      SESSION_COOKIE_DOMAIN: "directus.xyz.com" # The domain of your Directus instance. For example "directus.xyz.com"
      SESSION_COOKIE_SECURE: "true"
      SESSION_COOKIE_SAME_SITE: "None"

      CORS_ENABLED: "true" # quoted so the YAML parser keeps it a string, like the other flags
      CORS_ORIGIN: "https://frontend.xyz.com"
      CORS_CREDENTIALS: "true"

      PUBLIC_URL: "https://directus.xyz.com" # Public URL must be provided for the SSO to work

    env_file:
      - .env

I was struggling with this as well today and I found the fix; here’s the link for your reference.
I suppose you can access everything except logout, since logout somehow requires the below POST request body:

{"mode": "session"}
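The raw request that the two replies above describe, as an added example that is not part of the thread or of the Directus SDK: it posts `{"mode": "session"}` to `/auth/logout` with the session cookie attached, and interprets a 400 as the missing-token failure the question reports. The base URL and the `fakeDirectusFetch` stub are constructed for this example so it runs offline.

```javascript
// Added example (not from the thread or the Directus SDK). Builds the logout
// request for session-mode SSO and classifies the response.

function buildSessionLogoutRequest(baseUrl) {
  return {
    url: new URL('/auth/logout', baseUrl).toString(),
    init: {
      method: 'POST',
      // site.domain.com -> directus.domain.com is same-site but cross-origin:
      // fetch only attaches the session cookie with credentials: 'include'.
      credentials: 'include',
      headers: { 'Content-Type': 'application/json' },
      // Tells Directus to read the token from the session cookie instead of
      // expecting a refresh_token in the body, which is what produced the 400.
      body: JSON.stringify({ mode: 'session' }),
    },
  };
}

// 204 means the session was invalidated; 400 means no token was found, i.e.
// the mode was omitted or the cookie never reached the server.
function interpretLogoutResponse(status, payload) {
  if (status === 204) return { ok: true, status };
  const detail = payload?.errors?.[0]?.message ?? '';
  return { ok: false, status, detail };
}

async function sessionLogout(baseUrl, fetchImpl = fetch) {
  const { url, init } = buildSessionLogoutRequest(baseUrl);
  const res = await fetchImpl(url, init);
  let payload = null;
  try { payload = await res.json(); } catch (_) { /* 204 has no body */ }
  return interpretLogoutResponse(res.status, payload);
}

// Constructed stand-in for the endpoint, only so this file runs offline. It
// mirrors the behaviour the thread describes: a session-mode body plus a sent
// session cookie succeeds; anything else is rejected with 400.
function fakeDirectusFetch(cookieHeader) {
  return async (url, init) => {
    const body = JSON.parse(init.body || '{}');
    const hasCookie = /(?:^|;\s*)__Secure-my-session=/.test(cookieHeader);
    const cookieSent = init.credentials === 'include' && hasCookie;
    if (url.endsWith('/auth/logout') && body.mode === 'session' && cookieSent) {
      return { status: 204, json: async () => { throw new Error('no body'); } };
    }
    const errors = [{ message: 'Refresh token required (constructed message)' }];
    return { status: 400, json: async () => ({ errors }) };
  };
}
```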