
log out user vipps (oauth2 ?)


rkg


I'm new at doing webpages with PHP. I have a problem with logging out from my "vipps" login, which is similar to oauth2, I have read. I have searched the web and tried many different solutions, but the only way I can make it work is when I go into the "vipps" app and remove my browser from "browsers that remember you".

At this site (github vipps) I read that I can only log out by disabling the session:

Vipps Login does not support merchant initiated logout in the browser as this would effectively log the user out of Vipps Login (meaning that the user will no longer be remembered in the browser across sites that use Vipps Login). You are of course free to log the user out of your service (by disabling your own session).

If a user wants to log out of a specific browser remembered in Vipps Login, they need to do this in the Vipps app by navigating to:
Profile->Personal Information->Browsers that remember you, select a browser and press the logout button.


If I use incognito mode and login, then close my browser and open it again then I have to login. So I guess there should be a solution for my problem.

I have the current code in a users.php file:

public function logout(){
    $this->user = null;
    // Clear everything this site stored for the user, not only one key
    $_SESSION = [];
    // Also expire the session cookie so the old session id cannot be reused
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    // HTTP_HOST is client-controlled; a configured base URL is safer for redirects
    $hostname = $_SERVER['HTTP_HOST'];
    header("Location: https://" . $hostname);
    exit;
}

and this in a logout.php
require_once __DIR__ . '/TSS/vips/src/auth/Users.php';
// session_destroy() warns unless a session is active; start one if Users.php does not
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
$vipsAuth = new VipsUsers();
// logout() redirects and exits itself, so nothing after this line runs
$vipsAuth->logout();

Does anyone have some good solutions for me?

Thanks in advance, I'm very newbish so I need all the tips I can get.

The nature of OAuth is that you do not control the user's session with the remote site. You can't log the user out like you want to do, and arguably you should not either: it's not your concern.

Why do you think you need to be able to log the user out of that other site?


I'm thinking about a public computer where I have logged in with Vipps. Then I can't log in with another user unless the person who logged in first pushes "forget browser" in their Vipps app? Vipps is a little different from auth I guess, because I need to use my phone to log in.

Unless they provide a way to revoke an access token, the only thing you can do is make sure the user is logged out of your system - you simply can't log someone out of some other website (not unless you can find a security weakness in their site to do so). But a secure OAuth login prompt should not have the side effect of signing the user into that site in the first place...

This isn't just an issue for your two sites: anyone on a shared computer needs to know that if they log into anything, be that Google or Facebook or Amazon, then they have to log out again before they leave.

I don't know all the details of what's going on but it doesn't sound like there's anything you can do.


Thanks for the replies, but I don't think I explained it well enough. On my index.php page, I have a log in button, not any forms where I can put my username or password. If I'm not logged in, then the button redirects me to a vipps API where they ask me to type my phone number. Then it opens a program (Vipps) on my phone and asks for permission to log in to my account site; this works well. But when I try my logout function on my site it sends me to my index.php file and it looks like I'm logged out, but if I then push my log in button on my site it just sends me to my account without asking for permission. I have found 2 ways to log out so I can log in with a new user: one is to delete the allowed browser in my Vipps app on my phone. The other is using incognito mode in Chrome, login and logout, close the browser and try again; then I have to do the process of allowing the browser with my Vipps app all over.

If their system (1) logs the user into their site during the OAuth process, assuming the user is not already logged in, and (2) does not provide a way for you to end that session, then that's a security risk and it has to be mitigated by the other site. They could do so by not logging the user in during the process (only validating the credentials) and/or by giving the user the standard "Remember me; not recommended for shared computers" checkbox (which creates a short-lived session that expires when the browser is closed).

Providing a method to sign someone out given credentials is actually rather uncommon. It's giving a remote site control over something they don't need control over, considering that there are alternatives.
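The replies above agree that the only session the site controls is its own. The following is an added example (not code from the thread or from Vipps) of how the PHP side can keep that local session short-lived on a shared computer: a browser-session cookie, an idle timeout and a fresh session id on login. IDLE_TIMEOUT, the function names and the shape of $userInfo are assumptions; the session key vipsUserInfo is the one used in the thread. It requires PHP 7.3+ for the array form of session_set_cookie_params().

```php
<?php
// Added example, not the thread's code. Vipps Login remembers the browser on its
// own side; nothing here changes that. It only keeps the local login short-lived.

const IDLE_TIMEOUT = 15 * 60;   // seconds of inactivity before the local login ends (assumed value)

function startHardenedSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // lifetime 0: the cookie is dropped when the browser closes, so there is
    // no persistent "remember me" on a public machine
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Idle timeout: an unattended session is emptied and gets a fresh id
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();
}

// Call once the Vipps callback has been validated; $userInfo is whatever the
// site stores about the user (assumed shape, same key name as in the thread)
function loginLocalUser(array $userInfo): void
{
    // New id on login so a session id planted before login cannot be reused
    session_regenerate_id(true);
    $_SESSION['vipsUserInfo'] = $userInfo;
    $_SESSION['last_seen']    = time();
}

function isLoggedIn(): bool
{
    return !empty($_SESSION['vipsUserInfo']);
}

// Typical use at the top of every page (assumed layout):
// startHardenedSession();
// if (!isLoggedIn()) { /* show the Vipps log in button */ }
```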
