The biggest question here is what you want logout to mean. If a user is logged into your application via their Google Account, they probably don't want to logout from Google if they are using their own laptop, tablet, or desktop.
For this reason, python-social-auth does not include logout logic, and neither does OAuth2, really, but both Django and Flask include a logout mechanism which you can use to logout from only your web application.
You've tagged django, so you could include django.contrib.auth.views.LogoutView as one of your URLs, and link your "Sign-out" function to that URL, or you could write your own URL, and somewhere within call django.contrib.auth.logout. It is generally friendly to confirm to the user that they are logged out, and provide some sort of simple template page that confirms they're logged out; this is the function of that view django.contrib.auth.views.LogoutView that I referenced above.
If you want to go farther, the URL to use for each backend could be quite difficult if you are supporting several such backends. See Logout link with return URL (OAuth) for more information on this.
You also should do something to figure out whether the user wants to logout completely; as this is not typical with OAuth2. Your solution will require some sort of user interface element. Here are some possibilities:
- You could ask them via a form before they logout - "[ ] Do you want to logout completely from Google?". When the form is posted back, you decide whether to redirect to a logout URL for Google. This is a bit of a security risk, because they may click Sign-out and then go to lunch.
- You could simply let them know afterwards that they've been logged out of your application, but not out of google. Again, this can be a security risk.
- You could ask when they login what they want to do, indirectly. Maybe you present a login interface that includes a checkbox like "[ ] This is a computer that I trust" before the list of social backend buttons, and save that button check in the session. Then, when they sign-out, you can keep the "contract with the user" by simply doing it.
Because python-social-auth has such an excellent settings mechanism, you can store a backend specific LOGOUT_URL in the settings, for instance:
SOCIAL_AUTH_GOOGLE_OAUTH2_LOGOUT_URL='https://www.google.com/accounts/Logout'
Again for how to continue back to a confirmation URL, see Logout link with return URL (OAuth).
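As an added example (not part of the original answer, and not code from python-social-auth or Django), here is one way to wire the "trusted computer" idea together with the per-backend LOGOUT_URL setting: a small decision function that can be tested on its own, plus a Django view that calls it after django.contrib.auth.logout. The session key "trusted_device", the view name sign_out, and the values in SAMPLE_SETTINGS are assumptions made for this illustration; the setting-name convention (SOCIAL_AUTH_<BACKEND>_LOGOUT_URL) follows the answer above.

```python
# Added example, not from the original answer or from python-social-auth.
# Decides whether a sign-out should end only the application session or
# also send the browser to the provider's logout page, based on a
# "trusted computer" flag saved in the session at login time.

SESSION_TRUSTED_KEY = "trusted_device"  # assumed key, set by the login form

# Constructed sample settings, named in the python-social-auth style.
SAMPLE_SETTINGS = {
    "SOCIAL_AUTH_GOOGLE_OAUTH2_LOGOUT_URL": "https://www.google.com/accounts/Logout",
    "LOGOUT_REDIRECT_URL": "/signed-out/",
}


def _setting(settings, name, default=None):
    """Read a setting from either a plain dict or django.conf.settings."""
    if isinstance(settings, dict):
        return settings.get(name, default)
    return getattr(settings, name, default)


def logout_setting_name(backend_name):
    """Map a backend name such as 'google-oauth2' to the settings key
    SOCIAL_AUTH_GOOGLE_OAUTH2_LOGOUT_URL (upper-case, '-' becomes '_')."""
    return "SOCIAL_AUTH_%s_LOGOUT_URL" % backend_name.upper().replace("-", "_")


def provider_logout_url(settings, backend_name):
    """Return the configured provider logout URL, or None if none is set."""
    return _setting(settings, logout_setting_name(backend_name))


def logout_redirect_target(session, settings, backend_name):
    """Decide where to send the browser after the local session is destroyed.

    On a trusted device only the application session ends, so the user goes
    to the local confirmation page.  Otherwise the user is sent to the
    provider's logout URL when one is configured for that backend; a backend
    with no configured URL still gets the local confirmation page.
    """
    local_page = _setting(settings, "LOGOUT_REDIRECT_URL", "/")
    if session.get(SESSION_TRUSTED_KEY, False):
        return local_page
    return provider_logout_url(settings, backend_name) or local_page


def sign_out(request):
    """Django view (assumed name).  Imports are local so that the decision
    logic above can be exercised without Django installed."""
    from django.conf import settings
    from django.contrib.auth import logout
    from django.shortcuts import redirect

    # Copy what we need BEFORE calling logout(): Django's logout() flushes
    # the session, so the trusted flag would be gone afterwards.
    session_copy = {
        SESSION_TRUSTED_KEY: request.session.get(SESSION_TRUSTED_KEY, False)
    }
    # python-social-auth keeps the provider name on UserSocialAuth.provider,
    # reachable through the user's social_auth related manager.
    social = None
    if request.user.is_authenticated:
        social = request.user.social_auth.first()
    backend_name = social.provider if social is not None else ""

    logout(request)
    return redirect(logout_redirect_target(session_copy, settings, backend_name))
```

Point the "Sign-out" link at a URL routed to sign_out; the confirmation page behind LOGOUT_REDIRECT_URL can then say plainly whether the user was also sent to the provider, which addresses the "went to lunch" risk mentioned above without asking an extra question at sign-out time.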