29 Sep 2017

Log out of Forge

When a Forge application lets the user log in, the second time the user tries to log in it will not ask for a user name or any other credentials, but will log the user in automatically.

The problem comes when you try to log in with another user account. Even if you destroy the session cookies on the server side, the browser will still not ask for user credentials, but will instead just automatically log in the previous user again.

One solution is to clear the browser cache - which will also make sure that you do not get logged in automatically to most websites. In Chrome it looks like this:

Clear browser cache

Fortunately, you can achieve it programmatically as well. Though the Forge Authentication API does not yet provide a relevant endpoint for this functionality, you can use "https://accounts.autodesk.com/Authentication/LogOut" instead, in the following way:

1) Create a hidden iFrame element in your HTML page:

<iframe id="hiddenFrame" style="visibility: hidden"></iframe>

2) Set its source to "https://accounts.autodesk.com/Authentication/LogOut" when the user wants to log out

$('#hiddenFrame').attr('src', 'https://accounts.autodesk.com/Authentication/LogOut');

Done! :)

If you also reload the webpage on log out to clear all the content, make sure you only do that once the iFrame has loaded the LogOut page. You can do this by listening to the load event of the iFrame:

function logoff() {
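    // Subscribe to the load event to see
    // when the LogOut page got loaded
    // (.on('load', ...) is used because the .load() event
    // shorthand was removed in jQuery 3.0)
    $('#hiddenFrame').on('load', function (event) {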

        // Unsubscribe from event
        $("#hiddenFrame").off("load");

        // Tell the server to clear session data
        $.ajax({
            url: '/user/logoff',
            success: function (oauthUrl) {
                // Navigate to the URL returned by the server,
                // which reloads the page
                location.href = oauthUrl;
            }
        });
    });

    // Load the LogOut page
    $('#hiddenFrame').attr('src', 'https://accounts.autodesk.com/Authentication/LogOut');
}

Another way you can force the login page to appear (so that the user can log in with a different account) is to call the authorize endpoint with the prompt=login query string parameter.
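As an added example (not code from the original post), here is a helper that sets prompt=login on the authorize URL the server returns in logoff() before the page navigates to it, and rejects a URL that is not HTTPS or not on an allow-listed host. The function name forceLoginPrompt, the host developer.api.autodesk.com and the sample URL are assumptions.

```javascript
// Added example, not from the original post.
// Assumption: the authorize endpoint is served from this host;
// change the list to the host your application actually uses.
const ALLOWED_AUTH_HOSTS = ['developer.api.autodesk.com'];

// Takes the authorize URL returned by the server (oauthUrl in logoff())
// and returns it with prompt=login set, so the login page always appears.
// Throws rather than returning a URL that is relative, not HTTPS, or not
// on the allow-list, because the result is assigned to location.href.
function forceLoginPrompt(oauthUrl, allowedHosts = ALLOWED_AUTH_HOSTS) {
    let url;
    try {
        url = new URL(oauthUrl);
    } catch (e) {
        throw new Error('Authorize URL is not an absolute URL');
    }
    if (url.protocol !== 'https:') {
        throw new Error('Authorize URL must use https');
    }
    // url.hostname excludes any userinfo, so "allowed.host@other.host"
    // is compared as "other.host" and rejected.
    if (!allowedHosts.includes(url.hostname)) {
        throw new Error('Unexpected authorize host: ' + url.hostname);
    }
    // set() replaces an existing prompt value instead of adding a second one
    url.searchParams.set('prompt', 'login');
    return url.toString();
}

// Constructed sample URL; client_id and redirect_uri are placeholders.
const sampleUrl =
    'https://developer.api.autodesk.com/authentication/v1/authorize' +
    '?response_type=code&client_id=YOUR_CLIENT_ID' +
    '&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback&scope=data%3Aread';
console.log(forceLoginPrompt(sampleUrl));
```

In the logoff() success callback this would be used as location.href = forceLoginPrompt(oauthUrl);.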

 
