Last tested: May 7, 2020
An application will log embed users into Looker, but when they log out of the application, they will not be logged out of Looker.
Looker does not use a /logout endpoint for web sessions. Instead, you will need to make calls to Looker's user_sessions endpoints when the embed user is logging out of the your application
- Get the user's session_id from the GET all_web_login_sessions endpoint
- Delete the session_id using the delete_user_sessions endpoint
Voila, the user's Looker session is deleted when they log out of the application.
Since this solution can be difficult to implement and may not perfectly fit your requirements, there is a Feature request to have a way of terminating the Looker session through the parent app directly: Allow terminating SSO embedded session for an externa_user_id.
Thank you for providing this explanation! I’m surprised this is not discussed more in the Looker documentation, as it is seems like it should be a major security concern for any application using Embedded SSO.
I noticed in Developer Tools that there is a logout endpoint that does work for embedded users (POST /logout), but it looks like the CSRF protection would prevent our wrapper application from utilizing it. (our looker instance is on a subdomain of our wrapper application, but the CSRF-TOKEN cookie seems to use the full looker url as domain)
We are currently using embedded reports and there is a security concerns around logging the user out. Any help is appreciated. /logout/embed with CORS by-passed would be great.