How to log embed users out of Looker when they log out of the application?

Knowledge Drop

Last tested: May 7, 2020
 

The Problem

An application will log embed users into Looker, but when they log out of the application, they will not be logged out of Looker.

A Solution

Looker does not expose a /logout endpoint for web sessions. Instead, you will need to call Looker's user_sessions API endpoints when the embed user logs out of your application:

  1. Get the user's session_id from the GET all_web_login_sessions endpoint
  2. Delete the session_id using the delete_user_sessions endpoint

Voila, the user's Looker session is deleted when they log out of the application.
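The two steps above, as an added example that is not part of the original post or of Looker's own tooling. It assumes Looker API 4.0 paths (GET /users/{id}/sessions for all_web_login_sessions, DELETE /users/{id}/sessions/{session_id} for the delete, and GET /users/credential/embed/{external_user_id} to find the embed user by the external_user_id the host app put in the SSO embed URL) and that the Session object carries ip_address and browser fields; the HTTP transport is a plain callable so the flow runs offline against a constructed in-memory stand-in. Because the session list covers every login for that user, the example also lets the host application narrow the deletion to the session whose IP or browser string matches the logout request.

```python
from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple

# Transport: (method, path) -> (status_code, decoded JSON body or None).
HttpCall = Callable[[str, str], Tuple[int, Any]]


def requests_transport(base_url: str, access_token: str) -> HttpCall:
    """Transport over the `requests` library (assumed installed).
    base_url is a placeholder such as https://looker.example.com:19999/api/4.0;
    access_token comes from a prior POST /login with API3 credentials."""
    import requests  # lazy import: the offline demo below does not need it

    def call(method: str, path: str) -> Tuple[int, Any]:
        r = requests.request(method, base_url + path, timeout=10,
                             headers={"Authorization": f"token {access_token}"})
        return r.status_code, (r.json() if r.content else None)
    return call


def find_embed_user(call: HttpCall, external_user_id: str) -> int:
    """Resolve the embed user's Looker id from its external_user_id
    (user_for_credential endpoint, credential type 'embed')."""
    status, body = call("GET", f"/users/credential/embed/{external_user_id}")
    if status != 200:
        raise LookupError(f"no embed user {external_user_id!r} (HTTP {status})")
    return int(body["id"])


def select_sessions(sessions: Iterable[Dict[str, Any]],
                    ip_address: Optional[str] = None,
                    browser: Optional[str] = None) -> List[str]:
    """Step 1: choose session ids to delete. With no hints every session is
    chosen (the post's approach); an IP / browser hint taken from the logout
    request narrows the choice to the matching browser session(s)."""
    chosen = []
    for s in sessions:
        if ip_address is not None and s.get("ip_address") != ip_address:
            continue
        if browser is not None and browser not in (s.get("browser") or ""):
            continue
        chosen.append(str(s["id"]))
    return chosen


def terminate_sessions(call: HttpCall, external_user_id: str,
                       ip_address: Optional[str] = None,
                       browser: Optional[str] = None) -> List[str]:
    """Steps 1 and 2: list the user's web login sessions, delete the selected
    ones. Raises on any failed delete so the host app can record a failed
    logout instead of silently leaving a live Looker session behind."""
    user_id = find_embed_user(call, external_user_id)
    status, sessions = call("GET", f"/users/{user_id}/sessions")
    if status != 200:
        raise RuntimeError(f"listing sessions failed (HTTP {status})")
    deleted = []
    for sid in select_sessions(sessions, ip_address, browser):
        status, _ = call("DELETE", f"/users/{user_id}/sessions/{sid}")
        if status != 204:
            raise RuntimeError(f"delete of session {sid} failed (HTTP {status})")
        deleted.append(sid)
    return deleted


class FakeLooker:
    """Constructed in-memory stand-in for the three endpoints used above, so
    the flow can be exercised offline. Not a Looker client."""

    def __init__(self, external_user_id: str, user_id: int,
                 sessions: List[Dict[str, Any]]):
        self.users = {external_user_id: user_id}
        self.sessions = {user_id: {str(s["id"]): s for s in sessions}}
        self.deleted: List[str] = []

    def __call__(self, method: str, path: str) -> Tuple[int, Any]:
        parts = path.strip("/").split("/")
        if method == "GET" and parts[:3] == ["users", "credential", "embed"]:
            uid = self.users.get(parts[3])
            return (200, {"id": uid}) if uid else (404, None)
        if parts[0] == "users" and len(parts) >= 3 and parts[1].isdigit() \
                and parts[2] == "sessions":
            user = self.sessions.get(int(parts[1]), {})
            if method == "GET" and len(parts) == 3:
                return 200, list(user.values())
            if method == "DELETE" and len(parts) == 4 and parts[3] in user:
                self.deleted.append(parts[3])
                del user[parts[3]]
                return 204, None
        return 404, None


# Constructed sample: one embed user with two live browser sessions.
SAMPLE_SESSIONS = [
    {"id": "101", "ip_address": "203.0.113.7", "browser": "Chrome 81"},
    {"id": "102", "ip_address": "198.51.100.4", "browser": "Firefox 76"},
]


def demo() -> List[str]:
    """Log out only the session matching the logout request's client IP."""
    fake = FakeLooker("app-user-17", 42, SAMPLE_SESSIONS)
    return terminate_sessions(fake, "app-user-17", ip_address="203.0.113.7")


if __name__ == "__main__":
    print(demo())  # ['101']
```

In production, replace the FakeLooker instance with `requests_transport(...)` built from an API3 login token held server-side in the host application; the embed user's browser never needs that token, which is what keeps this path free of the CSRF issue that blocks a browser-initiated logout.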

Since this solution can be difficult to implement and may not perfectly fit your requirements, there is a feature request to have a way of terminating the Looker session through the parent app directly: Allow terminating SSO embedded session for an external_user_id.

This content is subject to limited support.

Comments
KatieK
Participant I

Thank you for providing this explanation! I’m surprised this is not discussed more in the Looker documentation, as it seems like it should be a major security concern for any application using Embedded SSO.

  1. I don’t have access to the feature request you linked to, is there an ETA on this enhancement?
  2. I’m looking at using all_web_login_sessions, as you suggested, but it returns all session ids for a user, where I only want the session id for the browser session they want to log out of. Are there any recommendations for identifying the correct session?

I noticed in Developer Tools that there is a logout endpoint that does work for embedded users (POST /logout), but it looks like the CSRF protection would prevent our wrapper application from utilizing it. (Our Looker instance is on a subdomain of our wrapper application, but the CSRF-TOKEN cookie seems to use the full Looker URL as its domain.)

pjsundhar
New Member

We are currently using embedded reports and there are security concerns around logging the user out. Any help is appreciated. /logout/embed with CORS bypassed would be great.

Version history
Last update: 07-07-2021 01:14 PM