Log the user out of One Login when their form is submitted #2070

Merged
stephencdaly merged 4 commits into main from log-user-out-when-they-submit
Apr 29, 2026

@stephencdaly stephencdaly commented Apr 28, 2026

What problem does this pull request solve?

Trello card: https://trello.com/c/tKtA1VPQ/2858-create-integration-with-one-login

As per the One Login technical documentation, we should build functionality to log the user out to prevent risk of users accidentally sharing sessions. The docs say this can be done by coding the submit button to automatically log the user out.

Handle logging the user out by:

  1. Storing the auth token we get from One Login when the user logs in; this is needed to log out
  2. Redirecting the user to the One Login logout URL when they click the submit button, after we've handled submission
  3. Handling the user being returned to us after logging out to show them the form submitted page

If the user's session cookie has been lost and we're unable to determine the form path parameters after they've been returned to us, let an exception bubble up and show an internal error page for now. We're currently discussing whether we can show something more friendly to the user.

Local testing

Add http://localhost:3001/auth/logged-out to the Post logout redirect URIs (optional) in the One Login admin tool.

To see that it's logged you out, you can complete a form and log in with One Login. After submitting, try to complete another form and you should be asked to log in again if you want a copy of your answers.

Things to consider when reviewing

  • Ensure that you consider the wider context.
  • Does it work when run on your machine?
  • Is it clear what the code is doing?
  • Do the commit messages explain why the changes were made?
  • Are there all the unit tests needed?
  • Do the end to end tests need updating before these changes will pass?
  • Has all relevant documentation been updated?
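
The three steps in the description above, sketched in plain Ruby as an added example (this is not code from this pull request). It assumes the stored token is an OIDC ID token sent as `id_token_hint` per OpenID Connect RP-Initiated Logout; the endpoint host, session keys, the `state` check, the error class and the submitted-page path are hypothetical.

```ruby
require "uri"
require "securerandom"
require "openssl"

# Placeholder endpoint (assumption); only the redirect URI below is from the page.
END_SESSION_ENDPOINT = "https://idp.example/logout"
POST_LOGOUT_REDIRECT_URI = "http://localhost:3001/auth/logged-out"

class MissingFormContextError < StandardError; end

# Step 2: called after the submission has been handled.
# Returns nil when no token is stored, i.e. the user never signed in.
def logout_redirect_url(session, form_path_params)
  id_token = session.delete(:id_token) # step 1 stored it at login; use it once
  return nil if id_token.nil?

  # Set the path params again: another tab may have overwritten them.
  session[:return_form] = form_path_params
  # Bind the logout round trip to this session (state is an addition here).
  session[:logout_state] = SecureRandom.urlsafe_base64(32)

  query = URI.encode_www_form(
    id_token_hint: id_token,
    post_logout_redirect_uri: POST_LOGOUT_REDIRECT_URI,
    state: session[:logout_state]
  )
  "#{END_SESSION_ENDPOINT}?#{query}"
end

# Step 3: the user is returned to /auth/logged-out.
# Raises if the session cookie was lost or the state does not match,
# which surfaces as an internal error page.
def handle_logged_out(session, params)
  expected = session.delete(:logout_state)
  form = session.delete(:return_form)
  raise MissingFormContextError, "session lost" if expected.nil? || form.nil?

  unless OpenSSL.secure_compare(params["state"].to_s, expected)
    raise MissingFormContextError, "state mismatch"
  end

  # Hypothetical route shape for the form submitted page.
  "/form/#{form[:form_id]}/#{form[:form_slug]}/submitted"
end
```

Both the state and the stored path parameters are consumed on the first return, so replaying the `/auth/logged-out` URL raises rather than redirecting a second time.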

@stephencdaly stephencdaly force-pushed the log-user-out-when-they-submit branch 5 times, most recently from 8461b02 to 8cf9a2d on April 28, 2026 15:22
@stephencdaly stephencdaly marked this pull request as ready for review April 28, 2026 15:24
@stephencdaly stephencdaly force-pushed the log-user-out-when-they-submit branch 3 times, most recently from 50b1c1c to 00e0590 on April 29, 2026 14:16
Store the auth token returned by One Login in the session so we can
use it to log the user out when they submit their form.

If the user has an active session with One Login, redirect the user
to the One Login logout URL when they submit their form. We provide
a token and a post logout redirect URL to receive the user back after
they've been logged out.

Store the form path params on the session before redirecting. We will
have already stored these before they logged in with One Login, but
we set them again in case they were also filling out another form in
a different browser tab.

When One Login redirects the user back to us after logging out,
retrieve the form path parameters from the session to redirect to the
submitted page.

If the user's session cookie has been lost and we're unable to
determine the form path parameters, let an exception bubble up and
show an internal error page for now. We'll probably update this to
show something more user friendly in a future commit.

This avoids having to keep track of the multiple store classes we now
have in the controllers, and removes some logic from the controllers.

Hopefully this makes it a bit easier to see what's involved in the
auth process.
@stephencdaly stephencdaly force-pushed the log-user-out-when-they-submit branch from 00e0590 to cb1c4a1 on April 29, 2026 14:21
@github-actions

🎉 A review copy of this PR has been deployed! You can reach it at: https://pr-2070.submit.review.forms.service.gov.uk/

It may take 5 minutes or so for the application to be fully deployed and working. If it still isn't ready
after 5 minutes, there may be something wrong with the ECS task. You will need to go to the integration AWS account
to debug, or otherwise ask an infrastructure person.

For the sign in details and more information, see the review apps wiki page.

@DavidBiddle DavidBiddle left a comment

Code looks good and the logout works for me locally 🎉

@stephencdaly stephencdaly added this pull request to the merge queue Apr 29, 2026
Merged via the queue into main with commit b31c63c Apr 29, 2026
4 checks passed
@stephencdaly stephencdaly deleted the log-user-out-when-they-submit branch April 29, 2026 16:14