Cycle Portal and Community Logout
I just noticed something with the community site. When I log out of the Cycle portal, it doesn't log me out of the community site. I have to log out manually from the community site.
However, if I log out of the community site, it logs me out of the Cycle portal.
Sometimes I have to log in to different Cycle accounts depending on the project I'm working on, so I almost posted as someone else on the community site by accident even though I logged into my main account on the portal.
Hey Andrew,
Thanks for reporting this. You're indeed correct, and it has to do with the way we've set up the auth to share with the portal. If you don't mind the technical details, keep reading for an explanation, but TL;DR: yes, logging out portal side isn't working 'correctly' on community, but logging out of community is the sure-fire way (for now) to log out of both.
Technical reason:
The community site we're on right now has a session cookie created separately from the portal, and has a 1hr time-limited access token embedded inside. Community, being under the cycle.io domain, has access to our 'http only' secure auth cookie that you receive when logging into the portal. When you load community, it immediately makes a request to our auth service, and since it has a valid cookie, generates the temporary access token. The session for community holds that access token (it has NO authority to read the auth cookie for generating it directly, and neither does portal), and it handles managing that session and embedded access token automatically.
When you log out on community, we can easily delete that session cookie that is generated here, but when you log out on portal, it doesn't have a good way to delete the session cookie for the parent domain, due to browser sandboxing and the fact that the session cookie generated by community is 'http-only', so JS doesn't have any access to it.
That said, the proper way we're planning to resolve this is having a more dedicated login system for community that fully utilizes our auth system, via a 'login with Cycle' option. It's set up to do full OAuth authorizations on your cycle account's behalf, but we haven't gotten to building a proper login UI for it yet. I don't have a date for you yet, but it's on our roadmap. Once that is up, you'll be able to use different accounts from portal/community as desired. This was a quicker way of getting access to community to everyone, with the unfortunate side-effect that you're seeing today.
I know that's a pretty technical explanation, but hopefully it explains the issue you're seeing fully!
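The cookie scoping described in the reply above, as an added example that is not part of the original thread and is not Cycle's code. It assumes the auth cookie is scoped to the parent domain and the community session cookie is host-only; the hostnames and cookie names are constructed, and the community-logout path shows one possible mechanism rather than the one Cycle uses.

```javascript
// Toy cookie jar modelling only Domain scoping and HttpOnly (not Path, Secure, expiry).
// Hostnames and cookie names are constructed for illustration.
const PORTAL = "portal.example.test", COMMUNITY = "community.example.test";
const PARENT = "example.test";

const domainMatch = (host, domain) => host === domain || host.endsWith("." + domain);

class CookieJar {
  constructor() { this.cookies = []; }
  // Set-Cookie in a response from `host`. No Domain attribute => host-only cookie.
  // A null value stands for an already-expired date, which is how cookies get deleted.
  set(host, name, value, domain = null) {
    if (domain && !domainMatch(host, domain)) return false; // browser ignores it
    const scope = domain || host;
    this.cookies = this.cookies.filter(c => !(c.name === name && c.scope === scope));
    if (value !== null) this.cookies.push({ name, scope, hostOnly: !domain, httpOnly: true });
    return true;
  }
  inScope(host) {
    return this.cookies.filter(c => c.hostOnly ? c.scope === host : domainMatch(host, c.scope));
  }
  // Names attached to an HTTP request to `host`.
  sentTo(host) { return this.inScope(host).map(c => c.name).sort(); }
  // Names page script on `host` would see in document.cookie.
  scriptVisible(host) { return this.inScope(host).filter(c => !c.httpOnly).map(c => c.name); }
}

function loggedInJar() {
  const jar = new CookieJar();
  jar.set(PORTAL, "auth", "A1", PARENT);          // shared auth cookie (assumed scope)
  jar.set(COMMUNITY, "community_session", "S1");  // host-only session (assumed scope)
  return jar;
}

function portalLogout() {
  const jar = loggedInJar();
  jar.set(PORTAL, "auth", null, PARENT);          // portal can expire the shared cookie
  const accepted = jar.set(PORTAL, "community_session", null, COMMUNITY); // out of reach
  return { accepted, community: jar.sentTo(COMMUNITY), script: jar.scriptVisible(COMMUNITY) };
}

function communityLogout() {
  const jar = loggedInJar();
  jar.set(COMMUNITY, "community_session", null);  // its own host-only cookie
  jar.set(COMMUNITY, "auth", null, PARENT);       // a subdomain may address the parent domain
  return { community: jar.sentTo(COMMUNITY), portal: jar.sentTo(PORTAL) };
}
```

After `portalLogout()` the community session cookie is still sent to the community host, which is the stale session behind the wrong-account risk raised in the first post.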
Ah okay so the community site relies on the portal's authentication system but manages its own session and access token. That makes sense. I understand why you took that approach. Thank you for the in-depth explanation and the quick response! This is not a big deal at all and I will keep this in mind going forward.
Yep, any time! We'll get to a more complete solution in the future, I've got some great plans for a real 'Sign in with Cycle' option.