Skip to content

OIDC RP-Initiated logout #4714

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Dec 7, 2023
Merged

OIDC RP-Initiated logout #4714

merged 8 commits into from
Dec 7, 2023

Conversation

ssddanbrown
Copy link
Member

@ssddanbrown ssddanbrown commented Dec 6, 2023
edited
Loading

Continuation of #4467.

https://openid.net/specs/openid-connect-rpinitiated-1_0.html

Todo

  • Add auto-discovery support.
  • Allow disabling via config option.
  • Testing
    • PHP Unit Coverage
    • Manual test on providers:
      • Okta
      • KeyCloak
      • Azure
      • Authentik
      • Auth0 (If supports)
    • Manual re-test of SAML2 logout with auto-initate on/off.
    • Manual re-test of OIDC logout with auto-initate on/off, with RP-initated logout on/off.
    • Manual re-test of custom social driver usage (specifically appearance/use in multiple parts of the app).
    • Test of auto-initate login and logout handling when lone custom social driver active.

Questionables

  • Can an OP error if a post_logout_redirect_uri is provided that doesn't meet spec (which we cannot check dynamically as config is OP side).
    • Answer: From testing, an OP will reject the request if an non-expected redirect URI is provided. Without a redirect URI you can be left at the OP system sign-in page, so don't think sending without a redirect URI by default is sensible.

Notes

  • Okta is really strict when it comes to redirect URIs, they had to match exactly, including query params (?prevent_auto_init=true) otherwise an error would be thrown pre-okta-signout. Might need to specify the adding of all URL possibilities. Also makes it more important that we never (or very rarely) change these.
  • Azure didn't require any logout redirect URLs to be provided, just returned as desired.
  • Looks like Auth0 do support RP-initiated logout but the endpoint via autodiscovery wasn't active for me, maybe have to talk to support or something.
    • Manually using a <ISSUER>/oidc/logout worked okay for me.
    • Auth0 also strict on return URL like okta.
  • Keycloak strict on logout return URLs, although allow wildcards which is nice.
  • Authentik never redirects back, and provides the option to user to logout of all, or go back to BookStack. Not an issue, but a little different to others.

Docs updates

  • Update advisory to advise RP-initiated logout will be active if supported via discovery.
    • Changed plans to make non-enabled by default.
  • Update docs with logout info.
    • Specifically mention the requirement to configure the "Sign-out redirect URI" (or similar) on the identity provider.
    • Might need to detail specifics, including return URLs and the http/https caveat from the spec.

joancyho and others added 4 commits August 29, 2023 13:07
Fixed OIDC Logout
6b55104
Fixed OIDC Logout
a0942ef
@ssddanbrown
Merge branch 'fix/oidc-logout' into development
cc10d1d
@ssddanbrown
Auth: Refactored OIDC RP-logout PR code, Extracted logout
bba7dcc 
Extracted logout to the login service so the logic can be shared instead
of re-implemented at each stage. For this, the SocialAuthService was
split so the driver management is in its own class, so it can be used
elsewhere without use (or circular dependencies) of the
SocialAuthService.

During review of #4467
@ssddanbrown ssddanbrown added this to the Next Feature Release milestone Dec 6, 2023
@ssddanbrown ssddanbrown self-assigned this Dec 6, 2023
@ssddanbrown
OIDC RP Logout: Added autodiscovery support and test cases
f32cfb4
@ssddanbrown
Tests: Fixed debug test to work with social class changes
a72e0fe
@ssddanbrown
OIDC RP Logout: Fixed issues during testing
81d256a 
- Disabled by default due to strict rejection by auth systems.
- Fixed issue when autoloading logout URL, but not provided in
  autodiscovery response.
- Added proper handling for if the logout URL contains a query string
  already.
- Added extra tests to cover.
- Forced config endpoint to be used, if set as a string, instead of
  autodiscovery endpoint.
@ssddanbrown
OIDC: Update example env option to reflect correct default
7312300
@ssddanbrown ssddanbrown merged commit 4c0b7f3 into development Dec 7, 2023
@ssddanbrown ssddanbrown deleted the oidc_logout branch December 7, 2023 18:00
This was referenced Dec 7, 2023
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@ssddanbrown ssddanbrown

Labels
📖 Docs Update 🚪 Authentication 🏭 Back-End
Milestone
v23.12
Development

Successfully merging this pull request may close these issues.
1 participant
@ssddanbrown