Session aware sign_out for redirect {id_token} placeholder replacement
#1875
Conversation
Try to load the session at sign_out to handle redirect's placeholder replacement: `${id_token}`
Allow usage of `${id_token}` as a `rd` parameter placeholder for newer keycloak, example:
http://localhost:4180/oauth2/sign_out?rd=http://localhost:8080/auth/realms/testrealm/protocol/openid-connect/logout?id_token_hint={id_token}%26post_logout_redirect_uri=http://localhost:4180/
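As an added illustration (not code from this PR or from oauth2-proxy itself), the following Go sketch walks through the sign_out step the description outlines: load the session, substitute `{id_token}` into `rd`, and only then redirect. Because `rd` is caller-controlled, the sketch also allowlists the redirect host before using it; the `session` type, the `signOutRedirect` function, the allowlist and the dummy ID token are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Placeholder an rd value may carry; swapped for the signed-out session's ID token.
const idTokenPlaceholder = "{id_token}"

// session is a hypothetical stand-in for oauth2-proxy's stored session state.
type session struct{ IDToken string }

// signOutRedirect extracts rd from a sign_out request URL, substitutes the ID
// token, and returns the result only if it is an absolute http(s) URL whose
// host is allowlisted, since rd is caller-controlled (open redirect risk).
func signOutRedirect(signOutURL string, s *session, allowedHosts []string) (string, error) {
	req, err := url.Parse(signOutURL)
	if err != nil {
		return "", err
	}
	// Query().Get undoes the outer encoding: the %26 in the PR's example URL
	// becomes the & that separates Keycloak's two logout parameters.
	rd := req.Query().Get("rd")
	if strings.Contains(rd, idTokenPlaceholder) {
		if s == nil || s.IDToken == "" {
			return "", errors.New("rd uses {id_token} but no session could be loaded")
		}
		// The token is inserted into a query component, so encode it as one.
		rd = strings.ReplaceAll(rd, idTokenPlaceholder, url.QueryEscape(s.IDToken))
	}
	target, err := url.Parse(rd)
	if err != nil || (target.Scheme != "http" && target.Scheme != "https") || target.Host == "" {
		return "", fmt.Errorf("rd must be an absolute http(s) URL, got %q", rd)
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(target.Host, h) {
			return target.String(), nil
		}
	}
	return "", fmt.Errorf("redirect host %q is not allowlisted", target.Host)
}

func main() {
	signOut := "http://localhost:4180/oauth2/sign_out?rd=http://localhost:8080/auth/realms/testrealm/protocol/openid-connect/logout?id_token_hint={id_token}%26post_logout_redirect_uri=http://localhost:4180/"
	u, err := signOutRedirect(signOut, &session{IDToken: "eyJhbGciOiJSUzI1NiJ9.e30.sig"}, []string{"localhost:8080"}) // constructed dummy token
	fmt.Println(u, err)
}
```

With this scheme the ID token travels inside a browser redirect URL (and so into access logs and Referer headers along the way), which is part of why the thread ends up preferring the backend logout of #1876.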
An option could be an oauth2-proxy to provider call but might require adding a new option to specify the logout URL including arguments and placeholders as it's not covered by the standard :/ Edit: #1876
Apologies, I haven't been able to get to this project much lately. But, this is kind of what I was expecting. My understanding was that there's a logout URL in the OIDC discovery document that we can cache and then, with some token, send a request to that to log the session out. Is this not a standard thing? Do you know at all?
The code here looks pretty simple, how generic is this approach? Are we expecting this could be flexible enough to work for the majority of providers? Are there providers that need anything other than the ID Token? I'm also wondering if we want to make this a configurable URL. I'd like to refactor the provider implementation at some point so you can add arbitrary params to each URL, so perhaps having some substitution in there isn't a bad thing 🤔 Feeling inspired right now 😅
I think it's a Keycloak specificity but I'm not a specialist of other providers.
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.
Not stale.
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.
Still relevant IMHO.
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.
Still relevant.
I'd like to see if there's some generic use for this before we merge. Is there anything in the OIDC spec that details how logouts should work? If this is something that's provider specific then we should probably look at implementing it directly in a provider specific logout and not require users to have to hack around it.
There is no standard unfortunately :/
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.
Not stale |
kvanzuijlen
left a comment
Yes, I think backend logout is way more secure than redirect.
Closing in favour of #1876.
Motivation and Context
Might be a start for closing #884
How Has This Been Tested?
Tested against local keycloak using a `testrealm` and a `testapp` listening on 8080. The demo link leads to the root path of the app with a properly signed out session from both keycloak and oauth2-proxy.