Session aware logout, backend logout url approach

[babs]

Description

This PR implements backend logout approach, might be better than #1875 and might also satisfy #884

Motivation and Context

Implement backend logout.

Checklist:

• My change requires a change to the documentation or CHANGELOG.
• I have updated the documentation/CHANGELOG accordingly.
• I have created a feature (non-master) branch for my PR.

[babs]

I can't do much for legacyProviderFlagSet LoC count :/

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[babs]

Still relevant;)

[JoelSpeed]

Apologies for not getting to this, I hope to review soon, looks like there are a couple of conflicts in the keycloak code at the moment, do we want to get those resolved?

[babs]

Conflicts resolved, ready to merge.

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[babs]

Not stale

[gchait]

Thank you for that, would love to see it merged soon!

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[babs]

Still relevent

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[babs]

.

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[babs]

.

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[babs]

Rebased against master

[babs]

Rebased against master

[andrewkcarter]

Excellent. When is the next release scheduled?

[redboxstudio]

Hello, please write some documentation, the description is scant, what should I do about it? do I understand correctly that the application should follow http://app.app.example/logout where nginx location follows in
this link http://localhost:4180/oauth2/sign_out?rd=http://localhost:8080/auth/realms/testrealm/protocol/openid-connect/logout?id_token_hint={id_token}%26post_logout_redirect_uri=http:// localhost:4180/
what then should be in the backend-logout-url

[babs]

Several logout methods has been considered but as id_token is a pretty sensitive information, backend logout has beeen privilegied.

You have to consider 2 course of actions when you send the browser to the sign_out endpoint, running in parallel:

• Client side you want the browser to be redirected on a gien url (the rd parameter in qs)
• Server to server call from oauth2-proxy to your oidc provider (keycloak) through a secure channel with pattern replacement containing the sensitive info

So http://localhost:8080/auth/realms/testrealm/protocol/openid-connect/logout?id_token_hint={id_token} goes into --backend-logout-url and http://localhost:4180/ goes to rd argument of sign_out.

[ch08532]

Hello, please write some documentation, the description is scant, what should I do about it? do I understand correctly that the application should follow http://app.app.example/logout where nginx location follows in this link http://localhost:4180/oauth2/sign_out?rd=http://localhost:8080/auth/realms/testrealm/protocol/openid-connect/logout?id_token_hint={id_token}%26post_logout_redirect_uri=http:// localhost:4180/ what then should be in the backend-logout-url

I was able to get this to work with NGINX proxy and Keycloak OIDC provider:

OAuth2proxy config file entry:

backend_logout_url="http://keycloak.local/realms/redeye/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2Fapp.local&id_token_hint={id_token}"

NGINX entry:

# Logout route
location /logout {
        proxy_pass http://oauth2-proxy:4180/oauth2/sign_out; 

        include       /etc/nginx/proxy_params;
        proxy_set_header Cookie                  $http_cookie;  # Forward session cookies
    }

[babs]

Good news.
But again you don't need to specify post_logout_redirect_uri keycloak parameter in oauth2-proxy's backend_logout_url option.

[ch08532]

Good news. But again you don't need to specify post_logout_redirect_uri keycloak parameter in oauth2-proxy's backend_logout_url option.

Thanks for the response! I tested it, and it works just as you described. Here's an updated config snippet for reference to help others:

backend_logout_url="http://keycloak.local/realms/redeye/protocol/openid-connect/logout?id_token_hint={id_token}"

[babs]

Glad to hear that ;)

[redboxstudio]

Good news. But again you don't need to specify post_logout_redirect_uri keycloak parameter in oauth2-proxy's backend_logout_url option.

Why? How to back in app?
mb this need add to nginx conf ?
location /logout {
proxy_pass http://oauth2-proxy:4180/oauth2/sign_out?rd=https://myapp.local;

[babs]

More like that, yes ;)