Merged
When a user logs out in OIDC mode, Radar now redirects the browser to the identity provider's end_session_endpoint (discovered from the OIDC discovery document at startup) so the SSO session is also terminated. This prevents the issue where users are silently re-authenticated immediately after logout.
- Store raw ID token in session cookie for use as id_token_hint
- Extract end_session_endpoint from OIDC provider discovery at startup
- Return redirect URL in logout JSON response for frontend to follow
- Graceful fallback to local-only logout when IdP doesn't support it
- New --auth-oidc-post-logout-redirect-url flag for post-logout redirect
- Backward compatible with existing sessions (falls back to client_id)
…ion_endpoint For providers like Google that don't support RP-Initiated Logout, set a short-lived cookie on logout so the next auth request includes prompt=login, forcing the IdP to show a login screen instead of silently re-authenticating.
Summary
Fixes #381 — When a user clicks logout in OIDC mode, Radar now properly terminates the IdP session to prevent silent re-authentication.
Two complementary strategies based on IdP capabilities:
- RP-Initiated Logout (Okta, Keycloak, Azure AD): Radar discovers the `end_session_endpoint` from the OIDC discovery document at startup, stores the raw ID token in the session cookie, and returns the IdP's logout URL to the frontend for redirect.
- `prompt=login` fallback (Google, others without `end_session_endpoint`): On logout, Radar sets a short-lived cookie. The next auth request includes `prompt=login`, forcing the IdP to show a login screen instead of silently re-authenticating.
Both strategies clear the local session first. The approach is logged at startup so operators know which path is active.
New flag:
- `--auth-oidc-post-logout-redirect-url` (optional) — for RP-Initiated Logout, tells the IdP where to redirect after logout. Must be pre-registered with the IdP.
Changes
- `internal/auth/oidc.go` — Discover `end_session_endpoint`, `prompt=login` fallback via force-login cookie, rewritten `HandleLogout`
- `pkg/auth/cookie.go` — Store raw ID token in session cookie; add `IDTokenFromCookie`
- `web/src/components/UserMenu.tsx` — Frontend follows `redirectTo` from logout response
- `cmd/explorer/main.go` — New `--auth-oidc-post-logout-redirect-url` CLI flag
- `deploy/helm/radar/` — Helm chart support for the new flag
- `docs/authentication.md` — Logout behavior docs, config reference, troubleshooting
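The two logout strategies described above, as an added Go example that is not Radar's own code and does not reproduce `HandleLogout` or `IDTokenFromCookie`. It assumes two constructed discovery documents (one with an `end_session_endpoint`, one without, as Google omits it), illustrative type and function names (`Discovery`, `LogoutConfig`, `PlanLogout`, `AuthURL`), and a made-up ID token string; the query parameters it emits (`id_token_hint`, `client_id`, `post_logout_redirect_uri`, `prompt=login`) are the ones defined by OpenID Connect Core and RP-Initiated Logout 1.0.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample discovery documents (not real provider responses).
// The first resembles an IdP that advertises RP-Initiated Logout; the second
// resembles one that omits end_session_endpoint, as Google does.
const (
	DiscoveryWithEndSession = `{"issuer":"https://idp.example",
	  "authorization_endpoint":"https://idp.example/oauth2/v1/authorize",
	  "end_session_endpoint":"https://idp.example/oauth2/v1/logout"}`
	DiscoveryWithoutEndSession = `{"issuer":"https://accounts.example",
	  "authorization_endpoint":"https://accounts.example/o/oauth2/v2/auth"}`
)

// Discovery holds the discovery-document fields this example needs.
type Discovery struct {
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	EndSessionEndpoint    string `json:"end_session_endpoint"`
}

// SupportsRPLogout is true only for an https end_session_endpoint: the ID token
// goes into the redirect URL as id_token_hint, so a plaintext endpoint is unsafe.
func (d Discovery) SupportsRPLogout() bool {
	return strings.HasPrefix(d.EndSessionEndpoint, "https://")
}

// LogoutConfig holds the relying-party settings (illustrative names, not Radar's).
type LogoutConfig struct {
	ClientID              string
	PostLogoutRedirectURL string // must be pre-registered with the IdP
}

// LogoutPlan is what a logout handler hands back to the frontend after it has
// already cleared the local session (both strategies do that first).
type LogoutPlan struct {
	RedirectTo    string // IdP end-session URL; empty means local-only logout
	SetForceLogin bool   // set the short-lived cookie so the next auth request carries prompt=login
}

// ParseDiscovery decodes the document and reports whether RP-Initiated Logout is available.
func ParseDiscovery(doc string) (Discovery, bool, error) {
	var d Discovery
	if err := json.Unmarshal([]byte(doc), &d); err != nil {
		return Discovery{}, false, err
	}
	return d, d.SupportsRPLogout(), nil
}

// EndSessionURL builds the RP-Initiated Logout redirect. idToken is the raw ID
// token from the session cookie; an empty value (a session created before the
// token was stored) falls back to client_id, which the spec also accepts.
func EndSessionURL(d Discovery, cfg LogoutConfig, idToken string) (string, bool) {
	if !d.SupportsRPLogout() {
		return "", false
	}
	q := url.Values{}
	if idToken != "" {
		q.Set("id_token_hint", idToken)
	} else {
		q.Set("client_id", cfg.ClientID)
	}
	if cfg.PostLogoutRedirectURL != "" {
		q.Set("post_logout_redirect_uri", cfg.PostLogoutRedirectURL)
	}
	return d.EndSessionEndpoint + "?" + q.Encode(), true
}

// PlanLogout picks the strategy: IdP redirect when supported, otherwise the
// force-login cookie so the next login cannot be silent.
func PlanLogout(d Discovery, cfg LogoutConfig, idToken string) LogoutPlan {
	if u, ok := EndSessionURL(d, cfg, idToken); ok {
		return LogoutPlan{RedirectTo: u}
	}
	return LogoutPlan{SetForceLogin: true}
}

// AuthURL builds the authorization request; forceLogin is true when the
// short-lived cookie set at logout is present on the incoming request.
func AuthURL(d Discovery, cfg LogoutConfig, redirectURI, state string, forceLogin bool) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", cfg.ClientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid email profile")
	q.Set("state", state)
	if forceLogin {
		q.Set("prompt", "login")
	}
	return d.AuthorizationEndpoint + "?" + q.Encode()
}

func main() {
	cfg := LogoutConfig{ClientID: "radar-client", PostLogoutRedirectURL: "https://radar.example/login"}
	for _, doc := range []string{DiscoveryWithEndSession, DiscoveryWithoutEndSession} {
		d, rpLogout, err := ParseDiscovery(doc)
		if err != nil {
			panic(err)
		}
		plan := PlanLogout(d, cfg, "eyJhbGciOiJSUzI1NiJ9.e30.sig") // constructed, not a real token
		fmt.Printf("rp_initiated_logout=%v redirect=%q force_login_cookie=%v\n", rpLogout, plan.RedirectTo, plan.SetForceLogin)
		fmt.Println(AuthURL(d, cfg, "https://radar.example/auth/callback", "state123", plan.SetForceLogin))
	}
}
```

Two things a practitioner should keep in mind when wiring this up: the `post_logout_redirect_uri` is only honoured if it exactly matches a value registered at the IdP, so a mismatch typically lands the user on an IdP error page rather than back at the application; and because `id_token_hint` puts the full ID token in a redirect URL, it shows up in browser history and IdP access logs, which is acceptable for an ID token (it is not an access token) but is the reason the example refuses a non-https end-session endpoint.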