Add client_id to OIDC logout request #12182
Conversation
🎉 Snyk checks have passed. No issues have been found so far.✅ security/snyk check is complete. No issues have been found. (View Details) ✅ license/snyk check is complete. No issues have been found. (View Details) |
|
@sfc-gh-nbellante this should fix most of this issue, as both bug reports mention adding client_id to url made it work. One comment by pallagj has me a bit worried though. Seems at least one provider also requires the id_token_hint for this to work. This is currently impossible to provide as it is not stored. I have a PR up that would make that possible too, but it is waiting behind a product manager currently on vacation, and is likely to need quite a few cycles of iteration if he has significant comments. What could potentially be done is to add a logout_at_provider parameter to |
|
Hi @velochy, First off, thank you so much for your drive and dedication in tackling this feature and the subsequent bug reports. We truly appreciate your thoughtful analysis and your quick work on a potential fix. The ability to properly handle provider-specific logout flows is a valuable addition that we want to include in Streamlit. Given the number of users impacted by the current regression, our immediate priority is to restore the original, stable behavior for everyone. To that end, we've decided the best course of action is to revert the initial change for now. We will be cutting a This is purely a short-term measure to ensure stability, and we are very keen to bring this functionality back in a future release. We are more than happy to review future PRs that re-introduce this feature, including the one you already have open to store the One of the key takeaways here is that identity provider integrations have many subtle differences. For us to ship this feature with confidence in the future, it will be critical to have broader test coverage that accounts for these edge cases. For transparency, we wanted to share our upcoming release schedule. Once we're all confident in the solution and its test coverage, these dates represent the next opportunities to get this functionality included. There's no rush at all, this is just for information purposes:
Thank you again for your incredible contributions and your proactive communication. We're looking forward to working with you to land this feature! |
…onfig (#11901)" (#12179) This reverts commit 98258bf. ## Describe your changes - For more details see this comment: #12182 (comment) ## GitHub Issue Link (if applicable) ## Testing Plan - Explanation of why no additional tests are needed - Unit Tests (JS and/or Python) - E2E Tests - Any manual testing needed? --- **Contribution License Agreement** By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.
…onfig (#11901)" (#12179) This reverts commit 98258bf. ## Describe your changes - For more details see this comment: #12182 (comment) ## GitHub Issue Link (if applicable) ## Testing Plan - Explanation of why no additional tests are needed - Unit Tests (JS and/or Python) - E2E Tests - Any manual testing needed? --- **Contribution License Agreement** By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.
|
@sfc-gh-bnisco thank you for the very thoughtful message. Honestly, in this situation, if it were my project I would likely make the same call. Safer to revert considering the people affected, especially considering it does seem some providers need the functionality that currently cannot be added. This is a feature I still need for my own project, so don't worry, I'll still be pushing it. But I'll try to get the tokens & refresh PR merged first, as that sets us up for success on this :) |
…2) (#12693) ## Describe your changes Currently, st.logout ignores end_session_endpoint (ESE) in the OIDC configuration. This can cause issues, as some OIDC providers keep their own cookies and skip the login screen if they have an active session. This change: a) Writes the name of provider into the session cookie (so it would be clear which provider the user is currently logged into) b) Makes st.logout redirect to ESE if one is provided This is a revised version of #11901 to adress the issues raised in #12144 (comment) Most notably: 1) client_id is added to ESE request (original issue, with attempted fix at #12182) 2) id_token_hint is also added (addressing #12144 (comment)) 3) ESE request redirect target it changed to /oauth2callback (adressing #12144 (comment)) This is a follow-up to #12044 ## GitHub Issue Link (if applicable) Closes #11900 ## Testing Plan - unit tests added both for a case where ESE is provided as well as when not --- **Contribution License Agreement** By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license. --------- Co-authored-by: Vincent Donato <vincent@streamlit.io> Co-authored-by: Ken McGrady <ken.mcgrady@gmail.com>
Describe your changes
Hotfix to the OIDC logout PR merged in 1.47 that neglected to include client_id that is usually optional but seems to be required by some OIDC providers.
GitHub Issue Link (if applicable)
#12144
#12169
Testing Plan
Contribution License Agreement
By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.