Send `id_token_hint` with OIDC logout #62
Comments
Easier said than done - currently the ID token is not stored anywhere... :/
As far as I understand it, this parameter is required to log out from just a single service. If it's missing, the OpenID provider would ask the user whether to log out of the provider itself instead of the application they came from. If this is not an easy fix, then this issue can perhaps be kept open as a feature request?
Sure, we can keep it open. Regarding the other point, when you do an SSO logout you usually want to log out everywhere. For just logging out from Indico you wouldn't redirect to the OIDC logout endpoint at all. You can set
Depends on the application I guess. If an application offers a logout button, I usually expect to be logged out from that application, not from all applications. At least the logout page should give me both options.
I just stumbled upon this today and found out that if the application is connected to a Keycloak instance as OP, it can either send the
I encountered this problem also in recent Keycloak releases (reproduced on KC21.1.1 from quay).
Now when I click logout, instead of an error, I got the Keycloak screen asking me if I want to log out and then redirect me to the post_logout_redirect_uri. Would be fine if this change could be published.
Fixes an error on Keycloak (there either `client_id` or `id_token_hint` is required) Fixes: indico#62
OIDC logout requests have an `id_token_hint` parameter. This parameter is not required, but recommended by spec and some providers may not be able to properly terminate a user session if that parameter is missing. They then just delete the cookies, but not end the session. (see below) It would be nice if this parameter could be added. This should be the right place: flask-multipass/flask_multipass/providers/authlib.py
Line 108 in a469d51
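The logout request discussed in this issue, as an added example that is not part of the issue and is not flask-multipass code: it builds the end-session URL with `id_token_hint` when the ID token was kept, and falls back to `client_id` (the alternative the Keycloak comments mention) when it was not. The function name, the endpoint and all sample values are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def build_logout_url(end_session_endpoint, *, id_token=None, client_id=None,
                     post_logout_redirect_uri=None, state=None):
    """Build an OIDC RP-initiated logout URL (hypothetical helper)."""
    params = {}
    if id_token:
        # Preferred: tells the provider which session/user the logout is for.
        params['id_token_hint'] = id_token
    elif client_id:
        # Fallback when the ID token was not stored after login.
        params['client_id'] = client_id

    if post_logout_redirect_uri:
        # Models the Keycloak behaviour reported in the thread: a redirect
        # target is rejected unless id_token_hint or client_id is present.
        if not params:
            raise ValueError(
                'post_logout_redirect_uri needs id_token_hint or client_id')
        params['post_logout_redirect_uri'] = post_logout_redirect_uri
        if state:
            # Echoed back by the provider so the app can match the redirect.
            params['state'] = state

    # Keep any query string the provider already put on the endpoint.
    parts = urlsplit(end_session_endpoint)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == '__main__':
    # Constructed sample values; a real ID token comes from the login response.
    print(build_logout_url(
        'https://op.example/logout',
        id_token='aaa.bbb.ccc',
        post_logout_redirect_uri='https://app.example/',
        state='xyz',
    ))
```

Using the ID token here means the application has to keep it in the user's session after login, which is the storage gap the first comment points out.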