Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Send id_token_hint with OIDC logout #62

Open
defnull opened this issue Aug 9, 2022 · 6 comments · May be fixed by #101
Open

Send id_token_hint with OIDC logout #62

defnull opened this issue Aug 9, 2022 · 6 comments · May be fixed by #101

Comments

@defnull
Copy link

defnull commented Aug 9, 2022

OIDC logout requests have an id_token_hint parameter. This parameter is not required, but recommended by spec and some providers may not be able to properly terminate a user session if that parameter is missing. They then just delete the cookies, but not end the session. (see below) It would be nice if this parameter could be added. This should be the right place:

query = url_encode({'post_logout_redirect_uri': return_url})

@ThiefMaster
Copy link
Member

Easier said than done - currently the ID token is not stored anywhere... :/

@defnull
Copy link
Author

defnull commented Aug 10, 2022

As far as I understand it, this parameter is required to log out from just a single service. If it's missing, the OpenID provider would ask the user whether to log out of the provider itself instead of the application they came from.

If this is not an easy fix, then this issue can perhaps be kept open as a feature request?

@ThiefMaster
Copy link
Member

Sure, we can keep it open.

Regarding the other point, when you do a SSO logout you usually want to log out everywhere. For just logging our from Indico you wouldn't redirect to the OIDC logout endpoint at all. You can set 'logout_uri': None in the config to disable it (see the relevant code).

@defnull
Copy link
Author

defnull commented Aug 10, 2022

Depends on the application I guess. If an application offers a logout button, I usually expect to be logged out from that application, not from all applications. At least the logout page should give me both options.
For an application logout on a trusted computer, it may be enough to remove some cookies and just 'forget' the refresh token, but for a secure logout the refresh token should also be revoked, so it cannot be used to continue the session later. So, either the application has to keep track of logged-out sessions for as long as their refresh token may be valid, or the SSO provider should be asked to revoke the refresh token. This is exactly what a logout with id_token_hint does, as far as I understand it.

@wetzel-desy
Copy link

wetzel-desy commented Feb 16, 2023

I just stumbled upon this today and found out that if the application is connected to a Keycloak instance as OP, it can either send the id_token_hint or the client_id with the post_logout_redirect_uri. The latter might be easier to use as the client_id is already in the multipass-config, right? I also tested the logout functionality with an indico instance connected to Keycloak and modifying the URL in the browser by adding &client_id=$CLIENT_ID (with the correct ID, course) let me log out regularly.
Relevant documentation excerpt:

After logout, the user will be automatically redirected to the specified post_logout_redirect_uri as long as it is provided. Note that you need to include either the client_id or id_token_hint parameter in case that post_logout_redirect_uri is included.

@rabser
Copy link

rabser commented Jul 26, 2023

I encountered this problem also in recent Keycloak releases (reproduced on KC21.1.1 from quay).
I SOLVED changing the suggested file as follow:

            client_id = self.authlib_settings['client_id']
            query = url_encode({'post_logout_redirect_uri': return_url, 'client_id': client_id})

Now when I click logout, instead of an error, I got the Kecloak screen asking me if I want to logout and then redirect me to the post_logout_redirect_uri.

Would be fine if this change could be published.

bpedersen2 added a commit to bpedersen2/flask-multipass that referenced this issue Dec 5, 2024
Fixes an error on keycloak ( there either `client_id` or
`id_token_hint` is required)

Fixes: indico#62
bpedersen2 added a commit to bpedersen2/flask-multipass that referenced this issue Dec 5, 2024
Fixes an error on keycloak ( there either `client_id` or
`id_token_hint` is required)

Fixes: indico#62
@bpedersen2 bpedersen2 linked a pull request Dec 5, 2024 that will close this issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants