rabbitmq-server

OAuth 2: support logout when using IDP-initiated flows

Open MarcialRosales opened this issue 1 year ago • 0 comments

Describe the bug

This issue occurs when using the IDP-initiated configuration. This issue was found when testing the oauth2-proxy example (https://rabbitmq.com/docs/oauth2-examples-proxy).

Reproduction steps

  1. Go to the oauth2-proxy root URL
  2. You are redirected to Keycloak to log in
  3. Upon successful login, you are redirected to RabbitMQ
  4. Click on logout
  5. You are wrongly redirected again back to RabbitMQ

Expected behavior

If end_session_endpoint is configured, you should be redirected to that endpoint; otherwise, to the management.oauth_provider_url.

If you are using oauth2-proxy, /oauth2/sign_out is the logout endpoint. It removes the cookie associated with the authenticated oauth2-proxy user. However, you can pass a query parameter, rd, with the URL for the identity provider to also log the user out of it. This is the configuration used in the oauth2-proxy example that configures the end_session_endpoint.

auth_oauth2.issuer = https://keycloak:8443/realms/test
auth_oauth2.end_session_endpoint = https://localhost:8442/oauth2/sign_out?rd=https://keycloak:8443/realms/test/protocol/openid-connect/logout

Additional context

No response

MarcialRosales, Oct 18 '24 09:10
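
The expected behavior and the oauth2-proxy `rd` chain described in the issue, as an added example that is not part of the original issue and is not RabbitMQ code: it resolves the logout target and checks that the `rd` hop points at the identity provider named by the issuer. The function names are assumptions of this sketch; the configuration keys and sample values are the ones quoted in the issue.

```javascript
// Added example; function names are assumptions, not RabbitMQ code.
// SAMPLE_CONF is the configuration quoted in the issue.
const SAMPLE_CONF = `
auth_oauth2.issuer = https://keycloak:8443/realms/test
auth_oauth2.end_session_endpoint = https://localhost:8442/oauth2/sign_out?rd=https://keycloak:8443/realms/test/protocol/openid-connect/logout
`;

// Parse rabbitmq.conf-style "key = value" lines (values may contain "=").
function parseConf(text) {
  const conf = {};
  for (const line of text.split("\n")) {
    const m = line.match(/^\s*([^#=\s]+)\s*=\s*(.+?)\s*$/);
    if (m) conf[m[1]] = m[2];
  }
  return conf;
}

// Expected behavior from the issue: end_session_endpoint if configured,
// otherwise management.oauth_provider_url.
function resolveLogoutUrl(conf) {
  return conf["auth_oauth2.end_session_endpoint"] ||
    conf["management.oauth_provider_url"] || null;
}

// Check the chain: proxy sign_out -> rd -> identity provider logout.
function checkLogoutChain(conf) {
  const target = resolveLogoutUrl(conf);
  if (!target) return ["no logout target configured"];
  const url = new URL(target);
  if (!url.pathname.endsWith("/oauth2/sign_out")) return [];
  const rd = url.searchParams.get("rd");
  if (!rd) return ["sign_out has no rd: only the proxy cookie is removed"];
  const findings = [];
  try {
    const idp = new URL(rd);
    const issuer = new URL(conf["auth_oauth2.issuer"]);
    const realm = issuer.pathname.replace(/\/$/, "") + "/";
    if (idp.origin !== issuer.origin) findings.push("rd is not on the issuer origin");
    else if (!idp.pathname.startsWith(realm)) findings.push("rd is outside the issuer path");
  } catch (e) {
    findings.push("rd or issuer is not an absolute URL");
  }
  return findings;
}

console.log(checkLogoutChain(parseConf(SAMPLE_CONF)));
```

An empty findings list for the quoted configuration means the logout target clears the oauth2-proxy cookie and then hands off to the Keycloak logout endpoint under the configured issuer.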