
No OIDC frontchannel logout when session_state is missing in the ID token

Open djbgeodan opened this issue 2 years ago • 5 comments

Hi Travis,

We use the OIDC plugin with an external IdP. This works great, except that the logout at the IdP does not take place when the logout handler is called. I think it is caused by the fact that the ID token does not contain the session_state claim. https://github.com/travisghansen/external-auth-server/blob/master/src/plugin/oauth/index.js#L1515C39-L1515C39

In the code there is the comment "TODO: this check may not be entirely needed/wanted". So my question is, can this condition be removed?

Regards, Dirk-Jan

djbgeodan avatar Oct 03 '23 07:10 djbgeodan

Reading through some docs and rfcs I think it can be removed. It appears to me that field in the id token is not necessarily common (may be a keycloak-centric behavior) and has no direct tie to the logout functionality. It may be a hint the provider actually supports logout but otherwise seems to have no bearing on the logout process.

I can make the change when I get a moment or you are welcome to submit a PR I can merge.

travisghansen avatar Oct 03 '23 19:10 travisghansen
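The point made above, that session_state is an optional (Keycloak-style) claim with no role in the logout flow itself, can be shown with a small OIDC RP-Initiated Logout helper. This is an added example, not code from external-auth-server; the function names (buildEndSessionUrl, decodeIdTokenPayload), the sample token and the endpoint and redirect URLs are all constructed for illustration. What the IdP actually needs on the end_session_endpoint is id_token_hint plus an optionally pre-registered post_logout_redirect_uri; the helper therefore only sanity-checks iss and sub and merely reports whether session_state happened to be present.

```javascript
// Added example: build an OIDC RP-Initiated Logout redirect URL that does not
// depend on a session_state claim in the ID token. Not project code.

// Decode the JWT payload without verifying the signature. This is only safe
// because the relying party validated the ID token when it was issued at login;
// here the claims are read just to sanity-check what goes into id_token_hint.
function decodeIdTokenPayload(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) {
    throw new Error("ID token is not a three-part compact JWT");
  }
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Build the redirect to the IdP's end_session_endpoint. Returns the URL and a
// flag telling the caller whether the optional session_state claim was present,
// so the absence of that claim can be logged but never blocks the logout.
function buildEndSessionUrl({ endSessionEndpoint, idToken, postLogoutRedirectUri, state }) {
  const claims = decodeIdTokenPayload(idToken);
  // iss and sub are mandatory ID token claims; session_state is not.
  if (typeof claims.iss !== "string" || typeof claims.sub !== "string") {
    throw new Error("ID token lacks iss or sub; refusing to build logout redirect");
  }
  const url = new URL(endSessionEndpoint);
  url.searchParams.set("id_token_hint", idToken);
  if (postLogoutRedirectUri) {
    // The IdP only honours this value if it was pre-registered for the client.
    url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  }
  if (state) {
    url.searchParams.set("state", state);
  }
  return {
    url: url.toString(),
    hasSessionState: typeof claims.session_state === "string",
  };
}

// Constructed sample: an ID token with iss/sub/aud/exp but no session_state.
// The header says alg "none" and the signature segment is a placeholder,
// because this example never verifies it (see decodeIdTokenPayload).
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}
const SAMPLE_ID_TOKEN = [
  base64UrlEncode({ alg: "none", typ: "JWT" }),
  base64UrlEncode({
    iss: "https://idp.example/realms/demo", // constructed issuer
    sub: "user-1",
    aud: "external-auth-server",
    exp: 1700000000,
  }),
  "placeholder-signature",
].join(".");

// Stand-alone usage with constructed endpoint and redirect values.
const logout = buildEndSessionUrl({
  endSessionEndpoint: "https://idp.example/realms/demo/protocol/openid-connect/logout",
  idToken: SAMPLE_ID_TOKEN,
  postLogoutRedirectUri: "https://app.example/",
  state: "logout-xyz",
});
console.log(logout.hasSessionState ? "session_state present" : "no session_state (fine)");
console.log(logout.url);
```

Running it prints that session_state is absent and still emits a complete logout URL carrying id_token_hint, post_logout_redirect_uri and state, which is the behaviour the issue asks for: logging the missing claim is reasonable, gating the redirect on it is not.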

Can you test using the next image tag? It’s a mutable tag so make sure your cluster pulls the newest revision.

travisghansen avatar Oct 04 '23 14:10 travisghansen

Thanks, I've tested it. It solves our logout issue.

djbgeodan avatar Oct 05 '23 07:10 djbgeodan

I’ve just committed a small change in that same area of code. Can you pull the most recent next image and ensure everything still works as needed?

travisghansen avatar Oct 05 '23 16:10 travisghansen

I've tested it. All seems to work fine.

djbgeodan avatar Oct 11 '23 18:10 djbgeodan