Allow setting an optional logout URL when using the environment variable authentication
In some cases, when using the environment variable (i.e. with CAS), a specific logout URL is required to actually log out of Nextcloud.
Allowing the admin to optionally set a custom logout URL would actually allow a complete implementation of some SSO like CAS. Indeed, until this is possible, users won't be able to log out until their CAS session actually expires (or until the user closes the browser), which is dangerous.
Ok. Good point :-)
+1 for this feature
+1
+1
+1
Please use the GitHub +1 feature instead of posting updates which sends notifications to everyone having posted in here. Thanks.
Any progress?
Any answer to the question ☝️?
No. But we appreciate pull requests.
So, adding
`* @NoCSRFRequired`
to the logout function here: https://github.com/nextcloud/server/blob/master/core/Controller/LoginController.php#L95
makes the URL your.nextcloud.domain/logout log you out. This is of course then susceptible to CSRF attacks. Setting a custom URL like your.nextcloud.domain/my_custom_url_logout would be security by obscurity, so not much better. Personally, for our (small unimportant) site, I would be OK with disabling CSRF protection from logout (discussion of its merits is here: https://security.stackexchange.com/questions/62769/should-login-and-logout-action-have-csrf-protection ). Would a PR implementing this as a setting be accepted, or does something more complicated need to be prepared (that would be far beyond my ability)?
Our use case is using https://github.com/soudis/discoursesso to sign in to our Discourse instance from Nextcloud. We would like to make sure users log out from Nextcloud when they log out from Discourse. Discourse allows in its settings to direct a user to a specific URL after logout - which Nextcloud does not allow.
Probably a better (but still hackish) solution is here: https://help.nextcloud.com/t/how-can-i-write-my-own-logout-page/14676
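
An added example, not part of the thread and not Nextcloud's code: a framework-free sketch of a logout handler that keeps the CSRF check discussed above and then redirects to an admin-configured SSO logout URL, as the original request asks. The setting `SSO_LOGOUT_URL`, the `token` query parameter, the function names and the placeholder host are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical admin setting: where to send the browser after the local
// session is destroyed (placeholder SSO host, not a real endpoint).
const SSO_LOGOUT_URL = 'https://sso.example.org/cas/logout';

// Issue (or reuse) the per-session token that is embedded in the logout link.
function logoutToken(array &$session): string
{
    if (!isset($session['logout_token'])) {
        $session['logout_token'] = bin2hex(random_bytes(32));
    }
    return $session['logout_token'];
}

// Use the configured URL only if it is an absolute https URL; else fall back.
function logoutTarget(?string $configured, string $fallback = '/login'): string
{
    $parts = $configured === null ? false : parse_url($configured);
    if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return $fallback;
    }
    return $configured;
}

// Returns [HTTP status, redirect target or null]. Without the session's token
// the request is refused and the session is left untouched, so a link or image
// tag on another site cannot log the user out.
function handleLogout(array &$session, array $query, ?string $configured): array
{
    $expected = $session['logout_token'] ?? '';
    $supplied = is_string($query['token'] ?? null) ? $query['token'] : '';
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return [403, null];
    }
    $session = [];  // drop all local session state before leaving the site
    return [303, logoutTarget($configured)];
}

// Constructed demo: the first request lacks the token, the second carries it.
$session = ['user' => 'alice'];
$token = logoutToken($session);
echo json_encode(handleLogout($session, [], SSO_LOGOUT_URL)), "\n";
echo json_encode(handleLogout($session, ['token' => $token], SSO_LOGOUT_URL)), "\n";
echo json_encode($session), "\n";
```

With this shape, a logout that starts on another site (the Discourse redirect case) is refused by design, because that site cannot know the session's token.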