rabbitmq-server
Support OIDC Front-channel Logout
Is your feature request related to a problem? Please describe.
Log out users directly from the Identity Provider (a.k.a. OP) using the OIDC Front-channel Logout mechanism. This is also known as OP-Initiated Logout.
Up until now, users could only close their sessions through the RabbitMQ Management UI itself.
Describe the solution you'd like
Expose an endpoint in the Management UI which handles OIDC Front-channel Logout requests. It should validate the logout token, and if it is valid, it should clear any session's state relative to the user and redirect to the home page.
IMPORTANT: There is a possibility that this feature cannot be implemented due to cross-origin issues. The IdP calls the logout request from an iframe, and modern browsers will block access to cookies and local storage from a different origin. The alternative provided by the OIDC specification is to use back-channel logout. But this alternative does not work for RabbitMQ because state is not maintained in the backend, but in the browser.
Describe alternatives you've considered
No response
Additional context
This feature request was suggested by this discussion
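
An added example (not part of the original issue and not RabbitMQ's code) of the browser-side handler the request describes, following OIDC Front-Channel Logout 1.0, where the OP loads the RP's logout URI in an iframe with `iss` and `sid` query parameters. The function names, the storage key and the stored session shape are assumptions; the handler also shows how blocked or partitioned storage, the cross-origin concern raised above, surfaces to the code.

```javascript
// Added example. SESSION_KEY, the session shape and all function names are
// assumptions for illustration; they are not taken from RabbitMQ.
const SESSION_KEY = "oidc.session";

// Handles the request the OP loads in a hidden iframe. `storage` is a Web
// Storage-like object (window.localStorage in a browser).
function handleFrontChannelLogout(requestUrl, storage) {
  const params = new URL(requestUrl).searchParams;
  const iss = params.get("iss");
  const sid = params.get("sid");

  let raw;
  try {
    raw = storage.getItem(SESSION_KEY);
  } catch (err) {
    // Some browsers throw when a third-party iframe touches storage.
    return "storage-blocked";
  }
  // A partitioned (per-top-level-site) store is simply empty, so the handler
  // cannot tell "already logged out" from "wrong partition".
  if (raw === null) return "no-session";

  let session;
  try {
    session = JSON.parse(raw);
  } catch (err) {
    storage.removeItem(SESSION_KEY); // unreadable state is not worth keeping
    return "cleared";
  }
  // Only act when both parameters match the iss and sid claims saved from the
  // ID token at login, so an unrelated page cannot trigger a logout by
  // framing this URL.
  if (!iss || !sid || iss !== session.iss || sid !== session.sid) {
    return "rejected";
  }
  storage.removeItem(SESSION_KEY);
  return "cleared";
}

// In-memory stand-in for localStorage so the example runs under Node.
function makeMemoryStorage(initial) {
  const items = new Map(Object.entries(initial || {}));
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    removeItem: (k) => void items.delete(k),
  };
}
```

A "no-session" result from inside the iframe while the top-level tab still holds a session is the symptom of storage partitioning described in the IMPORTANT note.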