t3ext-oidc

Logout from TYPO3

Open volkan64 opened this issue 6 years ago • 7 comments

If the user logs out from the OP (OpenID Provider), he is still logged in to TYPO3 (cookie). How to detect if the user is still logged in to the OpenID Provider?

volkan64 avatar Jul 10 '19 12:07 volkan64

@funkyferdy Did you solve this? I could think of either:

  • implementing some "logout" callback to TYPO3 from OP but that would be awkward
  • checking session validity with each page call, definitely inefficient
  • some scheduler task which invalidates outdated active sessions
  • anything else?

xperseguers avatar Oct 29 '19 07:10 xperseguers

What about backchannel-ing the logout request? For more information, see:

  • https://medium.com/@robert.broeckelmann/openid-connect-logout-eccc73df758f
  • https://medium.com/@piraveenaparalogarajah/openid-connect-back-channel-logout-1-0-fe1f90c83fe5

ChrisMuc avatar Nov 21 '19 16:11 ChrisMuc

Missed this question :)

> checking session validity with each page call, definitely inefficient

Well, this is one of the ways that, for example, WSO2 has to "synchronise" sessions:

  • https://medium.com/@piraveenaparalogarajah/openid-connect-session-management-dc6a65040cc
  • https://medium.com/@piraveenaparalogarajah/openid-connect-session-management-support-in-wso2-is-8935d80b6437

I think this heavily depends on what "vendor" is behind the identity server and the version/features available in the solutions regarding this topic.

funkyferdy avatar Aug 03 '20 08:08 funkyferdy

Related (other way) with #75

xperseguers avatar Feb 09 '23 07:02 xperseguers

We solved this by adding additional columns to the fe_sessions table where we save the session_state from the OP after login. We then provide an API route for backchannel logout, as suggested by @ChrisMuc, that deletes the TYPO3 session with a matching session_state. For this, we had to create a new session backend (i.e. extend the existing session backend). I don't know if this should be part of the oidc extension though.

theilm avatar Nov 08 '23 13:11 theilm

I think it makes sense to provide a generic logout-URL. Whether this can be used or not of course still depends on the IdP. Microsoft, for instance, supports logout URLs in the Client registration data.

liayn avatar Mar 07 '24 17:03 liayn

To have the spec links here too:

  • https://openid.net/specs/openid-connect-frontchannel-1_0.html
  • https://openid.net/specs/openid-connect-backchannel-1_0.html

liayn avatar Oct 16 '25 10:10 liayn
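
The back-channel logout route described in theilm's comment, combined with the logout-token claim checks from the Back-Channel Logout spec linked above, as an added example that is not code from the extension or from any commenter. Assumptions: the token's signature was already verified against the OP's keys by a JWT library, the stored value equals the token's `sid`, and the column name `oidc_session_state`, the issuer `https://op.example`, the client id `typo3-client` and the in-memory array standing in for `fe_sessions` are all hypothetical.

```php
<?php
declare(strict_types=1);
const LOGOUT_EVENT = 'http://schemas.openid.net/event/backchannel-logout';

/** Check logout-token claims (signature already verified elsewhere); return the sid. */
function validateLogoutClaims(array $c, string $issuer, string $clientId, array &$seenJti, int $now): string
{
    $c += array_fill_keys(['iss', 'aud', 'iat', 'exp', 'jti', 'events', 'sid'], null); // absent => fails below
    $checks = [
        'wrong issuer'            => $c['iss'] === $issuer,
        'wrong audience'          => in_array($clientId, (array)$c['aud'], true),
        'bad iat/exp'             => is_numeric($c['iat']) && is_numeric($c['exp'])
                                     && $c['exp'] > $now && $c['iat'] <= $now + 60, // 60 s clock skew
        'not a logout event'      => is_array($c['events']) && array_key_exists(LOGOUT_EVENT, $c['events']),
        'nonce is prohibited'     => !array_key_exists('nonce', $c),
        'missing sid'             => is_string($c['sid']) && $c['sid'] !== '',
        'missing or replayed jti' => is_string($c['jti']) && !isset($seenJti[$c['jti']]),
    ];
    foreach ($checks as $error => $ok) {
        if (!$ok) {
            throw new InvalidArgumentException($error);
        }
    }
    $seenJti[$c['jti']] = $c['exp']; // remember until expiry to reject replays
    return $c['sid'];
}

/** Delete every session row whose stored OP session id matches the token's sid. */
function backchannelLogout(array $claims, array &$sessions, array &$seenJti, int $now): int
{
    $sid = validateLogoutClaims($claims, 'https://op.example', 'typo3-client', $seenJti, $now);
    $before = count($sessions);
    $sessions = array_filter($sessions, fn(array $row): bool => !hash_equals($row['oidc_session_state'], $sid));
    return $before - count($sessions);
}

// Constructed sample data: two TYPO3 sessions and one decoded logout token.
$now = 1700000000;
$sessions = [
    ['ses_id' => 'a1', 'oidc_session_state' => 'op-session-1'],
    ['ses_id' => 'b2', 'oidc_session_state' => 'op-session-2'],
];
$token = json_decode('{"iss":"https://op.example","aud":"typo3-client","iat":1699999990,
    "exp":1700000110,"jti":"t-1","sid":"op-session-1","events":{"' . LOGOUT_EVENT . '":{}}}', true);
$seen = [];
echo backchannelLogout($token, $sessions, $seen, $now), " session(s) deleted\n";
try {
    backchannelLogout($token, $sessions, $seen, $now); // same jti delivered again
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The spec also allows logout tokens that carry only `sub`; this example requires `sid` because the approach in the thread matches on the stored session value.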