Add support for front-channel OIDC logout #105
Comments
As I understand it, what you are asking for is a front-channel logout implementation, but we support only RP-initiated OIDC logout (see PR #96). The difference is that in the case of front-channel logout, the initiator is the IdP, and logout is performed through an iframe mechanism, relying on
@route443 Our initial idea was to create a keyval map on login, from
As far as I understand, technically, we cannot create a mapping like this:
because if
where I have an idea of how this could be implemented, but the solution requires refinement... Question: whether you use only
We will get both, so the map should then maybe include them both concatenated? Example:
Source in Norwegian for reference: https://docs.digdir.no/docs/idporten/oidc/oidc_func_sso.html#2-h%C3%A5ndtere-utlogging-fra-id-porten-front-channel-logout
I'd prefer to avoid using
Hi @anderius, I've added support for Front-Channel logout in a separate oidc-logout-handling branch. I would greatly appreciate it if you could check these changes in your environment and provide any feedback. You can use openid_connect.js from this branch and make the following changes to your config:

```nginx
keyval_zone zone=oidc_sids:1M state=/var/lib/nginx/state/oidc_sids.json timeout=8h;
keyval $idp_sid $client_sid zone=oidc_sids;
set $idp_sid "";

location = /front_channel_logout {
    status_zone "OIDC logout";
    add_header Cache-Control "no-store";
    js_content oidc.handleFrontChannelLogout;
}
```

Thank you in advance!
Sorry for the long holiday, we will see if we can test the branch as soon as possible.
This works, thank you @route443! 🎉 Just a small bug. The content-type when calling
The current implementation relies on cookies for front-channel logout. As noted in the spec, this is increasingly problematic, as modern browsers will not send cookies with content in an iframe.

The solution is either to use back-channel logout (which my IdP does not support), or use the `sid` parameter from the id-token as a session identifier, as is optional in the spec.

My feature request is that this oidc-implementation supports the `sid` parameter for front-channel logout.