Support RP (Client) initiated logout #5350
Comments
@thomasdarimont, quick question about the way Keycloak supports RP-initiated logout. The way I read the spec for RP-logout:
is that the RP would do a redirect as opposed to a server-side call. Is a server-side call the preferred way in Keycloak, or is that just isolated to your sample? Also, I'm wondering if you see something different in the spec than I do. We want to remain spec compliant in the implementations that Spring Security provides and hopefully make it easy to extend for folks who need to depart from the spec. Do you see a server-side call as within the bounds of the OpenID spec? I found the following article to be informative, relative to what kinds of flows are possible within the spec.
In my example I do the logout behind the scenes since I want to stay in the application. Keycloak currently supports multiple ways to access the end_session endpoint:
The current version of Keycloak seems to lack support for the Front-Channel logout though. I didn't have time to read the full article yet - will do and get back to this later.
Cool, thanks for the links. Reading the Back-Channel logout spec, it appears that is a way for RPs to register an endpoint and that the OP initiates the logout. Note that section 3, "RP-Initiated Logout Functionality", just refers back to the Session Management spec.
@jzheaux, any thoughts on whether this will get a new milestone attached? Is it a good candidate for contribution? Supporting RP-initiated logout is in my backlog right now. If it's over the horizon for framework support I'm happy to wait a little bit. If you think it's "stuck", it's something I or my team would be working on in the next few months either way.
@wtatum, yes, this task is a good candidate for contribution, thanks for asking. Would you be able to put together a PR by March (you mentioned that it may be on your backlog for a few months)? If so, the task is yours! Otherwise, I think there is a good chance I'll be able to tackle it myself before then. Essentially, it's a matter of creating a logout success handler that looks up the
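To make the spec reading above concrete (the RP clears its own session and then redirects the browser to end_session_endpoint, rather than calling it server-side), here is both sides of that exchange modelled offline. This is an added example for this thread, not code from this issue, from Spring Security, or from Keycloak. Everything in it is constructed: the OP and RP hostnames, the HS256 shared secret, the `sid` claim used to name the OP session, the in-memory session store, and the set of registered post-logout URIs are all placeholders, and the RP-side function only sketches what a logout success handler would do, not any framework API.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed fixtures: a placeholder OP and RP, not a real deployment.
OP_ISSUER = "https://op.example.com"
PROVIDER_METADATA = {  # the two discovery-document fields this flow needs
    "issuer": OP_ISSUER,
    "end_session_endpoint": OP_ISSUER + "/oidc/logout",
}
CLIENT_ID = "spring-app"
CLIENT_SECRET = b"constructed-shared-secret"  # HS256 key the OP shares with this client
# The OP only redirects back to URIs the client registered (exact string match).
REGISTERED_POST_LOGOUT_URIS = {"https://rp.example.com/", "https://rp.example.com/logged-out"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub: str, sid: str) -> str:
    """OP side: mint an HS256 ID Token; `sid` names the OP browser session it came from."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": OP_ISSUER, "sub": sub, "aud": CLIENT_ID, "sid": sid}).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str) -> dict:
    """OP side: reject a forged or foreign id_token_hint before acting on its claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("id_token_hint signature invalid")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != OP_ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("id_token_hint was not issued by this OP to this client")
    return claims


def rp_build_logout_redirect(id_token: str, post_logout_redirect_uri: str,
                             state: Optional[str] = None) -> Tuple[str, str]:
    """RP side (what a logout success handler would do): after clearing its own session,
    send the *browser* to end_session_endpoint. Returns (location, state); the RP keeps
    `state` so it can recognise the OP's return."""
    state = state or secrets.token_urlsafe(16)
    params = {"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri, "state": state}
    return f"{PROVIDER_METADATA['end_session_endpoint']}?{urlencode(params)}", state


def op_end_session(request_url: str, sessions: dict) -> dict:
    """OP side: handle GET end_session_endpoint. Ends the session the hint names and
    says where the browser goes next (None when no return URI was requested)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    if "id_token_hint" not in q:
        raise ValueError("id_token_hint required")  # a hint-less logout needs user confirmation instead
    claims = verify_id_token(q["id_token_hint"])
    target = q.get("post_logout_redirect_uri")
    if target is not None and target not in REGISTERED_POST_LOGOUT_URIS:
        raise ValueError("post_logout_redirect_uri not registered for this client")  # open-redirect guard
    ended = sessions.pop(claims["sid"], None) is not None
    location = target
    if target is not None and "state" in q:
        sep = "&" if "?" in target else "?"
        location = f"{target}{sep}{urlencode({'state': q['state']})}"
    return {"ended": ended, "location": location}


def rp_verify_return(return_url: str, expected_state: str) -> bool:
    """RP side: only treat the return as the end of *our* logout if state matches."""
    q = parse_qs(urlsplit(return_url).query)
    return hmac.compare_digest(q.get("state", [""])[0], expected_state)


def run_flow() -> dict:
    """Drive one full round trip against a constructed OP session store."""
    sessions = {"sid-1": {"sub": "alice"}}  # the OP's live browser sessions
    token = issue_id_token("alice", "sid-1")
    location, state = rp_build_logout_redirect(token, "https://rp.example.com/logged-out")
    result = op_end_session(location, sessions)
    return {
        "op_session_ended": result["ended"],
        "sessions_left": len(sessions),
        "return_accepted": rp_verify_return(result["location"], state),
        "return_url": result["location"],
    }


if __name__ == "__main__":
    print(run_flow())
```

Three checks carry the security weight here: the OP verifies the signature, issuer and audience of `id_token_hint` before ending anything; it only redirects to a `post_logout_redirect_uri` that exactly matches a registered value, so the endpoint cannot be used as an open redirector; and the RP compares `state` on the way back. Because the whole thing is a browser redirect, the OP receives its own session cookie along with the request, which is the part a server-to-server call from the RP can never supply.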
Yes, I think that's pretty likely. I'll keep you posted after the holidays.
Hey, @wtatum, hope you had a nice holiday! Are you thinking you'd still like to contribute a PR for this task? If not, I believe I'll soon have time to take it up myself, so it's fine either way.
@wtatum It looks like I'll go ahead and submit a PR for this. I'll reach out to you for feedback to see if it meets your needs.
Sorry, I dropped off the radar on this one. If you are able to take it on then please go ahead. I'm happy to provide feedback.
Will
Hi Team, I have been looking for this for some days now. We have Spring Boot based application(s) using Okta as IdP, using the okta spring boot starter, which injects Spring Security 5.1.5. With some effort, I was able to configure a gradle script so that my WAR file now has Spring Security 5.2.0.M4 jars. I am still unable to clear / kill the Okta session after hitting the default logout URL. It is configured as a link (app/logout) on the app's UI, so no XHR, just a link. Am I missing anything? Vivek
Summary
end_session_endpoint is part of the OIDC spec:
http://openid.net/specs/openid-connect-session-1_0.html#RPLogout
Additional Info
This is born out of some observations from @thomasdarimont in an OAuth GitHub sample.