request #13499 Add Logout endpoint to OpenID Connect plug-in
    Gerke Max Preussner (gmpreussner)
    2019-07-23 21:58
    2019-06-18 05:02
    Add Logout endpoint to OpenID Connect plug-in
    The OpenID spec does not currently include Single-Sign-Out. However, many identity providers, such as Google and Yahoo, support a logout URL that can be called to sign out a user from the IdP and not just locally.

    Please add a "Logout endpoint" to the existing OpenID Connect plug-in configuration that will be called when the user clicks the logout button or navigates to /account/logout and the provider is set as a "Unique Authentication Source".


    • Just to clarify the motivation for my request: I am using Tuleap with an OpenID provider as the only authentication source. There is currently no way to really log out the user, because the OpenID provider does not know about it. When the user clicks the "Logout" link on the Tuleap web site, the user is temporarily logged out of Tuleap. However, when the user visits the Tuleap web site again, they are automatically logged in (via redirect through the OpenID provider), because the OpenID provider considers the user still to be logged in. As a result, it is currently impossible to log in as a different user. The only workaround I know is to open the Tuleap web site in a private tab, so that the authentication tokens are not persisted.
    • Thanks for the follow-up, Thomas. You are right, of course. There is currently no standardized logout between popular providers. What I am suggesting is adding a setting in the OpenID plugin where the Tuleap administrator can specify an arbitrary logout URL that the user's browser is redirected to when the Logout button is clicked. For example, for the Google IdP one could then provide something like https://www.google.com/accounts/Logout?continue=https://example.com/
    • So technically there is a draft specification [0] about session management with OpenID Connect. As of today, Tuleap does not implement it.

      I took a look at the discovery document of the two OIDC providers you mentioned (Google and Yahoo) and it seems they do not expose an end_session_endpoint URL.

      It's unlikely that Tuleap as part of the OpenID Connect Client plugin starts supporting things that are not in the specifications for some providers. The OIDC specification is already complex enough as it is.

      [0] https://openid.net/specs/openid-connect-session-1_0.html

      • Status changed from New to Acknowledged
      • Reported in version changed from 11.2 to All
      • Platform cleared values: CentOS 7
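    The logic discussed in this request (the feature description above and the last comment) can be illustrated with the following added example. It is not Tuleap code and not part of the OpenID Connect Client plugin; it shows how a relying party would decide where to send the browser after destroying its local session: first by checking the provider's discovery document for the `end_session_endpoint` defined in the draft session management spec [0], then by falling back to an administrator-configured logout URL as the request proposes. The discovery documents and URLs below are constructed samples, and the function names are the example's own.

```python
import json
from urllib.parse import urlencode, urlsplit

# Constructed sample of an OIDC discovery document (not fetched from a real provider).
# The draft session management spec defines end_session_endpoint; providers that do
# not implement it (the comment above reports Google and Yahoo do not) omit the key.
DISCOVERY_WITH_END_SESSION = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "end_session_endpoint": "https://idp.example.com/logout",
})

DISCOVERY_WITHOUT_END_SESSION = json.dumps({
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org/authorize",
    "token_endpoint": "https://idp.example.org/token",
})


def _require_https_url(url, what):
    """The user's browser will be redirected to this URL, so only accept an
    absolute https URL; anything else is a misconfiguration."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{what} must be an absolute https URL")
    return url


def end_session_endpoint(discovery_json):
    """Return the provider's end_session_endpoint, or None if it is not advertised."""
    doc = json.loads(discovery_json)
    endpoint = doc.get("end_session_endpoint")
    if endpoint is None:
        return None
    return _require_https_url(endpoint, "end_session_endpoint")


def build_logout_redirect(discovery_json, id_token, post_logout_redirect_uri,
                          admin_logout_url=None):
    """Where to send the browser once the local session has been destroyed.

    1. If the provider advertises end_session_endpoint, use RP-initiated logout
       from the draft spec: pass id_token_hint and post_logout_redirect_uri
       (the latter must be pre-registered with the provider).
    2. Otherwise fall back to the administrator-configured logout URL, which is
       what this request asks for. Only the administrator sets it; never take
       the target from request parameters, or the logout page becomes an open
       redirect.
    3. Otherwise only a local logout is possible: send the user back to the
       application, which is the behaviour the reporter describes.
    """
    endpoint = end_session_endpoint(discovery_json)
    if endpoint is not None:
        query = urlencode({
            "id_token_hint": id_token,
            "post_logout_redirect_uri": post_logout_redirect_uri,
        })
        separator = "&" if urlsplit(endpoint).query else "?"
        return endpoint + separator + query
    if admin_logout_url:
        return _require_https_url(admin_logout_url, "configured logout URL")
    return post_logout_redirect_uri


if __name__ == "__main__":
    print(build_logout_redirect(DISCOVERY_WITH_END_SESSION, "id.token.value",
                                "https://tuleap.example.com/"))
    print(build_logout_redirect(DISCOVERY_WITHOUT_END_SESSION, "id.token.value",
                                "https://tuleap.example.com/",
                                "https://idp.example.org/Logout?continue=https://tuleap.example.com/"))
```

    In the first case the browser is sent to the provider's `end_session_endpoint` with the ID token as a hint, so the provider can end its own session rather than silently re-authenticating the user on the next visit. The order matters: the local Tuleap session must be invalidated before issuing the redirect, since the provider may not return the browser at all.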