Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #13499 Add Logout endpoint to OpenID Connect plug-in
    Actions
    Infos
    #13499
    Gerke Max Preussner (gmpreussner)
    2021-04-19 07:27
    2019-06-18 05:02
    14607
    Details
    Add Logout endpoint to OpenID Connect plug-in
    The OpenID spec does not currently include Single-Sign-Out. However, many identity providers, such as Google and Yahoo support a logout URL that can be called to sign out a user from the IdP and not just locally.

    Please add a "Logout endpoint" to the existing OpenID Connect plug-in configuration that will be called when the user clicks the logout button or navigates to /account/logout and the provider is set as a "Unique Authentication Source".
    Empty
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Acknowledged
    Empty
    Attachments
    Artifact links
    Empty
    Empty
    References
    References list is empty
    Display settings

    Follow-ups

    User avatar
    Gerke Max Preussner (gmpreussner)2019-07-23 21:58
    Just to clarify the motivation for my request: I am using Tuleap with an OpenID provider as the only authentication source. There is currently no way to really log out the user, because the OpenID provider does not know about it. When the user clicks the "Logout" link on the Tuleap web site, the user is temporarily logged out of Tuleap. However, when the user visits the Tuleap web site again, they are automatically logged in (via redirect through the OpenID provider), because the OpenID provider considers the user still to be logged in. As a result, it is currently impossible to log in as a different user. The only workaround I know is to open the Tuleap web site in a private tab, so that the authentication token are not persisted.
    User avatar
    Gerke Max Preussner (gmpreussner)2019-06-24 02:06
    Thanks for the follow-up, Thomas. You are right, of course. There is currently no standardized logout between popular providers. What I am suggesting is the adding of a setting in the OpenID plugin where the Tuleap administrator can specify an arbitrary logout URL that the user's browser is redirected to when the Logout button is clicked. For example, for the Google IdP one could then provide something like https://www.google.com/accounts/Logout?continue=https://example.com/
    User avatar
    Thomas Gerbet (tgerbet)2019-06-19 16:21
    Hi,

    So technically there is a draft specification [0] about session management with OpenID Connect. As of today, Tuleap does not implement it.

    I took a look at the discovery document of the two OIDC providers you mentioned (Google and Yahoo) and it seems they do not expose an end_session_endpoint URL.


    It's unlikely that Tuleap as part of the OpenID Connect Client plugin starts supporting things that are not in the specifications for some providers. The OIDC specification is already complex enough as it is.


    [0] https://openid.net/specs/openid-connect-session-1_0.html
    • Status changed from New to Acknowledged
    • Reported in version changed from 11.2 to All
    • Platform cleared values: EL7 (CentOS|RHEL)