
Support for OIDC Logout URL Generation #338

Open

arhea opened this issue May 17, 2024 · 2 comments

Comments

@arhea

arhea commented May 17, 2024

OIDC and other SSO integrations support redirecting the user or calling a logout endpoint. Often, an enterprise requirement is to log the user completely out of the application and the identity provider to meet security requirements.

For example, suppose the user authenticates with OIDC to your application and then logs out of your application. Simply clicking login again, the user will likely not be prompted to sign in to the identity provider again and will be automatically logged back in.

To combat this, OIDC implemented RP-Initiated Logout, which allows applications to send the user on logout to the IdP to be completely logged out.

This request is to add GetLogoutURL in the same style as the GetAuthorizationURL API that would build the URL for logging out the user. This method is needed because it requires access to the Well-Known config which is not readily available in the client (it can be done but requires extra code).

Ideally, the SDK would work as follows:

```go
// Proposed shape of the API (not an existing method of the SDK).
logoutURL, err := client.GetLogoutURL(GetLogoutURLOpts{
    RedirectUri: "", // required, where to land after logging out
    State:       "", // optional, state parameter for the client
    Locale:      "", // optional, hint to language of the user
})
```

The API would already know the Client ID and ID Token which are required by OIDC.
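The following is an added example, not code from this issue or from the SDK it concerns, showing what such a `GetLogoutURL` helper has to do under the hood: read `end_session_endpoint` from the provider's `/.well-known/openid-configuration` document and assemble an RP-Initiated Logout URL carrying `id_token_hint`, `client_id`, `post_logout_redirect_uri` and the optional `state` and `ui_locales` parameters. The discovery document, client ID and ID token below are constructed sample values; the type and function names (`DiscoveryDoc`, `ParseDiscovery`, `BuildLogoutURL`, `GetLogoutURLOpts`) are hypothetical and not part of any real SDK. The example also handles the failure modes a practitioner would want covered: a provider that does not advertise an end-session endpoint, a missing redirect URI, and a non-HTTPS endpoint.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// DiscoveryDoc holds the subset of the OpenID Provider Metadata
// (served at /.well-known/openid-configuration) needed for logout.
type DiscoveryDoc struct {
	Issuer             string `json:"issuer"`
	EndSessionEndpoint string `json:"end_session_endpoint"`
}

// GetLogoutURLOpts mirrors the option names proposed in the issue (hypothetical type).
type GetLogoutURLOpts struct {
	RedirectURI string // required: becomes post_logout_redirect_uri (must be registered with the OP)
	State       string // optional: opaque value the OP echoes back on the redirect
	Locale      string // optional: ui_locales hint for the OP's logout page
}

// constructedDiscovery is a constructed sample discovery document, not a real provider's.
const constructedDiscovery = `{
  "issuer": "https://idp.example.test",
  "end_session_endpoint": "https://idp.example.test/oidc/logout"
}`

// ParseDiscovery decodes the discovery JSON an SDK would normally fetch over HTTPS.
func ParseDiscovery(raw []byte) (DiscoveryDoc, error) {
	var doc DiscoveryDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return DiscoveryDoc{}, fmt.Errorf("decoding discovery document: %w", err)
	}
	if doc.Issuer == "" {
		return DiscoveryDoc{}, errors.New("discovery document has no issuer")
	}
	return doc, nil
}

// BuildLogoutURL assembles the RP-Initiated Logout request URL.
// clientID and idToken are what the SDK already holds for the session;
// the OP uses id_token_hint to identify which session to end and client_id
// to validate that post_logout_redirect_uri was registered for this client.
func BuildLogoutURL(doc DiscoveryDoc, clientID, idToken string, opts GetLogoutURLOpts) (string, error) {
	if doc.EndSessionEndpoint == "" {
		return "", errors.New("provider advertises no end_session_endpoint; RP-Initiated Logout unsupported")
	}
	if opts.RedirectURI == "" {
		return "", errors.New("RedirectURI is required")
	}
	u, err := url.Parse(doc.EndSessionEndpoint)
	if err != nil {
		return "", fmt.Errorf("invalid end_session_endpoint: %w", err)
	}
	if u.Scheme != "https" {
		return "", errors.New("end_session_endpoint must use https")
	}
	q := u.Query()
	q.Set("client_id", clientID)
	if idToken != "" {
		q.Set("id_token_hint", idToken)
	}
	q.Set("post_logout_redirect_uri", opts.RedirectURI)
	if opts.State != "" {
		q.Set("state", opts.State)
	}
	if opts.Locale != "" {
		q.Set("ui_locales", opts.Locale)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	doc, err := ParseDiscovery([]byte(constructedDiscovery))
	if err != nil {
		panic(err)
	}
	// "client-123" and the token string are constructed placeholders.
	logoutURL, err := BuildLogoutURL(doc, "client-123", "eyJ.constructed.idtoken", GetLogoutURLOpts{
		RedirectURI: "https://app.example.test/logged-out",
		State:       "abc123",
		Locale:      "fr-CA",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(logoutURL)
}
```

Two design points worth noting: the helper refuses to build a URL when the discovery document lacks `end_session_endpoint`, because silently redirecting the user to a non-existent endpoint leaves them logged in at the IdP while the application believes logout succeeded; and the redirect target is only a value the application supplies, so the OP-side registration of `post_logout_redirect_uri` remains the control that prevents open-redirect abuse of the logout flow.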

@yagupta

yagupta commented Jul 9, 2024

++ same problem

@johnpudd-ec

Same here. Without the ability to sign out of the provider, the user never really completes a logout. Although the session may be ended, the next time the user tries to log in, they are automatically logged in with whichever account they used last time.

The user needs to be able to log out fully, and have the option to select a different account the next time they click login.

Labels
None yet
Development

No branches or pull requests

3 participants