Comments (5)

jeriox commented on July 18, 2024

I suppose you need to hand something to the Identity Provider (token?) to reference the user that should be logged out? Do you know any documentation about how that should be done? If we need to pass something, we might not be able to include that as it would be provider-specific.

Regarding the redirect afterwards I had a quick look at the code and https://github.com/H2CK/oidc/blob/master/lib/Controller/LogoutController.php#L266-L273 has a post_redirect_uri that can be passed. But again, this is specific to the provider and therefore can't make it into ephios core.

jeriox commented on July 18, 2024

The functionality that you describe is not currently part of the OIDC specification. There are specific implementations for some Identity Providers, e.g. mozilla/mozilla-django-oidc#320 explains how to set this up with Keycloak for our OIDC library. There is an additional spec (https://openid.net/specs/openid-connect-session-1_0.html) that is either in draft status or not yet implemented by Identity Providers; I wasn't quite sure which one is appropriate.

So the feature you requested would most probably need some specific code for Nextcloud, similar to the issue linked above, unless you can just redirect the user to a URL on the Nextcloud (GET request). But that would mean that the users always end up on the Nextcloud login page after logging out from ephios.

pov91 commented on July 18, 2024

We did something similar between Nextcloud and Moodle. Here the endpoint index.php/apps/oidc/logout mentioned in the documentation of the Nextcloud OIDC Provider App can be specified in the Moodle OIDC plugin. As a result, the user is forwarded to Nextcloud and logged out when the logout button is clicked. Unfortunately, there is no redirection back to Moodle, but the successful logout does not create a security gap. So that would be preferable.

pov91 commented on July 18, 2024

About the settings: The identity provider needs a front-channel logout URL from the client and the client needs an IdP logout endpoint. I think a redirect is nice to have, but not absolutely necessary.

Here is the documentation of the Nextcloud app for the logout:
https://github.com/H2CK/oidc#endpoints

I think this might be helpful (this is what the Nextcloud app documentation refers to):
https://openid.net/specs/openid-connect-rpinitiated-1_0.html

The Moodle plugin is part of the Microsoft Office 365 implementation in Moodle - unfortunately without detailed documentation on the logout.

jeriox commented on July 18, 2024

Regarding the redirect afterwards I had a quick look at the code and https://github.com/H2CK/oidc/blob/master/lib/Controller/LogoutController.php#L266-L273 has a post_redirect_uri that can be passed. But again, this is specific to the provider and therefore can't make it into ephios core.

@pov91 maybe you can experiment a bit while setting the logout URL. If I understood that section correctly, you should be able to append a post_redirect_uri to the LOGOUT_URL that you set within ephios so it gets passed to Nextcloud, which in turn should redirect you back to ephios.
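
The logout round trip discussed in this thread, as an added example that is not part of the original comments and is not ephios or Nextcloud code. The parameter names `id_token_hint`, `post_logout_redirect_uri` and `state` come from the RP-Initiated Logout spec linked above; the host names and token value are constructed, and whether a given provider accepts these exact parameter names is an assumption.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def build_logout_url(end_session_endpoint, id_token, post_logout_redirect_uri):
    """Client side: build the logout request and return (url, state).

    `state` is a random value the client stores in the user's session and
    expects to see again when the provider redirects back.
    """
    state = secrets.token_urlsafe(16)
    query = urlencode({
        "id_token_hint": id_token,  # tells the provider which session to end
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })
    # Respect a query string that is already part of the configured endpoint.
    sep = "&" if urlsplit(end_session_endpoint).query else "?"
    return f"{end_session_endpoint}{sep}{query}", state


def redirect_allowed(requested_uri, registered_uris):
    """Provider side: accept only an exact match with a pre-registered URI.

    Prefix or substring matching would let a look-alike host pass, turning
    the logout endpoint into an open redirect.
    """
    return requested_uri in registered_uris


def logout_return_valid(callback_url, expected_state):
    """Client side: check that the redirect back carries the stored state."""
    returned = parse_qs(urlsplit(callback_url).query).get("state", [])
    if len(returned) != 1:
        return False
    return hmac.compare_digest(returned[0].encode(), expected_state.encode())


if __name__ == "__main__":
    # Constructed sample values; the path is the endpoint named in the thread.
    url, state = build_logout_url(
        "https://cloud.example.org/index.php/apps/oidc/logout",
        "constructed.id.token",
        "https://ephios.example.org/",
    )
    print(url)
    print(redirect_allowed("https://ephios.example.org/", {"https://ephios.example.org/"}))
    print(logout_return_valid(f"https://ephios.example.org/?state={state}", state))
```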
