Provider logout does not occur when destination is present

Created on 26 May 2022, almost 3 years ago
Updated 1 April 2025, 1 day ago

Problem/Motivation

As implemented in https://www.drupal.org/project/openid_connect/issues/3061438 , there is a "Logout from identity provider" setting. It works well if you simply go to the logout path, however if a destination parameter is present it does not occur.

When the module is configured to log out of the provider, the provider logout should be triggered regardless of where the user indicates they want to go next.

Steps to reproduce

  1. Enable and configure a client that supports logging out of the identity provider (IdP)
  2. Log in via the client
  3. Go to the logout URL with a destination set (this will be most obvious if the destination is the login page)
  4. Observe that you are still logged in

Proposed resolution

This is related to the removal of drupal_goto() almost 10 years ago. If you look at the change record, there is a note right on it about the unexpected behavior. This module is getting around that problem during the authentication step by removing the destination parameter from the request (see OpenIDConnectClientBase->authorize()). It seems to make sense to do the same during logout when a TrustedRedirectResponse is being sent.

The unfortunate thing about this proposed resolution is that the destination will be lost. Potentially we could add the destination onto the logout redirect URL, but I am not sure if that is valid. My IdP states that it does not compare query parameters in the logout callback URLs, but it is not clear to me if that meets the OpenID Connect spec or not regarding wording around exact matches (does that include the query parameters?). If necessary to choose between logging out and going to the destination, it seems preferable to log the user out.

See https://www.drupal.org/node/2023537 .

When redirecting to an external location, use TrustedRedirectResponse. (Note that if Drupal has a destination set, it will unexpectedly override all redirects).

See https://openid.net/specs/openid-connect-rpinitiated-1_0.html#rfc.section.3.

The OP also MUST NOT perform post-logout redirection if the post_logout_redirect_uri value supplied does not exactly match one of the previously registered post_logout_redirect_uris values.

See also https://www.drupal.org/project/drupal/issues/2640672 (Make redirect.destination service update request; closed as duplicate).
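As an added illustration (not code from the openid_connect module), a logout helper that applies the resolution proposed above: the destination parameter is removed from the request before the TrustedRedirectResponse to the provider's end_session endpoint is returned, so Drupal's redirect subscriber has nothing to override it with. The module namespace, class name and method parameters are assumptions; the post_logout_redirect_uri is sent without any added query string, in line with the exact-match wording quoted from the spec.

```php
<?php

namespace Drupal\example_oidc_logout;

use Drupal\Core\Routing\TrustedRedirectResponse;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\Request;

/**
 * Illustrative helper (hypothetical, not part of openid_connect).
 *
 * Builds the redirect to the IdP's end_session endpoint and makes sure
 * Drupal's RedirectResponseSubscriber cannot replace it with ?destination=.
 */
final class ProviderLogoutRedirect {

  /**
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The current request (the one carrying a possible ?destination=).
   * @param string $endSessionEndpoint
   *   The provider's end_session_endpoint (assumed to come from client config).
   * @param string $postLogoutRedirectUri
   *   Must exactly equal a value registered at the IdP, so no per-request
   *   data (such as the dropped destination) is appended to it.
   * @param string|null $idTokenHint
   *   The ID token of the session being ended, if the client kept one.
   */
  public static function build(Request $request, string $endSessionEndpoint, string $postLogoutRedirectUri, ?string $idTokenHint = NULL): TrustedRedirectResponse {
    // Core reads ?destination= from the request's query bag and rewrites the
    // Location of any RedirectResponse with it. Removing the parameter here
    // mirrors what the authorize() step already does, so the IdP redirect
    // survives. The destination is intentionally lost; log it for visibility.
    if ($request->query->has('destination')) {
      $dropped = $request->query->get('destination');
      $request->query->remove('destination');
      \Drupal::logger('example_oidc_logout')->notice('Dropped destination @dest so the provider logout proceeds.', ['@dest' => $dropped]);
    }

    $query = ['post_logout_redirect_uri' => $postLogoutRedirectUri];
    if ($idTokenHint !== NULL) {
      $query['id_token_hint'] = $idTokenHint;
    }
    $url = Url::fromUri($endSessionEndpoint, ['query' => $query])->toString(TRUE);

    $response = new TrustedRedirectResponse($url->getGeneratedUrl());
    // Propagate the generated URL's cacheability metadata to the response.
    $response->addCacheableDependency($url);
    return $response;
  }

}
```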

Remaining tasks

Agree on resolution.

User interface changes

None

API changes

None

Data model changes

None

🐛 Bug report
Status

Active

Version

3.0

Component

Code
