- Merge request !153 Draft: Remove query destination when ending session on logout (Issue #3282560) (Open) created by Unnamed author
As implemented in https://www.drupal.org/project/openid_connect/issues/3061438, there is a "Logout from identity provider" setting. It works well if you simply go to the logout path, however if a destination parameter is present it does not occur.
When the module is configured to log out of the provider, the provider logout should be triggered regardless of where the user indicates they want to go next.
This is related to the removal of drupal_goto() almost 10 years ago. If you look at the change record, there is a note right on it about the unexpected behavior. This module is getting around that problem during the authentication step by removing the destination parameter from the request (see OpenIDConnectClientBase->authorize()). It seems to make sense to do the same during logout when a TrustedRedirectResponse is being sent.
The unfortunate thing about this proposed resolution is that the destination will be lost. Potentially we could add the destination onto the logout redirect URL, but I am not sure if that is valid. My IdP states that it does not compare query parameters in the logout callback URLs, but it is not clear to me if that meets the OpenID Connect spec or not regarding wording around exact matches (does that include the query parameters?). If necessary to choose between logging out and going to the destination, it seems preferable to log the user out.
See https://www.drupal.org/node/2023537.
When redirecting to an external location, use TrustedRedirectResponse. (Note that if Drupal has a destination set, it will unexpectedly override all redirects).
See https://openid.net/specs/openid-connect-rpinitiated-1_0.html#rfc.section.3.
The OP also MUST NOT perform post-logout redirection if the post_logout_redirect_uri value supplied does not exactly match one of the previously registered post_logout_redirect_uris values.
See also https://www.drupal.org/project/drupal/issues/2640672 (Make redirect.destination service update request; Closed: duplicate).
Agree on resolution.
Active
3.0
Code
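The exact-match question raised in the issue summary, as an added example (not code from the openid_connect module or from the merge request): the OP-side check is modelled as simple string comparison, which is an assumption about how "exactly match" is read, and the destination is carried through the `state` parameter defined in the same RP-Initiated Logout specification instead of being appended to `post_logout_redirect_uri`, which goes beyond what the issue proposes. All function names, URLs, the token placeholder and the `$stateStore` array are hypothetical.

```php
<?php
// Added illustration: every URL, name and the $stateStore array is constructed.

// OP side. Assumption: "exactly match" is read as simple string comparison,
// so the query string is part of what gets compared.
function op_allows_post_logout_redirect(string $supplied, array $registered): bool {
  return in_array($supplied, $registered, true);
}

// RP side: build the end-session request. The local destination is kept
// server-side and referenced through the spec's `state` parameter, leaving
// post_logout_redirect_uri byte-for-byte equal to the registered value.
function build_logout_url(string $endSession, string $idToken, string $postLogoutUri,
                          ?string $destination, array &$stateStore): string {
  $params = ['id_token_hint' => $idToken, 'post_logout_redirect_uri' => $postLogoutUri];
  if ($destination !== null) {
    $state = bin2hex(random_bytes(16));
    $stateStore[$state] = $destination;
    $params['state'] = $state;
  }
  return $endSession . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// RP side, on the post-logout callback: resolve `state` back to a destination.
function destination_from_state(?string $state, array &$stateStore): string {
  if ($state === null || !isset($stateStore[$state])) {
    return '/';
  }
  $destination = $stateStore[$state];
  unset($stateStore[$state]); // single use
  // Only site-relative paths are honoured, so the callback is not an open redirect.
  return preg_match('#^/(?![/\\\\])#', $destination) === 1 ? $destination : '/';
}

$registered = ['https://site.example/openid-connect/logout-return'];
$appended = $registered[0] . '?destination=' . rawurlencode('/node/1');
printf("registered URI accepted: %s\n", var_export(op_allows_post_logout_redirect($registered[0], $registered), true));
printf("URI with destination appended accepted: %s\n", var_export(op_allows_post_logout_redirect($appended, $registered), true));

$stateStore = [];
$url = build_logout_url('https://idp.example/logout', 'ID_TOKEN_PLACEHOLDER', $registered[0], '/node/1', $stateStore);
parse_str((string) parse_url($url, PHP_URL_QUERY), $sent);
printf("post_logout_redirect_uri sent unchanged: %s\n", var_export($sent['post_logout_redirect_uri'] === $registered[0], true));
printf("destination after callback: %s\n", destination_from_state($sent['state'], $stateStore));
printf("unknown state falls back to: %s\n", destination_from_state('not-issued', $stateStore));
```

An OP that ignores query parameters when comparing, as the IdP mentioned in the summary is said to do, would accept the appended form; the strict comparison modelled here would not.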