Add _csrf_confirm_form_route option for to the user/logout route

Created on 9 April 2025, about 1 month ago

Problem/Motivation

This is a followup issue to https://www.drupal.org/project/openid_connect/issues/3508791 🐛 Add CSRF protection for /user/logout Active .

In that issue, we added CSRF protection to the logout link provided by OpenID Connect. The next step is to add a confirmation form to the route to follow the Core best practices (see: https://www.drupal.org/node/3152693 → ).

Steps to reproduce

1. Login with an OpenID provider.
2. Browse to `user/logout`
3. Currently receive a 403 access denied (because of the missing CSRF token).

Proposed resolution

Add the `_csrf_confirm_form_route` token to the logout route and provide the confirmation form to allow the logout action without the csrf token in the route.

Remaining tasks

[ ] Add the route option
[ ] Add the confirmation form
[ ] Add testing.

✨ Feature request

Status

Active

Version

3.0

Component

Code

Created by

🇺🇸United States pfrilling Minster, OH

Live updates comments and jobs are added and updated live.

Merge Requests

!159Add _csrf_confirm_form_route option for to the user/logout route
Open
🇺🇸United States pfrilling
updated 21 days ago

Comments & Activities

Issue created by @pfrilling
Merge request !159Resolve #3518252 "Add csrfconfirmformroute option" → (Open) created by pfrilling
Comment 21 days ago →
🇺🇸United States pfrilling Minster, OH
I was able to get this working. It took a pretty big refactor of the logout redirect. I ended up moving that logic to a separate service so that it could be reused across the new confirmation form as well as the logout controller. If anyone has some time to manually test this, that would be appreciated.
Comment 21 days ago →
🇺🇸United States pfrilling Minster, OH
Comment 21 days ago →
🇺🇸United States ben.hamelin Adirondack Mountains, NY
@pfrilling code review looks good.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024