Add client name to session and redirect after logout only for active client in multiclient environment

Created on 11 April 2025, 19 days ago

Problem/Motivation

In environments where multiple OpenID Connect clients (each with an end session endpoint defined) are enabled together with the "Logout from identity provider" setting, users may be redirected to the wrong identity provider after logging out. This occurs because:

  • Users can have multiple connected accounts in a multiclient setup.
  • The system queries all connected accounts by username, and the result does not indicate which account was actually used for the current login.
  • The redirectLogout() function therefore has no information about which client was used for the login session.

If the last returned client name does not correspond to the account used for login, the user is redirected to the wrong identity provider, and the session at the identity provider that was actually used is never terminated.

This issue is acknowledged in the redirectLogout() function with the following @todo note:

    // @todo The fact that the user has a connected account doesn't necessarily
    //   mean that it was used for the login. This info should probably be kept
    //   in the session.

Steps to reproduce

  1. Configure more than one OpenID Connect client.
  2. Enable "Logout from identity provider" and "Automatically connect existing users" settings.
  3. Define an end session endpoint for each enabled client.
  4. Log in using the first client and then log out.
  5. Log in using the second client and then log out.
  6. Log in using the first client and then log out.

Users may be redirected to the incorrect identity provider, and the session may not be terminated at the identity provider's end.

Proposed resolution

  • Store the client name in the session to track which client was used for login.
  • Ensure logout operations are performed only for the connected account used for login.
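The following is an added example (not code from the openid_connect module) that walks through reproduction steps 4 to 6 and contrasts the two lookups described above: the current username-based lookup, which returns whichever connected account comes last, and the proposed session-based lookup, which records the client name at login and only redirects to that client's end session endpoint. The authmap array, the endpoint URLs, the session key and every function name here are constructed for illustration and are not the module's real API or configuration.

```php
<?php
// Added example, not the openid_connect module's code. All names, the
// authmap data and the endpoint URLs are constructed for this illustration.
declare(strict_types=1);

// Constructed stand-in for the authmap: one user with two connected accounts,
// one per OpenID Connect client ("Automatically connect existing users").
const AUTHMAP = [
    'alice' => [
        ['client' => 'idp_a', 'sub' => 'a-123'],
        ['client' => 'idp_b', 'sub' => 'b-456'],
    ],
];

// Constructed end session endpoints, one per enabled client (placeholders).
const END_SESSION_ENDPOINTS = [
    'idp_a' => 'https://idp-a.example/logout',
    'idp_b' => 'https://idp-b.example/logout',
];

/**
 * Current behaviour as described in the issue: all connected accounts for the
 * username are fetched and the last client name wins, regardless of which
 * client was used for this login.
 */
function redirectLogoutByUsername(string $username): ?string
{
    $client = null;
    foreach (AUTHMAP[$username] ?? [] as $account) {
        $client = $account['client'];
    }
    return $client === null ? null : (END_SESSION_ENDPOINTS[$client] ?? null);
}

/**
 * Proposed behaviour, step 1: at login, remember which client was used.
 * $session stands in for the user's server-side session store.
 */
function onLogin(array &$session, string $clientName): void
{
    $session['openid_connect_client'] = $clientName;
}

/**
 * Proposed behaviour, step 2: at logout, act only on the connected account
 * that matches the client recorded in the session. If the session carries no
 * client name (e.g. a local password login), no identity provider redirect
 * is performed at all.
 */
function redirectLogoutBySession(array &$session, string $username): ?string
{
    $client = $session['openid_connect_client'] ?? null;
    if ($client === null) {
        return null;
    }
    foreach (AUTHMAP[$username] ?? [] as $account) {
        if ($account['client'] === $client) {
            // Clear the marker so a later non-OIDC logout cannot reuse it.
            unset($session['openid_connect_client']);
            return END_SESSION_ENDPOINTS[$client] ?? null;
        }
    }
    // Connected account for the recorded client no longer exists.
    return null;
}

// Reproduction step 6: the user logged in with the first client (idp_a).
$session = [];
onLogin($session, 'idp_a');
echo 'By username: ', redirectLogoutByUsername('alice') ?? 'none', PHP_EOL; // idp_b endpoint (wrong)
echo 'By session:  ', redirectLogoutBySession($session, 'alice') ?? 'none', PHP_EOL; // idp_a endpoint

// Reproduction step 5: same user, logged in with the second client (idp_b).
onLogin($session, 'idp_b');
echo 'By session:  ', redirectLogoutBySession($session, 'alice') ?? 'none', PHP_EOL; // idp_b endpoint
```

In a real implementation the client name has to be read from the session before Drupal's logout destroys it, and the redirect should be skipped when the recorded client is no longer enabled or has no end session endpoint, which is what the `null` returns above model.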

Bug report
Status

Active

Version

3.0

Component

Code

Created by

mitrpaka (Finland)
