- Issue created by @ergonlogic
Comment by berenddeboer (New Zealand):
I've created a module for this: simple_oauth_logout. It cannot do a good job right now, but I'm waiting for a big PR in the issue queue here to pass before addressing that.
Our goal is to allow a user to logout on the Relying Party (RP), and then automatically log that user out of the OpenID Provider (OP) too, ideally redirecting back to the RP. For reference, see the OpenID Connect RP-Initiated Logout spec.
This spec references additional specs (e.g., OpenID Connect Front-Channel Logout and OpenID Connect Back-Channel Logout), which allow the OP to also log the user out of all other RPs. However, we suggest that is out of scope for this issue, and should be followed up in subsequent feature requests.
Current behaviour:
Desired behaviour:
The openid_connect module already supports end_session_endpoint config, and so can redirect to the OP after logout. We can point this to <OP_URL>/user/logout/confirm, and it will already provide the id_token_hint parameter in the URL. Likewise, it also supports redirect_logout config, which sets the post_logout_redirect_uri parameter on the end_session_endpoint URL.
So, a good starting point would probably be to just implement the basics of the spec in relation to how it defines the behaviour around those two parameters. This should result in the "Desired behaviour" outlined above.
Status: Active
Version: 6.0
Component: OpenID Connect
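The end_session_endpoint exchange described in the issue summary, as an added example that is not code from the openid_connect or simple_oauth_logout modules. It models both sides in Python rather than PHP: the RP builds the redirect with id_token_hint and post_logout_redirect_uri (plus state), and the OP verifies the hint, enforces exact-match registration of the redirect URI, refuses to end a session that does not match the hint's subject, and sends the user back with state. The issuer, client id, redirect URI, HS256 signing key and the REGISTERED_CLIENTS table are constructed for this example and are not taken from the page.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample deployment (hypothetical hosts, client and key).
OP_ISSUER = "https://op.example.com"
END_SESSION_ENDPOINT = OP_ISSUER + "/user/logout/confirm"   # the OP route named in the issue
OP_SIGNING_KEY = b"demo-only-hs256-key"                      # OP-side secret, demo only
RP_CLIENT_ID = "drupal-rp"
RP_POST_LOGOUT_URI = "https://rp.example.com/user/logout/done"

# What the OP knows about its clients. post_logout_redirect_uris are registered
# up front and matched by exact string comparison; anything else is dropped.
REGISTERED_CLIENTS = {
    RP_CLIENT_ID: {"post_logout_redirect_uris": [RP_POST_LOGOUT_URI]},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def op_issue_id_token(sub: str, aud: str = RP_CLIENT_ID) -> str:
    """Minimal HS256 ID Token the OP would have issued at login (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": OP_ISSUER, "sub": sub, "aud": aud}).encode())
    sig = hmac.new(OP_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def op_verify_id_token_hint(token: Optional[str]) -> Optional[dict]:
    """Return the claims if the hint was signed by this OP, else None.
    The spec allows the OP to accept a hint whose exp has passed, so exp is not checked."""
    if not token or token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    expected = hmac.new(OP_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    try:
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return None
    if claims.get("iss") != OP_ISSUER or "sub" not in claims or "aud" not in claims:
        return None
    return claims


def rp_build_end_session_url(id_token: str, state: str) -> str:
    """RP side: the redirect issued once the local (Drupal) session is destroyed."""
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": RP_POST_LOGOUT_URI,
        "client_id": RP_CLIENT_ID,
        "state": state,
    }
    return END_SESSION_ENDPOINT + "?" + urlencode(params)


def op_handle_end_session(url: str, current_session_sub: Optional[str]) -> dict:
    """OP side: decide what end_session_endpoint does for this request."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    claims = op_verify_id_token_hint(q.get("id_token_hint"))
    redirect = q.get("post_logout_redirect_uri")
    state = q.get("state")

    # When both are present, client_id must match the aud the token was issued to.
    if claims is not None and q.get("client_id") and q["client_id"] != claims["aud"]:
        return {"action": "reject", "redirect": None, "state": state}

    # Only a registered URI for the identified client may be used as the redirect.
    client_id = claims["aud"] if claims is not None else q.get("client_id")
    allowed = REGISTERED_CLIENTS.get(client_id, {}).get("post_logout_redirect_uris", [])
    if redirect not in allowed:
        redirect = None

    if claims is None:
        # No trustworthy hint: the OP should ask the user to confirm the logout.
        return {"action": "confirm", "redirect": redirect, "state": state}
    if current_session_sub is not None and claims["sub"] != current_session_sub:
        # Hint is for a different user: do not end the current session.
        return {"action": "confirm", "redirect": None, "state": state}

    # Hint matches the session: end it and send the user back to the RP with state.
    if redirect and state:
        redirect = redirect + "?" + urlencode({"state": state})
    return {"action": "logout", "ended_sub": claims["sub"], "redirect": redirect}
```

The state parameter is what lets the RP's post-logout page tie the return trip to the logout it started; the exact-match check on post_logout_redirect_uri is what keeps the OP's endpoint from being usable as an open redirector.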