feat: allow rewrite to be controlled by logout #324
Comments
|
It turns that for some OIDC IdPs, In my server, I've built something that's pretty hacky: On a per-IdP basis if the IdP is configured as "globalLogout: true", then it tries EndSession as an API call. If that fails, then it sets a variable that was passed down through Context. A higher-level middleware reads that variable ( That works for Keycloak. In the next few weeks, I'll learn what works for a number of the other IdPs out there. |
|
Closing as this can be solved by the new API proposed in #326 |
github-project-automation
bot
moved this from 🧐 Investigating
to ✅ Done
in Product Management
|
@muhlemmer Your suggestion is that the |
Is your feature request related to a problem? Please describe.
My auth server is a proxy: it is an OIDC server that proxies through to OIDC or SAML (as a client).
For
RevokeTokenandTerminateSessionto log you out from the upstream IdP when the upstream IdP is SAML, they need to be able to change the redirect.Describe the solution you'd like
Add an additional input parameter to both
RevokeTokenandTerminateSession:validatedRedirectURIwhich is the post-logout redirect URI that has already been validated.Add an additional output parameter: the redirect URI to use.
Most implementations would simply return the input parameter. For implementations where the OIDC OP is a SAML SP (proxy), the redirect URI can be rewritten to be a redirect to the SAML IdP with the original redirect embedded as SAML
RelayState.Describe alternatives you've considered
No library change:
I can build this by wrapping the calls: record what the OIDC library does in a
httptest.ResponseRecorderand then use that as a basis for a creating the actual response.Backwards compatible change:
Add new versions of
RevokeTokenandTerminateSessionwith new names that are optional implementations. If they're present, use them instead of the regular versions.The text was updated successfully, but these errors were encountered: