Feature #21137: When using OpenID authentication with SSO, redirect user to a logout URL after doing browser logout - Arvados

Feature #21137

https://openid.net/specs/openid-connect-rpinitiated-1_0.html 

 "An RP requests that the OP log out the End-User by redirecting the End-User's User Agent to the OP's Logout Endpoint. This URL is normally obtained via the end_session_endpoint element of the OP's Discovery response or may be learned via other mechanisms." 

 https://openid.net/specs/openid-connect-backchannel-1_0.html 

 "This specification defines a logout mechanism that uses direct back-channel communication between the OP and RPs being logged out; this differs from front-channel logout mechanisms, which communicate logout requests from the OP to RPs via the User Agent." 

 When the user visits the /logout endpoint and OpenID Connect authentication is in use: 

 * if the token looks like an OpenID connect token, try to invalidate it using backchannel logout  
 ??? endpoint 
 * return a redirect to @end_session_endpoint@ with the @post_logout_redirect_uri@ set to the original @redirect_to@ and @id_token_hint@ to the token

Back

Project

General

Profile

Arvados

Feature #21137