Add client_id and id_token_hint to IdP logout #493
Merged
+56
−8
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
julien-nc
previously requested changes
Aug 31, 2022
There was a problem hiding this comment.
Nice! Thanks for the PR. Nicely done.
I had trouble finding doc about why the client_id is needed but here it is: https://www.keycloak.org/docs/latest/release_notes/index.html#oidc-logout-changes
Could you sign your commits and rebase your branch on this project's master?
|
Thanks for the review! I've implemented the suggestions, rebased onto master, signed the commit, and added some more info on the use of the parameters. Should be good to go :) |
This adds two parameters to the end_session_endpoint IdP URL which the user gets redirected to when singleLogout is triggered. These paramters are: - client_id: the client ID of the current session's provider. 'OPTIONAL' as per the relevant OpenID specification. - id_token_hint: the raw id_token that was obtained during the code callback of this session's login flow (set in session variable `oidc.id_token`). 'RECOMMENDED' by the relevant OpenID specification [1]. Some providers (e.g. node-oidc-provider[2] and Keycloak[3]) require this when using the code OAuth flow. Because passing id_token_hint reveals the id_token to the user agent, a app setting was also added to optionally turn this behaviour off (default is turned on). Builds upon PR nextcloud#373 / issue nextcloud#336 Fixes issue nextcloud#449 [1]: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout [2]: https://github.com/panva/node-oidc-provider/blob/c243bf6b6663c41ff3e75c09b95fb978eba87381/lib/actions/end_session.js#L32 [3]: https://www.keycloak.org/docs/latest/release_notes/index.html#oidc-logout-changes Signed-off-by: Pieter Fiers <pieter@pfiers.net>
|
Argh, must've copy pasted that incorrectly, fixed now. Also fixed my commit author not matching the public key. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Edited to add links to docs/code examples
This adds two parameters to the end_session_endpoint IdP URL which the
user gets redirected to when singleLogout is triggered.
These paramters are:
as per the relevant OpenID specification.
callback of this session's login flow (set in session variable
oidc.id_token). 'RECOMMENDED' by the relevant OpenID specification 1.Some providers (e.g. node-oidc-provider 2 and Keycloak 3) require this when using the code OAuth flow.
Because passing id_token_hint reveals the id_token to the user agent, a
app setting was also added to optionally turn this behaviour off (default is
turned on).
Builds upon PR #373 / issue #336
Fixes issue #449
Signed-off-by: Pieter Fiers pieter@pfiers.net