Implement end_session_endpoint for RP-Initiated Logout

[mcginkel]

Expected Behavior
Implement the end_session endpoint to support rp initiated logout according to the spec in https://openid.net/specs/openid-connect-rpinitiated-1_0.html#rfc.section.2

Scope: implement MUST and enough SHOULD so the scenario described in context is supported

Current Behavior
Not yet supported.

Context
When I use the spring-authorization-server to facilitate aso via openid-connect, I am not aware of an alternative way to logout and return to the client app.
If I logout now in the client app I cannot add the OidcClientInitiatedLogoutSuccessHandler as described in
https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-advanced-oidc-logout

Expected work:

• Add '"end_session_endpoint"' to the OpenID Provider’s Discovery Metadata endpoint (/.well-known/openid-configuration)
• implement end_session_endpoint to initiate logout on the authorization server
• support Logout requests with id_token_hint (check validity)
• support Logout requests without a valid id_token_hint value: request confirmation screen
• support post_logout_redirect_uri
• include post_logout_redirect_uris at Client's Registration information
• optional: support state parameter

not yet in scope: (as it seems too much work for one issue)
"As part of the OP logging out the End-User, the OP uses the logout mechanism(s) registered by the RPs to notify any RPs logged in as that End-User that they are to likewise log out the End-User. RPs can use any of OpenID Connect Session Management 1.0 [OpenID.Session], OpenID Connect Front-Channel Logout 1.0 [OpenID.FrontChannel], and/or OpenID Connect Back-Channel Logout 1.0 [OpenID.BackChannel] to receive logout notifications from the OP, depending upon which of these mechanisms the OP and RPs mutually support."

[mcginkel]

And I would be interested in helping to implement this feature

[jgrandja]

Thanks for the detailed report @mcginkel !

We will need to implement this feature.

However, the focus at this time is the login-specific features before we build out the logout features, since the initial implementation of OIDC is quite minimal.

I'll be sure to reach out when we are ready to implement this.

If you see another login-specific feature you would like to work on then please let me know and we'll figure out the scheduling for it.

[phuongdpham]

Hi @jgrandja,
Will we have logout endpoint at this moment?

[jgrandja]

@phuongdpham This issue is still on hold. Please see previous comment for additional details.

[phuongdpham]

@jgrandja yeah, so how can we logout or disable current session for user logged in right now? Thanks,

[jgrandja]

@phuongdpham

how can we logout or disable current session for user logged in

The question you have does not seem directly related to the end_session_endpoint defined by OpenID Connect. As well, questions are better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.

Please see the Spring Security reference for Handling Logouts.

[phuongdpham]

@jgrandja

Thanks,

[vakho10]

@jgrandja Hi, will this feature be implemented in near future? This seems like a necessary feature doesn't it? :) I would love to have that functionality.

[jgrandja]

@vakho10 We're planning on building out OIDC specific features after we release 0.3.0. I don't have a timeline for this feature yet.

[137709772]

@vakho10 We're planning on building out OIDC specific features after we release 0.3.0. I don't have a timeline for this feature yet.

don't have a timeline for this feature yet，Now, How to log out of the client website and the oauth2 authorization server when using oauth2login

[sahariardev]

hi @jgrandja,
I want to work on this issue. Is it available?

[137709772]

now,I use twice logout ,one send to client ,other send to oauth server