
Support endSession for Auth0 (not conform OIDC endpoint) #1197

Closed
jochenjonc opened this issue Jul 15, 2021 · 7 comments

Comments

@jochenjonc

When switching from v11 to v12 I noticed that after a logout I was no longer redirected to the logout url.

In the console debug log I found: "only local login cleaned up, no end_session_endpoint".

The cause is that the end_session_endpoint cannot be found in the .well-known/openid-configuration from Auth0.

I have two questions:

  1. Why, if there is no end_session_endpoint, is there no redirect after logout?
  2. Is there a workaround?

    const endSessionUrl = this.getEndSessionUrl(configId, customParams);
    this.resetAuthDataService.resetAuthorizationData(configId);
    if (!endSessionUrl) {
      this.loggerService.logDebug(configId, 'only local login cleaned up, no end_session_endpoint');
      return;
    }

    const endSessionEndpoint = authWellKnownEndPoints?.endSessionEndpoint;
    if (!endSessionEndpoint) {
      return null;
    }

@FabianGosebrink
Collaborator

So you are running with auth0 I think. Can you post your config? Take care of erasing sensitive data before posting :)

@jochenjonc
Author

Here's my config:

    const openIdConfig: OpenIdConfiguration = {
      authority: 'https://****.eu.auth0.com',
      redirectUrl: 'http://localhost:4200',
      postLogoutRedirectUri: 'http://localhost:4200',
      clientId: '********************************',
      scope: 'openid profile offline_access email',
      responseType: 'code',
      silentRenew: true,
      useRefreshToken: true,
      customParamsRefreshTokenRequest: {
        scope: 'openid profile offline_access email'
      },
      logLevel: environment.production ? LogLevel.Error : LogLevel.Debug,
      postLoginRoute: '/',
      forbiddenRoute: '/forbidden',
      unauthorizedRoute: '/unauthorized',
      historyCleanupOff: true,
      triggerAuthorizationResultEvent: true
    };

Btw, at the moment I fixed it with the following code:

    this.oidcSecurityService.logoffAndRevokeTokens().subscribe((result) => {

      if (!this.oidcSecurityService.getConfiguration().authWellknownEndpoints?.endSessionEndpoint) {
        const logoutRedirect = this.oidcSecurityService.getConfiguration().postLogoutRedirectUri;

        if (logoutRedirect) {
          this.document.location.href = logoutRedirect;
        }
      }
    });

And I did some research and found the following in a Svelte library: https://github.com/dopry/svelte-oidc/blob/5401fed67175c6cdb512dca788cb2aba7bda8378/src/components/OidcContext.svelte#L83

@FabianGosebrink
Collaborator

That comment says what I thought but did not hope for 😂. Hmm... alright, this is a bug then. We have to look into this.

@FabianGosebrink
Collaborator

FabianGosebrink commented Jul 20, 2021

@jochenjonc if you want you can review the PR. What do you think? @damienbod what do you think?

@damienbod damienbod added question and removed bug labels Jul 20, 2021
@damienbod
Owner

Hi @jochenjonc

If there is no end_session_endpoint, the postLogoutRedirectUri is not used. This parameter is what the STS or the IDP, in your case Auth0, would redirect to after the end_session_endpoint has been requested. The IDP uses this to redirect back to the client once the sign-out is complete on the server. Since this is not supported, it is not used, which is correct. Your solution is good, but of course you are still logged in on the server.

Greetings Damien
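The two logout paths Damien describes, as an added example (not the library's own code; the interfaces, the `planLogout` function and the sample discovery document are constructed for illustration): when the discovery document carries an end_session_endpoint the client builds an OIDC RP-initiated logout URL with `id_token_hint`, `post_logout_redirect_uri` and `state`; when it does not, only local state can be cleared and any redirect is purely client-side, so the IdP session survives.

```typescript
// Shape of the fields we need from .well-known/openid-configuration (constructed subset).
interface DiscoveryDocument {
  end_session_endpoint?: string;
}

// Client-side logout inputs (constructed; mirrors postLogoutRedirectUri from the config above).
interface LogoutInput {
  postLogoutRedirectUri?: string;
  idToken?: string;
  state?: string;
}

// 'rp-initiated': the IdP ends its session and then redirects back to the client.
// 'local-only': no end_session_endpoint, so only local tokens are dropped; the user
// is still signed in at the IdP and a later authorize call will log them back in silently.
type LogoutPlan =
  | { kind: 'rp-initiated'; url: string; idpSessionEnded: true }
  | { kind: 'local-only'; url?: string; idpSessionEnded: false };

function planLogout(doc: DiscoveryDocument, input: LogoutInput): LogoutPlan {
  const endpoint = doc.end_session_endpoint;
  if (!endpoint) {
    // Same situation as the "only local login cleaned up" debug message:
    // a redirect to postLogoutRedirectUri here is cosmetic, not a server-side sign-out.
    return { kind: 'local-only', url: input.postLogoutRedirectUri, idpSessionEnded: false };
  }
  if (!endpoint.startsWith('https://')) {
    // The logout request carries the id_token; never send it over plain HTTP.
    throw new Error('end_session_endpoint must use https');
  }
  const params: string[] = [];
  if (input.idToken) params.push(`id_token_hint=${encodeURIComponent(input.idToken)}`);
  if (input.postLogoutRedirectUri) {
    params.push(`post_logout_redirect_uri=${encodeURIComponent(input.postLogoutRedirectUri)}`);
  }
  if (input.state) params.push(`state=${encodeURIComponent(input.state)}`);
  const separator = endpoint.includes('?') ? '&' : '?';
  const url = params.length ? `${endpoint}${separator}${params.join('&')}` : endpoint;
  return { kind: 'rp-initiated', url, idpSessionEnded: true };
}
```

The `state` value should be generated per logout and checked when the IdP redirects back, exactly as for the authorize request.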

@damienbod
Owner

damienbod commented Jul 20, 2021

Looks like Auth0 does not support an OIDC-conformant endsession.

IdentityModel/oidc-client-js#1067

@damienbod damienbod changed the title When there is no endSessionEndpoint in the Auth0 .well-known/openid-configuration Support endSession for Auth0 (not conform OIDC endpoint) Jul 20, 2021
@damienbod
Owner

Added a fix for this in version 12.0.2, thanks for reporting.
