[Feature Request]: Adding logoff POST call

[danielebonfatti]

Hi all,
since the OpenID specs https://openid.net/specs/openid-connect-rpinitiated-1_0.html say that

OpenID Providers MUST support the use of the HTTP GET and POST methods defined in RFC 7231 [RFC7231] at the Logout Endpoint

and some OpenID Providers expose also the POST endpoint, would be possible to add the possibility to call logoff with POST method, in a configurable way?
At the moment the call is always a GET (logoff-revocation.service.ts):

// Logs out on the server and the local client.
// If the server state has changed, check session, then only a local logout.
logoff(config: OpenIdConfiguration, allConfigs: OpenIdConfiguration[], authOptions?: AuthOptions): void {
  const { urlHandler, customParams } = authOptions || {};

  this.loggerService.logDebug(config, 'logoff, remove auth ');

  const endSessionUrl = this.getEndSessionUrl(config, customParams);

  this.resetAuthDataService.resetAuthorizationData(config, allConfigs);

  if (!endSessionUrl) {
    this.loggerService.logDebug(config, 'only local login cleaned up, no end_session_endpoint');

    return;
  }

  if (this.checkSessionService.serverStateChanged(config)) {
    this.loggerService.logDebug(config, 'only local login cleaned up, server session has changed');
  } else if (urlHandler) {
    urlHandler(endSessionUrl);
  } else {
    this.redirectService.redirectTo(endSessionUrl);
  }
}

Our security office told us not to use the GET call for "security reasons". Basically it is a prudential position due to the fact that my company belongs to a bigger group. They claim that passing any kind of information in clear is somehow a potential threat to the security, even if the data passed is not critical.

Thank you in advance

Best regards

[damienbod]

This makes sense. We will added support for HTTPs POST logout

Per default => POST
Per config => use GET

?

[danielebonfatti]

Sounds good, thank you.
Do you have any plan (even rough) about the realease of this feature?

[FabianGosebrink]

We have not even started implementing it :), But it does make sense. We will provide appropriate methods. I think I can start on the weekend at the latest. Thanks!

[danielebonfatti]

Thanks @FabianGosebrink

[fritzwf]

The documents say that you can subscribe on logoff(), but it doesn't seem to be there anymore. Isn't the logoff() operation asynchronous since it interacts with the OIDC server?

[FabianGosebrink]

Where do the docs tell that you can subscribe to a logoff? Could not find it. Thanks. Yes it is asynchronous, but as you are getting redirected, we are doing this internally. Would you like to have got the observable passed out, so that you can subscribe to it?

[FabianGosebrink]

This makes sense. We will added support for HTTPs POST logout

Per default => POST
Per config => use GET

?

This would change the default behavior, as the default is GET now.

[damienbod]

Lets leave this default => GET

set a new config, can use a POST

good?