Logging out of OpenID Connect provider #14270

Open
flortsch opened this issue Jan 6, 2021 · 8 comments · May be fixed by #30072
Labels
type/enhancement An improvement of existing functionality type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@flortsch

flortsch commented Jan 6, 2021

Description

If you log in to Gitea using an OpenID Connect provider (e.g., Keycloak) and log out again, you are logged out of Gitea, but you are still logged in at your OpenID provider. Clicking on the OpenID login button on the Gitea page will automatically log you back into the same account. It should be possible to also log out at the OpenID provider. Keycloak, as an example, provides a logout endpoint where you can log out from the OpenID provider and redirect back to the application, which could be used by Gitea when logging out (e.g., https://your-keycloak.com/auth/realms/example-realm/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fyour-gitea.com%2F).

Related issue in past: #12374

@flortsch flortsch changed the title Logging out of OpenID provider Logging out of OpenID Connect provider Jan 6, 2021
@zeripath
Contributor

zeripath commented Jan 7, 2021

I didn't realise that there were specs for this - but:

https://medium.com/@robert.broeckelmann/openid-connect-logout-eccc73df758f

https://curity.io/resources/architect/openid-connect/openid-connect-logout/
https://openid.net/specs/openid-connect-frontchannel-1_0.html
https://openid.net/specs/openid-connect-backchannel-1_0.html

may be helpful for implementation.

@techknowlogick techknowlogick added type/enhancement An improvement of existing functionality type/proposal The new feature has not been accepted yet but needs to be discussed first. labels Jan 10, 2021
@Baitanik

This comment was marked as duplicate.

@kimdre

This comment was marked as duplicate.

@Adphi

Adphi commented Nov 20, 2023

Perhaps the simplest way to implement this is to use the RP-Initiated Logout spec.

@qworkz11

qworkz11 commented Jan 5, 2024

Hi,
is there a workaround in order to achieve a logout at the OIDC provider until this feature is implemented?

@helmut72

helmut72 commented Feb 9, 2024

I also miss this feature. And adding the name field in Keycloak (my full name) to the Gitea full name.

@de-johannes

de-johannes commented Mar 5, 2024

@qworkz11 A workaround which could work:

Change the data-url in

<a class="item link-action" href data-url="{{AppSubUrl}}/user/logout">

of your local gitea to

https://keycloak.example.com/realms/MYREALM/protocol/openid-connect/logout?post_logout_redirect_uri=https://myapp.example.com&client_id=myclient

EDIT - my fault: that does not work, as the Gitea cookies persist. Perhaps it works with editing the logout handler

// Handle logout

with something like

```go
	// Handle logout
	if event.Name == "logout" {
		if ctx.Session.ID() == event.Data {
			// Tell this browser tab that it is the one that logged out
			_, _ = (&eventsource.Event{
				Name: "logout",
				Data: "here",
			}).WriteTo(ctx.Resp)
			ctx.Resp.Flush()
			go unregister()
			auth.HandleSignOut(ctx)
			// Set post logout redirect single logout Keycloak-uri here
			keycloakLogoutURL := "https://keycloak.example.com/realms/MYREALM/protocol/openid-connect/logout?post_logout_redirect_uri=https://myapp.example.com&client_id=myclient"
			// Caveat: the event-stream response was already flushed above, so net/http
			// cannot send the redirect status and Location header at this point; the
			// browser-side listener for the "here" event would have to navigate instead.
			ctx.Redirect(keycloakLogoutURL)
			break loop
		}
		// Replace the event - we don't want to expose the session ID to the user
		event = &eventsource.Event{
			Name: "logout",
			Data: "elsewhere",
		}
	}
```

But I don't know how to edit this on a local machine.
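For the RP-Initiated Logout flow raised in the description and by Adphi, and the hand-built Keycloak URL in the workaround above, here is an added Go example (not Gitea's code or the linked pull request) that reads `end_session_endpoint` from the provider's discovery document and builds the logout URL with properly encoded `post_logout_redirect_uri`, `client_id`, `id_token_hint` and `state` parameters. The endpoint and client values are assumed placeholders; a provider without `end_session_endpoint` is reported as an error so the caller can fall back to a local-only logout.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// discoveryDoc holds the one field we need from /.well-known/openid-configuration.
type discoveryDoc struct {
	EndSessionEndpoint string `json:"end_session_endpoint"`
}

// EndSessionEndpoint extracts end_session_endpoint from a discovery document.
// Providers that do not support RP-Initiated Logout omit the field.
func EndSessionEndpoint(discoveryJSON []byte) (string, error) {
	var d discoveryDoc
	if err := json.Unmarshal(discoveryJSON, &d); err != nil {
		return "", fmt.Errorf("parse discovery document: %w", err)
	}
	if d.EndSessionEndpoint == "" {
		return "", errors.New("provider advertises no end_session_endpoint")
	}
	return d.EndSessionEndpoint, nil
}

// RPInitiatedLogoutURL builds the URL the browser is sent to after the local
// session has been destroyed. idTokenHint is the ID token received at login;
// postLogoutRedirect must be pre-registered at the provider for the client.
func RPInitiatedLogoutURL(endSession, idTokenHint, clientID, postLogoutRedirect, state string) (string, error) {
	u, err := url.Parse(endSession)
	if err != nil || u.Scheme != "https" {
		return "", fmt.Errorf("invalid end_session_endpoint %q", endSession)
	}
	q := u.Query()
	if idTokenHint != "" {
		q.Set("id_token_hint", idTokenHint)
	}
	q.Set("client_id", clientID)
	q.Set("post_logout_redirect_uri", postLogoutRedirect) // Encode() percent-escapes it
	if state != "" {
		q.Set("state", state) // opaque value to verify on return to the app
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}
```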

@jlehtoranta jlehtoranta linked a pull request Mar 25, 2024 that will close this issue
@jlehtoranta

I decided to enhance and polish my basic implementation, which I was using for private purposes. It actually took quite a bit of time, since the Gitea code wasn't as ready for this as I first thought. Also there are always quite many error cases and action paths to take care of when implementing SLO. I think the code should be on review level now, so any additional testing is appreciated. Please note that there's one database migration, so I don't recommend testing on production databases before the pull request gets merged.


10 participants