Allow overriding OIDC logout endpoint (for IdP with non-standard logout endpoint) #782
Comments
I would say this is something reasonable to add. @dsagal do you agree? Would you be keen to add this feature? I feel like it is not hard to implement.
Yes, I think so. I saw a similar issue earlier at IdentityModel/oidc-client-js#1067.
My above comment was not clear, I wanted to know whether you, @jyio, would like to implement? I would be glad to help if so.
I'd be happy to, and actually got it working just by modifying app/server/lib/OIDCConfig.ts (not hard to implement, as you hinted). I'd like to run a couple of things by you.
Thank you :)
Thanks @jyio! ❤️
IMHO
I don't understand this question (especially the
I agree with your proposal
There is currently no unit test for this module. The more I think of this, the more I feel like it lacks some.
Exactly ✔️ !
Thanks for your input! PR is forthcoming. Documentation would come after. Aha, I wasn't sure about the

```ts
this._skipEndSessionEndpoint = section.flag('endSessionEndpoint').readBool({
  envVar: 'GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT',
  defaultValue: false,
})!;
```

I see that
Huh, I wrote this, my bad 😶! Here: `grist-core/app/server/lib/OIDCConfig.ts`, lines 97 to 100 in a3161f6
I'd suggest to change Once this fix is done, just call
Now I'm adding to the help file, but did not touch the Auth0 example because I'm unsure about something and don't have an Auth0 instance to check for myself -- Does Auth0 conform with RP-Initiated Logout or not? Their documentation says yes, but I could not reproduce their example:

```shell
curl -X GET https://acme.eu.auth0.com/.well-known/openid-configuration
```

```json
{
  "issuer": "https://acme.eu.auth0.com/",
  "authorization_endpoint": "https://acme.eu.auth0.com/authorize",
  ...
  "end_session_endpoint": "https://acme.eu.auth0.com/oidc/logout"
}
```

If Auth0 did actually conform with RP-Initiated Logout, then there should be no need to change the example. If not, then I'd expect the example config to elicit a complaint from Grist about
I don't either, but the documentation is clear that this is how it should work. Too bad that their own example isn't working, but reading the note "Once you have contacted Auth0 Support to enable endpoint discovery..." it's probably the case that it needs to be enabled, at least on existing Auth0 accounts. In short, it seems to me OK to leave the example as is. For new Auth0 accounts it should work fine; for those without the endpoint enabled, people can either contact Auth0 support to enable it, or use the new env var, and both ways can be found by Googling. Thanks for looking into it!
That's indeed what I observed. AFAICT, we have 3 possibilities to logout with Auth0:
Thank you for implementing this feature and for the documentation @jyio! |
Thank you for adding OIDC support! It works very well.
Now, in this episode, I'm using Grist with Authelia as OIDC IdP. Authelia does not currently support RP-initiated logout, so Grist complains `The Identity provider does not propose end_session_endpoint. If that is expected, please set GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true.` Of course, setting `GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true` makes the error go away, but logging out of Grist does not log out of the IdP. Although Authelia does not fully support RP-initiated logout, it does have a logout endpoint that RPs could redirect to. Wouldn't it be great if there were a way to specify a non-standard logout endpoint, similar to `GRIST_SAML_IDP_LOGOUT` or `GRIST_FORWARD_AUTH_LOGOUT_PATH`? I get that this is the IdP's shortcoming, so you'd be justified in declaring this issue out of your scope. But this could be an opportunity to improve compatibility, since RP-initiated logout is not part of the core OIDC specification. It might be a good idea to investigate other IdPs with non-standard logout endpoints, to determine a general approach that would work with most.

That said... let me share a workaround for Authelia 😉

Simply configure your reverse proxy to redirect `/o/*/signed-out` to `https://authelia.example.com/logout` or `https://authelia.example.com/logout?rd=https://grist.example.com`. Here's my Caddy configuration:

That's not perfect, either, since Authelia might not actually redirect back, but this would have to do for now.