
Implement end_session_endpoint for RP-Initiated Logout #266

Closed
mcginkel opened this issue Mar 24, 2021 · 24 comments

@mcginkel

Expected Behavior
Implement the end_session endpoint to support rp initiated logout according to the spec in https://openid.net/specs/openid-connect-rpinitiated-1_0.html#rfc.section.2

Scope: implement MUST and enough SHOULD so the scenario described in context is supported

Current Behavior
Not yet supported.

Context
When I use the spring-authorization-server to facilitate SSO via openid-connect, I am not aware of an alternative way to logout and return to the client app.
If I logout now in the client app I cannot add the OidcClientInitiatedLogoutSuccessHandler as described in
https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-advanced-oidc-logout

Expected work:

  • Add "end_session_endpoint" to the OpenID Provider's Discovery Metadata endpoint (/.well-known/openid-configuration)
  • implement end_session_endpoint to initiate logout on the authorization server
  • support Logout requests with id_token_hint (check validity)
  • support Logout requests without a valid id_token_hint value: request confirmation screen
  • support post_logout_redirect_uri
  • include post_logout_redirect_uris at Client's Registration information
  • optional: support state parameter

Not yet in scope (as it seems too much work for one issue):
"As part of the OP logging out the End-User, the OP uses the logout mechanism(s) registered by the RPs to notify any RPs logged in as that End-User that they are to likewise log out the End-User. RPs can use any of OpenID Connect Session Management 1.0 [OpenID.Session], OpenID Connect Front-Channel Logout 1.0 [OpenID.FrontChannel], and/or OpenID Connect Back-Channel Logout 1.0 [OpenID.BackChannel] to receive logout notifications from the OP, depending upon which of these mechanisms the OP and RPs mutually support."
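The MUST/SHOULD items listed above, modelled on the OP side as an added example (not code from Spring Authorization Server or from the issue author): a constructed HS256-signed id_token, one constructed registered client, and a handler that validates the id_token_hint, falls back to a confirmation screen when no trusted hint is present, redirects only to an exactly matching registered post_logout_redirect_uri, and echoes state.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

# Constructed demo values: an issuer, a shared HS256 secret and one registered client.
ISSUER = "https://auth.example.test"
SIGNING_SECRET = b"constructed-demo-secret"
REGISTERED_CLIENTS = {
    "messaging-client": {"post_logout_redirect_uris": ["https://app.example.test/logged-out"]},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(client_id: str, exp: int) -> str:
    """Mint a minimal HS256 id_token as this demo OP would have issued it at login."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "aud": client_id, "sub": "user1", "exp": exp}).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token_hint(token: str):
    """Return the client_id (aud) if the hint is genuinely this OP's token, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") not in REGISTERED_CLIENTS:
        return None
    return claims["aud"]  # an expired token is still a usable hint; only origin matters

def handle_end_session(params: dict) -> dict:
    """Decide the OP's response to a request at end_session_endpoint."""
    client_id = validate_id_token_hint(params.get("id_token_hint", ""))
    redirect = params.get("post_logout_redirect_uri")
    if client_id is None:
        return {"action": "confirm"}  # no trusted hint: show a confirmation screen first
    if redirect is None:
        return {"action": "logout", "redirect": None}
    # Exact-string match against the client's registered URIs blocks open redirects.
    if redirect not in REGISTERED_CLIENTS[client_id]["post_logout_redirect_uris"]:
        return {"action": "error", "reason": "post_logout_redirect_uri not registered"}
    query = {"state": params["state"]} if "state" in params else {}
    return {"action": "logout", "redirect": redirect + ("?" + urlencode(query) if query else "")}
```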

@mcginkel mcginkel added the type: enhancement A general enhancement label Mar 24, 2021
@mcginkel
Author

And I would be interested in helping to implement this feature

@jgrandja
Collaborator

Thanks for the detailed report @mcginkel !

We will need to implement this feature.

However, the focus at this time is the login-specific features before we build out the logout features, since the initial implementation of OIDC is quite minimal.

I'll be sure to reach out when we are ready to implement this.

If you see another login-specific feature you would like to work on then please let me know and we'll figure out the scheduling for it.

@jgrandja jgrandja added the status: on-hold We can't start working on this issue yet label Mar 26, 2021
@phuongdpham

Hi @jgrandja,
Will we have a logout endpoint at this moment?

@jgrandja
Collaborator

@phuongdpham This issue is still on hold. Please see previous comment for additional details.

@phuongdpham

@jgrandja yeah, so how can we logout or disable current session for user logged in right now? Thanks,

@jgrandja
Collaborator

jgrandja commented Nov 26, 2021

@phuongdpham

how can we logout or disable current session for user logged in

The question you have does not seem directly related to the end_session_endpoint defined by OpenID Connect. As well, questions are better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.

Please see the Spring Security reference for Handling Logouts.

@phuongdpham

@jgrandja

Thanks,

@vakho10

vakho10 commented Apr 26, 2022

@jgrandja Hi, will this feature be implemented in near future? This seems like a necessary feature doesn't it? :) I would love to have that functionality.

@jgrandja
Collaborator

@vakho10 We're planning on building out OIDC specific features after we release 0.3.0. I don't have a timeline for this feature yet.

@137709772

@vakho10 We're planning on building out OIDC specific features after we release 0.3.0. I don't have a timeline for this feature yet.

Don't have a timeline for this feature yet. Now, how to log out of the client website and the OAuth2 authorization server when using oauth2login?

@sahariardev
Contributor

hi @jgrandja,
I want to work on this issue. Is it available?

@137709772

Now I use two logouts, one sent to the client, the other sent to the OAuth server.

@jgrandja
Collaborator

@sahariardev This feature is still on hold. We have a few higher priority items that need to be completed first.

@monstrfolk

Any updates on this feature?

@jgrandja
Collaborator

jgrandja commented Oct 4, 2022

@monstrfolk No update as of now. After we release 1.0.0, we'll figure out what features will go into 1.1.0.

@mrFlick72

mrFlick72 commented Dec 15, 2022

hi guys

I have in my personal application VAuthenticator my own implementation of front channel single logout.

https://github.com/VAuthenticator/vauthenticator/blob/master/src/main/kotlin/com/vauthenticator/server/oidc/logout/OidcEndOfSession.kt

I do not know, but it is possible that I made some mistake or misunderstanding reading the RFC.
Feedback is welcomed; I will be happy to contribute completing the missing points and/or fixing the issue.

@jgrandja jgrandja changed the title Implement end_session endpoint for rp initiated logout Implement end_session_endpoint for RP-Initiated Logout Jan 5, 2023
@jgrandja jgrandja self-assigned this Jan 12, 2023
@jgrandja jgrandja moved this to Planning in Spring Security Team Jan 12, 2023
@rwinch rwinch moved this from Planning to Prioritized in Spring Security Team Jan 12, 2023
@Scarange

Exciting to see it be moved from Planning to Prioritized.

@jgrandja jgrandja removed the status: on-hold We can't start working on this issue yet label Jan 16, 2023
@jgrandja
Collaborator

@mcginkel We're going to start working on this feature. Are you still interested and available to work on this feature? No worries if you're not available as I can take it on. I wanted to reach out either way.

@jgrandja jgrandja moved this from Prioritized to In Progress in Spring Security Team Jan 26, 2023
@maradanasai

This feature is very much needed for us. Kindly release it ASAP.

jgrandja added a commit to jgrandja/spring-authorization-server that referenced this issue Feb 14, 2023
@jgrandja jgrandja added this to the 1.1.0-M1 milestone Feb 14, 2023
jgrandja added a commit to jgrandja/spring-authorization-server that referenced this issue Feb 17, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Done in Spring Security Team Feb 17, 2023
@brankoiliccc

Huge release. Thanks

@imaxkhan

Hi, when do we have this feature on Maven?

@jgrandja
Collaborator

@imaxkhan The 1.1.0 release is scheduled May 16. See release dates.

@imaxkhan

@imaxkhan The 1.1.0 release is scheduled May 16. See release dates.

Thanks, that's awesome.

@imaxkhan

imaxkhan commented May 3, 2023

Hi,
I just built authorization server 1.1.0-RC from source code and added it to the federated sample as a dependency.
I have a Zuul API gateway which is registered in the authorization server, and my authorization server is federated with Azure B2C.
I checked the discovery endpoint; now I have the token revoke and end session APIs.
I have two problems:
1. The token is not deleted when I initiate logout from the gateway.
2. Is there any way that I log out the user from Azure B2C too? Or do I have to write custom code? If so, how should I implement such a federated logout mechanism?
And one more thing: this new release on May 16 only works with the following dependency:

```xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-core</artifactId>
    <version>6.1.0-RC1</version>
</dependency>
```
