FusionAuth

    Does the /oauth2/logout endpoint log the user out of FusionAuth?

    General Discussion
    yb98

      I am currently trying to trigger a global logout using the /oauth2/logout endpoint.

      However, it seems that when I execute the following URL: https://.../oauth2/logout?client_id=27c57f2e-1b0f-4596-b742-e7e8d7d80fa3, the user's fusionauth.sso cookie is removed and they are signed out of all OAuth 2.0 applications except for FusionAuth (which I believe relies on the fusionauth.session cookie). If, however, I replace the client_id with that of FusionAuth, then I do get logged out of all applications, FusionAuth included. The only problem with the second approach is that I can no longer use any post_logout_redirect_url arguments, as the FusionAuth application's list of authorized redirect URLs cannot be edited. I did come up with a partial solution by configuring my network to remove the fusionauth.session cookie, but that just removes the cookie from the browser, not the session itself.

      Is this behaviour intentional? Thanks!

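      The behaviour described in the post above can be checked directly rather than by watching the browser: call /oauth2/logout with a given client_id, do not follow the redirect, and look at which cookies the response actually expires. The script below is an added example written for this thread, not FusionAuth's own code. It builds the logout URL (using the `post_logout_redirect_uri` parameter name from FusionAuth's OAuth documentation; the post spells it `post_logout_redirect_url`), and it classifies Set-Cookie headers as "cleared" when they carry Max-Age<=0 or an Expires date in the past. The two sample header sets are constructed to mirror the two outcomes the post reports (application client_id clears only fusionauth.sso; FusionAuth's client_id clears both cookies); they are not captured from a real server, and the exact attributes FusionAuth sets are an assumption.

```python
"""Inspect which FusionAuth session cookies a /oauth2/logout response expires.

Added example for this thread (not FusionAuth project code). Sample headers
below are constructed, not captured from a real FusionAuth instance.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import CookieError, SimpleCookie
from urllib.error import HTTPError
import urllib.request
from urllib.parse import urlencode

# Cookie names taken from the post: fusionauth.sso backs the SSO session used by
# OAuth clients, fusionauth.session backs the login to the FusionAuth admin UI.
SSO_COOKIE = "fusionauth.sso"
ADMIN_COOKIE = "fusionauth.session"


def build_logout_url(base_url, client_id, post_logout_redirect_uri=None):
    """Build the /oauth2/logout URL; post_logout_redirect_uri is optional."""
    params = {"client_id": client_id}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    return f"{base_url.rstrip('/')}/oauth2/logout?{urlencode(params)}"


def cleared_cookies(set_cookie_headers, now=None):
    """Return the names of cookies these Set-Cookie headers expire.

    A cookie counts as cleared when Max-Age <= 0 or Expires is in the past;
    a malformed header is skipped rather than aborting the check.
    """
    now = now or datetime.now(timezone.utc)
    cleared = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        try:
            jar.load(header)
        except CookieError:
            continue
        for name, morsel in jar.items():
            max_age = morsel["max-age"]
            expires = morsel["expires"]
            if max_age != "" and int(max_age) <= 0:
                cleared.add(name)
            elif expires:
                try:
                    when = parsedate_to_datetime(expires)
                except (TypeError, ValueError):
                    continue
                if when.tzinfo is None:
                    when = when.replace(tzinfo=timezone.utc)
                if when <= now:
                    cleared.add(name)
    return cleared


def logout_coverage(set_cookie_headers):
    """Summarise whether the SSO and admin-UI cookies were both expired."""
    cleared = cleared_cookies(set_cookie_headers)
    return {"sso_cleared": SSO_COOKIE in cleared, "admin_cleared": ADMIN_COOKIE in cleared}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the logout redirect so we keep its headers."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_set_cookie_headers(logout_url, cookie_header):
    """Send the logout request with the browser's cookies; return its Set-Cookie headers.

    Network helper only (not exercised offline): the 3xx response surfaces as
    HTTPError once redirects are disabled, and its headers are what we need.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(logout_url, headers={"Cookie": cookie_header})
    try:
        with opener.open(req) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except HTTPError as err:
        return err.headers.get_all("Set-Cookie") or []


# Constructed samples mirroring the two outcomes reported in the post.
APP_LOGOUT_HEADERS = [
    "fusionauth.sso=; Max-Age=0; Path=/; HttpOnly; Secure",
]
ADMIN_LOGOUT_HEADERS = [
    "fusionauth.sso=; Max-Age=0; Path=/; HttpOnly; Secure",
    "fusionauth.session=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly",
]

if __name__ == "__main__":
    url = build_logout_url("https://auth.example.com",
                           "27c57f2e-1b0f-4596-b742-e7e8d7d80fa3",
                           "https://app.example.com/")
    print(url)
    print("app client_id:", logout_coverage(APP_LOGOUT_HEADERS))
    print("FusionAuth client_id:", logout_coverage(ADMIN_LOGOUT_HEADERS))
```

      To run it against a real instance, pass `fetch_set_cookie_headers(url, "fusionauth.sso=...; fusionauth.session=...")` into `logout_coverage` with the cookie values copied from a logged-in browser session; a server-side session can still be live even when the cookie is gone from the browser, so this check only tells you what the server asked the client to drop.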
      dan @yb98

        @yb98

        Hmmm. It certainly seems like a bug or at least something worth documenting.

        What version of FusionAuth are you running?

        What is the setting for Logout Behavior for your application?

        Is the user who is logging out "registered" for all the applications, including FusionAuth?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        dan

          I filed a bug: https://github.com/FusionAuth/fusionauth-issues/issues/1699

          Please feel free to add any more color or info.


          yb98 @dan

            @dan Hi Dan, thanks for the reply.
            To answer your questions:

            1. I am using FusionAuth version 1.28.1
            2. Logout Behaviour for every configured application is set to "All Applications"
            3. The user who is logging out is registered to all applications, including FusionAuth.

            Could this also be due to the fact that the "logout url" for FusionAuth's oauth configuration is set to "/admin" instead of "/admin/logout"?
            Thanks.

            dan @yb98

              @yb98 Can you comment on the bug I opened with more details about why you want to log folks out of FusionAuth?

              https://github.com/FusionAuth/fusionauth-issues/issues/1699


              yb98 @dan

                @dan Thanks, I just commented.

                dan @yb98

                  @yb98 Awesome, thanks.

                  After some internal discussion, we're documenting this as a known limitation of FusionAuth, here: https://fusionauth.io/docs/v1/tech/reference/limitations#oauth-logout-behavior

                  Sounds like you have some workarounds. If you feel strongly this is the incorrect behavior, please feel free to file an issue and reference this post or the GH issue (it always means more coming from a user). Can't promise we'll change it, but we do welcome your feedback.


                  yb98 @dan

                    @dan Thanks for the reply Dan, I'll go ahead and discuss this with my team before we go any further.

                    Just to double check, could the FusionAuth team revise this document's flow chart of the logout request if it's no longer correct? https://fusionauth.io/docs/v1/tech/guides/single-sign-on, or perhaps specify that the Logout request is specific to the FusionAuth app, not Pied Piper? Thanks.

