Clarification on OAuth/OIDC logout endpoint



  • We have a head scratcher here that we'd love some clarification on regarding the OAuth/OIDC logout endpoint (/oauth2/logout).

    In the docs for the endpoint it says:

    Since 1.10.0 The logout behavior follows that of the OpenID Connect Front-Channel Logout specification. Additionally, the logoutUrl used for each application is determined as follows: The logoutUrl of the Application is used, if that isn’t set then the logoutUrl of the Tenant is used.

    Looking at that spec it says:

    OPs supporting HTTP-based logout need to keep track of the set of logged-in RPs so that they know what RPs to contact at their logout URIs to cause them to log out. Some OPs track this state using a "visited sites" cookie. OPs contact them in parallel using a dynamically constructed page with HTML <iframe src="frontchannel_logout_uri"> tags rendering each logged-in RP's logout URI.

    Which seems ideal for our configuration, if I'm understanding correctly. Basically it keeps track of which applications the user logged into (potentially via cookie) and hits their logout URIs on logout.

    However, the docs for the Logout behavior setting when creating an application says:

    All applications - This is the default behavior. Logout out of the FusionAuth SSO, call each registered Logout URLs for the entire tenant and then redirect to the Logout URL registered for this application.

    Which is different, and seems to be(?) the behavior we are seeing. Basically every application defined in the tenant is looped and their logout endpoint is hit, regardless if the user is even registered for the application -- which definitely isn't ideal for our situation: single tenant with many, many applications and a given user only has registered access to a few.

    We've been doing a bunch of dev against FA lately, so we cleared all cookies, etc thinking we may have built things up to a crazy state, but the results didn't change. Not sure if there is anything further to look at, but even knowing which behavior is expected would help a lot.

    Thanks!

    -James



  • LOL.. well.. minutes after posting this I decided to check out customizing the logout theme template and saw:

        [#-- use allLogoutURLs to call the logout URL of all applications in the tenant, or use registeredLogoutURLs to log out of just the applications the user is registered for --]
        [#list allLogoutURLs![] as logoutURL]
          <iframe src="${logoutURL}" style="width:0; height:0; border:0; border:none;"></iframe>
        [/#list]
    

    So it does appear we can limit things just to those registered, which we'll definitely try. But would still be curious if the OpenID Connect Front-Channel Logout spec is to be expected or an option in some way.

    Thanks! (again)



  • Hiya,

    If I'm reading the spec correctly as well as our docs, what we'd really need to do to be in compliance would be to provide a loggedInLogoutURLs variable. Something like:

        [#-- use allLogoutURLs to call the logout URL of all applications in the tenant, or use registeredLogoutURLs to log out of just the applications the user is registered for, or use loggedInLogoutURLs to log out of just the applications the user is currently signed into --]
        [#list allLogoutURLs![] as logoutURL]
          <iframe src="${logoutURL}" style="width:0; height:0; border:0; border:none;"></iframe>
        [/#list]
    

    Is my understanding correct?

    If so, the best thing to do would probably be to open a github issue: https://github.com/fusionauth/fusionauth-issues



  • Yea, that flexibility would be ideal IMO, although the registeredLogoutURLs should be workable for us at this point. FWIW that is actually the behavior I assumed before digging into the docs. I'll definitely add the issue to GitHub, as I think it's probably part of the path to getting OIDC Certification which appears to already have an issue.

    Thanks!


Log in to reply