Stratos Version

4.4.0 release

Frontend Deployment type

Backend (Jet Stream) Deployment type

Expected behaviour

SSO logout should probably use the same endpoint as SSO login.

Actual behaviour

When SSO is activated, login uses `/sso_login`, which in method `initSSOlogin` in file `authuaa.go` redirects to `p.Config.ConsoleConfig.AuthorizationEndpoint`.

Logout uses `/sso_logout`, which in method `ssoLogoutOfUAA`, also in file `authuaa.go`, redirects to `p.Config.ConsoleConfig.UAAEndpoint`.

I think this should be redirected to the same endpoint.

Can I ask why there are two endpoints, which look like they should be the same? I noticed this because in our test CF environment somebody configured `authorization_endpoint` to `https://login.something` and `token_endpoint` to `https://uaa.something`, which both point to the same UAA, but due to the different domains the user is never logged out from the login domain (browser flow cookies).

Also, I didn't find anywhere in the docs that there must be `logout` in the `SSO_OPTIONS` environment attribute to activate SSO logout, and that if `SSO_ALLOWLIST` is used, it must contain `logout` too, because only `logout` and not the full URL is used as state in the callback after logout - this is probably a bug too.
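The cookie problem described in the report is worth checking for directly: a UAA session cookie is scoped to the host that set it, so a logout redirected to `uaa.something` cannot clear the session the browser holds for `login.something`. The following Go snippet is an added example, not Stratos code and not the contents of `authuaa.go`; the `ConsoleConfig` struct, `sameOrigin`, `logoutURL` and `checkSSOEndpoints` are illustrative names, and the hostnames come from the report. It flags a configuration whose login and logout endpoints live on different origins and builds the logout redirect on the same origin the login flow used, using UAA's `/logout.do` endpoint with its `redirect` and `client_id` query parameters.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ConsoleConfig is a stand-in carrying only the two fields discussed in
// the issue; it is not Stratos's real configuration struct.
type ConsoleConfig struct {
	AuthorizationEndpoint string // origin the login flow redirects the browser to
	UAAEndpoint           string // origin the logout flow currently redirects to
}

// sameOrigin reports whether two endpoint URLs share scheme and host
// (including port). Browser cookies are bound to the host, so a logout on
// a different origin leaves the login origin's session cookie in place.
func sameOrigin(a, b string) (bool, error) {
	ua, err := url.Parse(a)
	if err != nil {
		return false, err
	}
	ub, err := url.Parse(b)
	if err != nil {
		return false, err
	}
	if ua.Scheme == "" || ua.Host == "" || ub.Scheme == "" || ub.Host == "" {
		return false, fmt.Errorf("endpoint missing scheme or host: %q / %q", a, b)
	}
	return strings.EqualFold(ua.Scheme, ub.Scheme) && strings.EqualFold(ua.Host, ub.Host), nil
}

// logoutURL builds the UAA /logout.do URL on the origin used for login, so
// the session cookie the browser actually holds is the one that is cleared.
// redirect is where UAA sends the user afterwards; client_id lets UAA check
// that redirect against the client's registered redirect URIs.
func logoutURL(cfg ConsoleConfig, clientID, redirect string) (string, error) {
	base, err := url.Parse(cfg.AuthorizationEndpoint)
	if err != nil {
		return "", err
	}
	base.Path = strings.TrimRight(base.Path, "/") + "/logout.do"
	q := url.Values{}
	q.Set("redirect", redirect)
	q.Set("client_id", clientID)
	base.RawQuery = q.Encode()
	return base.String(), nil
}

// checkSSOEndpoints returns a warning when login and logout would hit
// different origins, or "" when the configuration is consistent.
func checkSSOEndpoints(cfg ConsoleConfig) (string, error) {
	same, err := sameOrigin(cfg.AuthorizationEndpoint, cfg.UAAEndpoint)
	if err != nil {
		return "", err
	}
	if same {
		return "", nil
	}
	return fmt.Sprintf("SSO login redirects to %s but logout redirects to %s: the login host's session cookie will not be cleared",
		cfg.AuthorizationEndpoint, cfg.UAAEndpoint), nil
}

func main() {
	// Constructed configuration reproducing the environment in the report.
	cfg := ConsoleConfig{
		AuthorizationEndpoint: "https://login.something",
		UAAEndpoint:           "https://uaa.something",
	}
	if w, err := checkSSOEndpoints(cfg); err != nil {
		fmt.Println("error:", err)
	} else if w != "" {
		fmt.Println("warning:", w)
	}
	// The console URL and client name are assumed values for the demo.
	u, err := logoutURL(cfg, "cf", "https://console.something/")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("logout via:", u)
}
```

Running this against the two hostnames from the report prints the warning and a logout URL on `login.something`; with both endpoints on one origin the warning is empty. The check is also a cheap thing to run at startup against whatever `/v2/info` (or the operator) supplied before SSO is enabled.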