Send id_token_hint with OIDC logout

[defnull]

OIDC logout requests have an id_token_hint parameter. This parameter is not required, but recommended by spec and some providers may not be able to properly terminate a user session if that parameter is missing. They then just delete the cookies, but not end the session. (see below) It would be nice if this parameter could be added. This should be the right place:

flask-multipass/flask_multipass/providers/authlib.py

Line 108 in a469d51

query = url_encode({'post_logout_redirect_uri': return_url})

[ThiefMaster]

Easier said than done - currently the ID token is not stored anywhere... :/

[defnull]

As far as I understand it, this parameter is required to log out from just a single service. If it's missing, the OpenID provider would ask the user whether to log out of the provider itself instead of the application they came from.

If this is not an easy fix, then this issue can perhaps be kept open as a feature request?

[ThiefMaster]

Sure, we can keep it open.

Regarding the other point, when you do a SSO logout you usually want to log out everywhere. For just logging our from Indico you wouldn't redirect to the OIDC logout endpoint at all. You can set 'logout_uri': None in the config to disable it (see the relevant code).

[defnull]

Depends on the application I guess. If an application offers a logout button, I usually expect to be logged out from that application, not from all applications. At least the logout page should give me both options.
For an application logout on a trusted computer, it may be enough to remove some cookies and just 'forget' the refresh token, but for a secure logout the refresh token should also be revoked, so it cannot be used to continue the session later. So, either the application has to keep track of logged-out sessions for as long as their refresh token may be valid, or the SSO provider should be asked to revoke the refresh token. This is exactly what a logout with id_token_hint does, as far as I understand it.

[wetzel-desy]

I just stumbled upon this today and found out that if the application is connected to a Keycloak instance as OP, it can either send the id_token_hint or the client_id with the post_logout_redirect_uri. The latter might be easier to use as the client_id is already in the multipass-config, right? I also tested the logout functionality with an indico instance connected to Keycloak and modifying the URL in the browser by adding &client_id=$CLIENT_ID (with the correct ID, course) let me log out regularly.
Relevant documentation excerpt:

After logout, the user will be automatically redirected to the specified post_logout_redirect_uri as long as it is provided. Note that you need to include either the client_id or id_token_hint parameter in case that post_logout_redirect_uri is included.

[rabser]

I encountered this problem also in recent Keycloak releases (reproduced on KC21.1.1 from quay).
I SOLVED changing the suggested file as follow:

            client_id = self.authlib_settings['client_id']
            query = url_encode({'post_logout_redirect_uri': return_url, 'client_id': client_id})

Now when I click logout, instead of an error, I got the Kecloak screen asking me if I want to logout and then redirect me to the post_logout_redirect_uri.

Would be fine if this change could be published.