gitbucket / gitbucket

A Git platform powered by Scala with easy installation, high extensibility & GitHub API compatibility

Home Page:https://gitbucket.github.io/

Logging out does not log out from OIDC provider

Mangatome opened this issue · comments

Issue

Impacted version: 4.38.4

Deployment mode: Docker container behind Nginx, Keycloak as OIDC provider.

Problem description:
I'm generally very happy with the way GitBucket handles OpenID Connect sign-in. I followed the documentation to set up integration with Keycloak and everything works fine.

However, once an OIDC user has signed in, logging out of GitBucket does not seem to log the user out of single sign-on. So by clicking "sign in with OpenID Connect" again, the user is automatically logged in to GitBucket again.

To clarify, the steps are:

  1. Log in to GitBucket using OIDC
  2. The OIDC provider asks for credentials. Enter them.
  3. The user is now logged in to GitBucket. Log the user out of GitBucket.
  4. Log in to GitBucket again using OIDC
  5. The user is now logged in to GitBucket without being asked for credentials.

I'm not sure if this is common practice in the SSO/OIDC world, but I expected the user to be asked for credentials the second time too. Is this behaviour on purpose?

Hm, GitBucket's sign-out action might have to redirect to the logout endpoint if the user has been signed in with OpenID Connect?
https://openid.net/specs/openid-connect-rpinitiated-1_0.html
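The sign-out flow that comment describes, as an added example (not GitBucket's code and not from the linked pull request): the relying party clears its own session and then redirects the browser to the OP's end_session_endpoint with id_token_hint, post_logout_redirect_uri and state, as in the RP-Initiated Logout spec. The discovery document, the registered redirect URI, the session dict and all URLs are constructed assumptions.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample OP discovery document (only the key this flow needs).
DISCOVERY = {"end_session_endpoint": "https://op.example/realms/demo/protocol/openid-connect/logout"}
# post_logout_redirect_uri values must be pre-registered with the OP (constructed).
REGISTERED_POST_LOGOUT_URIS = {"https://git.example/signin"}


def build_rp_initiated_logout(discovery, id_token, post_logout_redirect_uri, registered_uris, state=None):
    """Build the OP logout URL; return None when the OP advertises no end_session_endpoint."""
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        return None
    if post_logout_redirect_uri not in registered_uris:
        raise ValueError("post_logout_redirect_uri is not registered with the OP")
    state = state or secrets.token_urlsafe(16)
    params = {
        "id_token_hint": id_token,                    # tells the OP which session to end
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,                               # echoed back so the RP can verify the return
    }
    separator = "&" if urlsplit(endpoint).query else "?"
    return endpoint + separator + urlencode(params), state


def sign_out(session, discovery, registered_uris, return_to):
    """Clear the local session and return where the browser should be redirected next."""
    id_token = session.get("oidc_id_token")
    session.clear()                                   # local logout always happens
    if id_token is None:
        return return_to                              # not an OIDC sign-in: nothing more to do
    result = build_rp_initiated_logout(discovery, id_token, return_to, registered_uris)
    if result is None:
        return return_to                              # OP offers no RP-initiated logout
    url, state = result
    session["logout_state"] = state                   # kept so the return trip can be checked
    return url


def verify_post_logout_return(session, query_string):
    """Check that the state the OP sends back matches the one stored at sign-out."""
    expected = session.pop("logout_state", None)
    received = parse_qs(query_string).get("state", [None])[0]
    if expected is None or received is None:
        return False
    return secrets.compare_digest(expected, received)
```

Without the redirect, only the local session is cleared, which is exactly the behaviour the issue reports: the OP session survives and the next OIDC sign-in completes without a credential prompt.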

Created a pull request #3219 to fix this issue, but this hasn't been tested yet so I'm not confident whether or not this fix is valid.

Awesome, I will test and report back asap.

I tested this with Keycloak and it seems to work as expected.