allow passing 'id_token_hint' to the IdP in logout uri or end_session_endpoint

Question

allow passing 'id_token_hint' to the IdP in logout uri or end_session_endpoint

ShyLionTjmn opened this issue a year ago · comments

My IdP requires id_token as one of parameters to be able to redirect to specified URL, like this:

end_session_endpoint: https://idp.domain.com/oauth/logout?id_token_hint={ID_TOKEN}&post_logout_redirect_uri=https%3A%2F%2Fmyapp.domain.com%2F

is there a way to include it in uri?

Benjamin Foote · Answer 1 · Thu Feb 23 2023 03:03:30 GMT+0800 (China Standard Time)

@ShyLionTjmn welcome back!

Which IdP is this?

VP does not support passing the token to the IdP in a logout URL.

Aaron Parecki · Answer 2 · Thu Feb 23 2023 03:23:10 GMT+0800 (China Standard Time)

fwiw this is part of the OpenID Connect spec:

https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout

Benjamin Foote · Answer 3 · Thu Feb 23 2023 04:33:29 GMT+0800 (China Standard Time)

right now these URLs are configured in vouch.post_logout_redirect_uris
https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example#L194

If #41 OIDC Discovery from .well-known is implemented and VP is configured with the specified end_session_endpoint does the IdP include id_token_hint={ID_TOKEN}?

I don't see that mentioned here...
https://openid.net/specs/openid-connect-discovery-1_0.html

I'm thinking there may need to be a new configuration parameter...
vouch.post_logout_id_token_hint: true (default false)

MicroSoft Azure chooses not to include id_token_hint when OIDC discovery is used.
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory-b2c/session-behavior.md

Seems like "Single Sign Out" is it's own rabbit hole. :)

Aaron Parecki · Answer 4 · Thu Feb 23 2023 04:35:46 GMT+0800 (China Standard Time)

Seems like "Single Sign Out" is it's own rabbit hole. :)

It absolutely is 😂

ShyLionTjmn · Answer 5 · Thu Feb 23 2023 05:17:13 GMT+0800 (China Standard Time)

IdP is Blitz: https://identityblitz.com/

https://blitz.mydomain.com/blitz/oauth/.well-known/openid-configuration has:
"end_session_endpoint": "https://blitz.mydomain.com/blitz/oauth/logout",

ShyLionTjmn · Answer 6 · Thu Feb 23 2023 05:22:08 GMT+0800 (China Standard Time)

I'm thinking there may need to be a new configuration parameter... vouch.post_logout_id_token_hint: true (default false)

that would be nice

Tálas János · Answer 7 · Wed Jul 05 2023 04:34:31 GMT+0800 (China Standard Time)

I'd be really glad if this extra parameter could be implemented.

Keycloak also requires the id_token_hint parameter to skip the logout confirmation.

Update: I just found #258 that is supposed to do exactly that. Any ideas why this isn't working?

Update 2: I just found #298 (also see #328) that mandates the explicit inclusion of the id/access token as headers to make them available. You need to add this to your vouch configuration to make it work:

vouch:
  # ...
  headers:
    accesstoken: X-Vouch-IdP-AccessToken
    idtoken: X-Vouch-IdP-IdToken

Tálas János · Answer 8 · Wed Jul 05 2023 17:10:24 GMT+0800 (China Standard Time)

@ShyLionTjmn is this fixing your issue?

ShyLionTjmn · Answer 9 · Wed Jul 05 2023 18:38:56 GMT+0800 (China Standard Time)

didn't try it