allow passing 'id_token_hint' to the IdP in logout uri or end_session_endpoint
ShyLionTjmn opened this issue · comments
My IdP requires id_token as one of the parameters to be able to redirect to the specified URL, like this:
end_session_endpoint: https://idp.domain.com/oauth/logout?id_token_hint={ID_TOKEN}&post_logout_redirect_uri=https%3A%2F%2Fmyapp.domain.com%2F
Is there a way to include it in the URI?
@ShyLionTjmn welcome back!
Which IdP is this?
VP does not support passing the token to the IdP in a logout URL.
fwiw this is part of the OpenID Connect spec:
https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
right now these URLs are configured in vouch.post_logout_redirect_uris
https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example#L194
If #41 OIDC Discovery from .well-known is implemented and VP is configured with the specified end_session_endpoint, does the IdP include id_token_hint={ID_TOKEN}?
I don't see that mentioned here...
https://openid.net/specs/openid-connect-discovery-1_0.html
I'm thinking there may need to be a new configuration parameter...
vouch.post_logout_id_token_hint: true (default false)
Microsoft Azure chooses not to include id_token_hint when OIDC discovery is used.
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory-b2c/session-behavior.md
Seems like "Single Sign Out" is its own rabbit hole. :)
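As an added example (not vouch-proxy's own code), this is how the proposed vouch.post_logout_id_token_hint switch could be applied when building the RP-initiated logout URL from the spec linked above. The type and function names are assumptions; the config fields mirror the settings discussed in this thread. Because the IdP will redirect the browser wherever post_logout_redirect_uri points, the example also checks that value against the vouch.post_logout_redirect_uris allowlist by exact match before building the URL, and it refuses to emit id_token_hint when no id token is available rather than sending an empty hint.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// LogoutConfig mirrors (hypothetically) the vouch settings discussed in the thread.
type LogoutConfig struct {
	EndSessionEndpoint     string   // from the IdP's discovery document
	PostLogoutRedirectURIs []string // allowlist, as in vouch.post_logout_redirect_uris
	PostLogoutIDTokenHint  bool     // proposed vouch.post_logout_id_token_hint
}

var (
	ErrRedirectNotAllowed = errors.New("post_logout_redirect_uri is not in the allowlist")
	ErrNoIDToken          = errors.New("id_token_hint requested but no id_token is available")
)

// redirectAllowed uses exact string comparison, not a prefix match, so that
// https://myapp.domain.com/.evil.example or a different scheme cannot slip through.
func redirectAllowed(allow []string, candidate string) bool {
	for _, a := range allow {
		if a == candidate {
			return true
		}
	}
	return false
}

// BuildLogoutURL constructs the end_session_endpoint URL per OpenID Connect
// RP-Initiated Logout: post_logout_redirect_uri always, id_token_hint only when
// the (assumed) post_logout_id_token_hint setting is on. Existing query
// parameters on the endpoint are preserved.
func BuildLogoutURL(cfg LogoutConfig, idToken, postLogoutRedirect string) (string, error) {
	if !redirectAllowed(cfg.PostLogoutRedirectURIs, postLogoutRedirect) {
		return "", ErrRedirectNotAllowed
	}
	u, err := url.Parse(cfg.EndSessionEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("post_logout_redirect_uri", postLogoutRedirect)
	if cfg.PostLogoutIDTokenHint {
		if idToken == "" {
			// Happens when the id token was never stored; in vouch terms the
			// idtoken header must be configured for the token to be available.
			return "", ErrNoIDToken
		}
		q.Set("id_token_hint", idToken)
	}
	u.RawQuery = q.Encode() // url.Values.Encode percent-escapes and sorts keys
	return u.String(), nil
}

func main() {
	cfg := LogoutConfig{
		EndSessionEndpoint:     "https://idp.domain.com/oauth/logout",
		PostLogoutRedirectURIs: []string{"https://myapp.domain.com/"},
		PostLogoutIDTokenHint:  true,
	}
	// Constructed sample token; a real one is the JWT received at login.
	u, err := BuildLogoutURL(cfg, "eyJhbGciOiJSUzI1NiJ9.e30.sig", "https://myapp.domain.com/")
	fmt.Println(u, err)
	_, err = BuildLogoutURL(cfg, "eyJhbGciOiJSUzI1NiJ9.e30.sig", "https://evil.example/")
	fmt.Println(err)
}
```

With the flag on, the first call yields the same shape the issue asks for (id_token_hint followed by the percent-encoded post_logout_redirect_uri); with it off, only post_logout_redirect_uri is sent, which is the current behaviour described above.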
> Seems like "Single Sign Out" is its own rabbit hole. :)

It absolutely is 😂
IdP is Blitz: https://identityblitz.com/
https://blitz.mydomain.com/blitz/oauth/.well-known/openid-configuration has:
"end_session_endpoint": "https://blitz.mydomain.com/blitz/oauth/logout",
> I'm thinking there may need to be a new configuration parameter...
> vouch.post_logout_id_token_hint: true (default false)

That would be nice.
I'd be really glad if this extra parameter could be implemented.
Keycloak also requires the id_token_hint parameter to skip the logout confirmation.
Update: I just found #258 that is supposed to do exactly that. Any ideas why this isn't working?
Update 2: I just found #298 (also see #328) that mandates the explicit inclusion of the id/access token as headers to make them available. You need to add this to your vouch configuration to make it work:
vouch:
  # ...
  headers:
    accesstoken: X-Vouch-IdP-AccessToken
    idtoken: X-Vouch-IdP-IdToken
@ShyLionTjmn is this fixing your issue?
didn't try it