Omejdn is an OAuth2/OpenID Connect server for IoT devices that use their private keys to request OAuth2 access tokens in order to access protected resources, and for websites or apps that retrieve user attributes.
Omejdn offers an endpoint /logout accepting GET and POST requests, as well as a request parameter post_logout_redirect_uri. This bears some similarities to the end_session_endpoint defined in OIDC RP-Initiated Logout.
However, where RPIL has at least some security built in against several attacks, including
using the OP as an open redirector, and
involuntarily logging out the user from arbitrary services,
Omejdn has none. In fact, Omejdn simply deletes the user's login session and then redirects the user to whatever URL was passed in the parameter, without any validation.
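The missing check, written as an added example in the style of RP-Initiated Logout (this is illustrative code, not Omejdn's own): the redirect target is only honoured if the calling client is identified and the URI exactly matches one the client registered out of band; everything else falls back to a local page. The client registry, the `client_id` parameter and the `/logout/done` fallback path are assumptions for the example (RPIL also allows identifying the client via `id_token_hint`, which is omitted here).

```ruby
require 'uri'

# Constructed example registry (not Omejdn's config format):
# client_id => post-logout redirect URIs registered out of band.
REGISTERED_CLIENTS = {
  'demo-web-app'   => ['https://app.example.com/logged-out'],
  'demo-iot-device' => []
}.freeze

# Local page shown when no trustworthy redirect target exists.
LOCAL_LOGOUT_PAGE = '/logout/done'

# Decide where the user may be sent after the session is deleted.
# Returns the registered URI string on an exact (normalized) match,
# otherwise LOCAL_LOGOUT_PAGE. Never returns the raw request value,
# so the endpoint cannot be used as an open redirector.
def safe_post_logout_redirect(params, clients = REGISTERED_CLIENTS)
  target = params['post_logout_redirect_uri']
  return LOCAL_LOGOUT_PAGE if target.nil? || target.empty?

  # Without knowing which client asked, nothing can be validated.
  registered = clients[params['client_id']]
  return LOCAL_LOGOUT_PAGE if registered.nil? || registered.empty?

  # Reject unparsable, relative, protocol-relative or non-https targets.
  begin
    parsed = URI.parse(target)
  rescue URI::InvalidURIError
    return LOCAL_LOGOUT_PAGE
  end
  return LOCAL_LOGOUT_PAGE unless parsed.is_a?(URI::HTTPS) && parsed.host

  # URI#== compares normalized forms (scheme/host case-folded), so the
  # registered string, not the attacker-controlled one, is what we return.
  registered.find { |r| URI.parse(r) == parsed } || LOCAL_LOGOUT_PAGE
end
```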
Going with the terminology of the above draft, a user thinks of "logging out at an RP" as revoking any access rights of that RP via the OP. This is trickier than implementing RPIL, since RPIL only covers OpenID sessions (to log out, an RP sends an id_token_hint), whereas a user will likely want to revoke the access of arbitrary OAuth-capable services, probably via an Omejdn GUI. This in turn requires proper token revocation and, optionally, a method to notify OIDC RPs (such as OIDC Front-Channel/Back-Channel Logout).
For the time being, the following should be implemented: