Fraunhofer-AISEC / omejdn-server

Omejdn is an OAuth2/OpenID Connect server for IoT devices which use their private keys to request OAuth2 access tokens in order to access protected resources, and for websites or apps which retrieve user attributes.
Apache License 2.0

Rethink Logouts #58

Open bellebaum opened 2 years ago

bellebaum commented 2 years ago

Omejdn offers an endpoint /logout accepting GET and POST requests, as well as a request parameter post_logout_redirect_uri. This bears some similarities to the end_session_endpoint defined in OIDC RP-Initiated Logout. However, where RPIL has at least some security built in with regards to several attacks, including

Omejdn has none. In fact, Omejdn is simply deleting the user's login session before redirecting the user back to whatever URL was passed as a parameter.

Going with the terminology of the above draft, a user thinks of "logging out at a RP" as revoking any access rights of an RP via the OP. This is trickier than implementing RPIL, since RPIL only covers OpenID Sessions (to log out, a RP will send an id_token_hint) and a user will likely want to be able to revoke access of arbitrary OAuth capable services, likely via an Omejdn GUI. This in turn requires proper token revocation and optionally a method to notify OIDC RPs (such as OIDC Front/Backchannel Logout).

For the time being, the following should be implemented:

bellebaum commented 2 years ago

The immediate changes have been implemented in #57
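The first comment contrasts Omejdn's `/logout` (delete the session, then redirect to whatever `post_logout_redirect_uri` was passed) with the checks OIDC RP-Initiated Logout performs before any redirect. The following is an added example in Ruby, Omejdn's language, and is not Omejdn's own code or the change made in #57. It shows a decision function an OP can run before touching the session: the client registry, the issuer URL, the claim values and the request parameters are all constructed here, and the `id_token_hint` is assumed to have been signature-verified upstream, so the function receives its claims as a plain Hash.

```ruby
require 'uri'
require 'cgi'

# Constructed client registry (hypothetical); a real server loads this from its config.
# Only exact, pre-registered post-logout URIs are ever redirected to.
CLIENTS = {
  'webapp'     => { 'post_logout_redirect_uris' => ['https://app.example.com/logged-out'] },
  'device-123' => { 'post_logout_redirect_uris' => [] }
}.freeze

OP_ISSUER = 'https://op.example.com'.freeze # constructed issuer identifier

# What the endpoint should do with the request:
#   :logout  -> end the session; send the browser to `target` if it is non-nil
#   :confirm -> show an OP-hosted confirmation page first; never redirect
#   :reject  -> answer with an error and do NOT redirect to the supplied URI
LogoutDecision = Struct.new(:action, :target, :reason, keyword_init: true)

# Exact-match check against the client's registered post-logout URIs.
# No prefix or wildcard matching: that is what turns a logout endpoint into an open redirect.
def registered_redirect?(candidate, client)
  return false if candidate.nil?
  begin
    uri = URI.parse(candidate)
  rescue URI::InvalidURIError
    return false
  end
  return false if uri.fragment # redirect URIs must not carry a fragment
  client['post_logout_redirect_uris'].include?(candidate)
end

# Echo the RP's opaque state value back on the redirect, URL-encoded.
def append_state(target, state)
  return target if state.nil? || state.empty?
  sep = target.include?('?') ? '&' : '?'
  "#{target}#{sep}state=#{CGI.escape(state)}"
end

# params:      request parameters as a Hash of Strings
# hint_claims: claims of the id_token_hint AFTER signature verification, or nil if absent
# session_sub: 'sub' of the user currently logged in at the OP, or nil
def decide_logout(params, hint_claims, session_sub)
  redirect_uri = params['post_logout_redirect_uri']
  state        = params['state']

  # Without a hint we cannot tell which RP is asking, so a redirect target
  # cannot be validated and must not be honoured.
  if hint_claims.nil?
    return LogoutDecision.new(action: :confirm, reason: 'no id_token_hint') if redirect_uri.nil?
    return LogoutDecision.new(action: :reject, reason: 'post_logout_redirect_uri without id_token_hint')
  end

  # The hint must be one of our own ID tokens, issued to a client we know.
  unless hint_claims['iss'] == OP_ISSUER
    return LogoutDecision.new(action: :reject, reason: 'id_token_hint from a different issuer')
  end
  client_id = Array(hint_claims['aud']).find { |a| CLIENTS.key?(a) }
  return LogoutDecision.new(action: :reject, reason: 'unknown client in aud') if client_id.nil?
  client = CLIENTS[client_id]

  # The hint must belong to the user who is actually logged in here; otherwise a
  # link crafted by a third party could end an unrelated user's session.
  if session_sub && hint_claims['sub'] != session_sub
    return LogoutDecision.new(action: :confirm, reason: 'id_token_hint subject differs from current session')
  end

  return LogoutDecision.new(action: :logout, target: nil, reason: 'ok, no redirect requested') if redirect_uri.nil?

  unless registered_redirect?(redirect_uri, client)
    return LogoutDecision.new(action: :reject, reason: 'post_logout_redirect_uri not registered for client')
  end
  LogoutDecision.new(action: :logout, target: append_state(redirect_uri, state), reason: 'ok')
end
```

The endpoint handler would call `decide_logout` first and only delete the login session on `:logout` (or after the user accepts the `:confirm` page); every `:reject` outcome ends with an error response rather than a redirect, which is the property the current `/logout` lacks.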