Timshel / vaultwarden

Fork from dani-garcia/vaultwarden to add OpenID support.
GNU Affero General Public License v3.0
87 stars 12 forks

Logout via OIDC not working/not implemented? #20

Open kosssi opened 9 months ago

kosssi commented 9 months ago

When I log out from my vaultwarden web UI, I would prefer to also log out of my OIDC provider (Authelia). For example, Nextcloud implements this in its application https://github.com/pulsejet/nextcloud-oidc-login with the oidc_login_logout_url variable.

Otherwise, from my point of view, it is a security vulnerability. Many open source tools do not implement this, and clearly it is complicated to explain to non-advanced users.

The same issue on:

Really thank you for the time you spend on this issue. Hoping that my issue doesn't delay the arrival in a release any further ;)

Timshel commented 9 months ago

Hey, it's not implemented. Just checked again and, looking at the client code, there is a signedOutCallbackPath, so something might be possible.

Timshel commented 9 months ago

Hey, had a look again and I don't think it's implemented:

Timshel commented 8 months ago

Hey @spatical, sorry to ping you directly, but I believe you have access to a Bitwarden instance with SSO configured. Can you maybe confirm that OIDC Logout (SLO?) is not supported, or if I need to search again? :)

spatical commented 8 months ago

So if it did support SLO, the expectation would be that when I log out of vaultwarden it would also log me out of my SSO provider?

When I log out on vault.bitwarden.com and my SSO is attached to Google, my browser is still logged in to Google even though bitwarden is now logged out.

My opinion is that the logout as is now in vaultwarden is what I would expect.

Timshel commented 8 months ago

Yes, my understanding is that it should invalidate your session. But without additional configuration it might not log you out of Google. After logout, if you try to log in again, do you need to enter your login/password in the SSO, or are you directly redirected and just need to unlock the vault?

KornKalle commented 5 months ago

I would also love to see the logout flow implemented. For other services I can configure a logoutUrl; for authentik it is something like https://login.company.org/application/o/vaultwarden/end-session/. When redirected there, users get asked whether to invalidate only the service session or the whole session at the IdP.
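The end-session redirect described in this comment is OpenID Connect RP-Initiated Logout. As an added illustration (not vaultwarden code and not from any participant in this thread), the Python below builds that logout request from a constructed discovery document and checks the `state` the provider echoes back; the issuer, endpoint, redirect URI and token values are placeholders.

```python
# Added example: OpenID Connect RP-Initiated Logout request and callback check.
# Not vaultwarden code; endpoint, redirect URI and token values are constructed.
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed discovery document. A real one is fetched from
# <issuer>/.well-known/openid-configuration; only the keys used here are shown.
DISCOVERY = json.loads("""{
  "issuer": "https://login.example.test/application/o/vaultwarden/",
  "end_session_endpoint": "https://login.example.test/application/o/vaultwarden/end-session/"
}""")

# Where the IdP should send the browser after ending its session. Must be
# pre-registered at the IdP, otherwise the provider rejects the request.
POST_LOGOUT_REDIRECT = "https://vault.example.test/sso-logout"


def build_logout_url(discovery, id_token, post_logout_redirect_uri, state=None):
    """Return (url, state) for the browser redirect that ends the IdP session.

    Clearing only the relying party's own session leaves the IdP session alive,
    which is the behaviour discussed in this issue. id_token_hint tells the IdP
    which session to end; state lets the RP verify the returning redirect.
    """
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        # Provider advertises no RP-initiated logout: only a local logout is
        # possible, and the user should be told the IdP session persists.
        return None, None
    state = state or secrets.token_urlsafe(16)
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return f"{endpoint}?{urlencode(params)}", state


def verify_post_logout_redirect(returned_url, expected_state):
    """Accept the IdP's redirect back only if it echoes the stored state.

    A forged or replayed callback without the matching state must not be
    treated as confirmation that the IdP session ended.
    """
    query = parse_qs(urlparse(returned_url).query)
    return query.get("state", [None])[0] == expected_state
```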

albundy83 commented 2 months ago

Hello,

It would be nice to have the logout feature enabled for Keycloak. Here is the configuration from Bitwarden: https://bitwarden.com/help/configure-sso-oidc/

Timshel commented 2 months ago

I can find some code on the server which mentions some redirection and SLO.

But can't find anything similar in the web client logout.

albundy83 commented 2 months ago

Not sure I clearly understand the code you showed me. But you are right, maybe I misunderstood the documentation.