Closed mattcg closed 3 years ago
Hm, this is a bit more complicated: to do this, we'd need to cache the id_token when we are logging in, probably into redis. We would also need to move the logout URL out of /api/2/metadata (it's static and cached), probably into the /api/2/sessions/logout response.
I guess one possible alternative would be to make OIDC logout configurable, so you can disable it for specific providers and just terminate the local session while leaving the provider session active...
As soon as I get time I’ll look into a solution and will possibly make a PR. Second paragraph of your comment: I think it makes more sense for that logic to be handled by the authorization server, rather than building more complexity into Aleph.
On 01 Dec 2020, at 09:56, Friedrich Lindenberg notifications@github.com wrote:
It's probably easiest if I take this on, it's just meddling with a bunch of obscure wiring.
The id_token_hint parameter is missing: https://github.com/alephdata/aleph/blob/5412447816fbecb0d6c876a5914b2cc21f8ae175/aleph/views/base_api.py#L42
This parameter is recommended by the OIDC spec but is unfortunately required by Okta. Leaving it out causes an invalid_client error to be thrown by Okta. Others have experienced this: pomerium/pomerium/issues/1541.
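How the login-time id_token cache and the RP-initiated logout URL discussed in this thread fit together, as an added example (Python, not Aleph's own code); the endpoint URL, session ids, token string and the dict standing in for redis are constructed assumptions:

```python
"""Added example, not Aleph's code: OIDC RP-initiated logout with id_token_hint.

Assumptions (constructed, not from the issue): a dict stands in for the redis
cache the comment proposes; endpoint URLs and token values are placeholders.
"""
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for redis: session id -> id_token received at login.
ID_TOKEN_CACHE: dict[str, str] = {}


def cache_id_token_on_login(session_id: str, id_token: str) -> None:
    """At login, keep the provider's id_token so logout can send it back as a hint."""
    ID_TOKEN_CACHE[session_id] = id_token


def build_end_session_url(end_session_endpoint: str, session_id: str,
                          post_logout_redirect_uri: str, state: str) -> str:
    """Build the end-session URL for the provider, adding id_token_hint when
    the cached token is available (recommended by the spec, required by Okta).
    The token is consumed from the cache: one logout per local session."""
    id_token = ID_TOKEN_CACHE.pop(session_id, None)
    params = {
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    if id_token is not None:
        params["id_token_hint"] = id_token
    return f"{end_session_endpoint}?{urlencode(params)}"


def missing_logout_params(url: str) -> list[str]:
    """Report which logout parameters a built URL lacks; an empty list means
    the URL carries both id_token_hint and post_logout_redirect_uri."""
    qs = parse_qs(urlparse(url).query)
    return [p for p in ("id_token_hint", "post_logout_redirect_uri") if p not in qs]
```

When the cache has no token for the session (for example after a redis restart), the URL is still built but the check reports id_token_hint as missing, which is the condition that produces Okta's invalid_client error.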