Open flortsch opened 3 years ago
I didn't realise that there were specs for this - but:
https://medium.com/@robert.broeckelmann/openid-connect-logout-eccc73df758f
https://curity.io/resources/architect/openid-connect/openid-connect-logout/
https://openid.net/specs/openid-connect-frontchannel-1_0.html
https://openid.net/specs/openid-connect-backchannel-1_0.html
may be helpful for implementation.
Is there any plan for when this issue will be fixed? Logging out from Gitea actually does not log out from the OIDC provider.
It would be nice to have this feature implemented. 👍
Perhaps the simplest way to implement this is to use the RP Initiated Logout spec
Hi, is there a workaround in order to achieve a logout at the OIDC provider until this feature is implemented?
Also missing this feature. And adding the name field in Keycloak (my full name) to the Gitea full name.
@qworkz11 A workaround which could work:
Change the data-url in
of your local gitea to
EDIT - my fault: that does not work as the Gitea cookies persist. Perhaps it works with editing the logout handler https://github.com/go-gitea/gitea/blob/368743baf3d904f86b553a88718583906f571c87/routers/web/events/events.go#L93
with something like
```go
// Fragment of the event loop in routers/web/events/events.go; "loop" is the
// label of the enclosing for-loop in that file.
// Handle logout
if event.Name == "logout" {
	if ctx.Session.ID() == event.Data {
		_, _ = (&eventsource.Event{
			Name: "logout",
			Data: "here",
		}).WriteTo(ctx.Resp)
		ctx.Resp.Flush()
		go unregister()
		auth.HandleSignOut(ctx)
		// Set post logout redirect single logout Keycloak-uri here
		keycloakLogoutURL := "https://keycloak.example.com/realms/MYREALM/protocol/openid-connect/logout?post_logout_redirect_uri=https://myapp.example.com&client_id=myclient"
		ctx.Redirect(keycloakLogoutURL)
		break loop
	}
	// Replace the event - we don't want to expose the session ID to the user
	event = &eventsource.Event{
		Name: "logout",
		Data: "elsewhere",
	}
}
```
But I don't know how to edit this on a local machine.
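The hard-coded Keycloak URL in the sketch above is the RP-Initiated Logout request that the linked spec describes. The following is an added example, not code from this thread or from Gitea: it takes the `end_session_endpoint` from a constructed excerpt of the provider's discovery document (hypothetical values), percent-encodes the parameters, and only accepts a `post_logout_redirect_uri` that is on the client's registered list. The local Gitea session still has to be cleared before the browser is sent to the returned URL.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/url"
)

// discovery holds the one field of the provider's OpenID configuration used here.
type discovery struct {
	EndSessionEndpoint string `json:"end_session_endpoint"`
}

// sampleDiscovery is a constructed excerpt of a .well-known/openid-configuration
// document; a real deployment fetches it from the issuer.
const sampleDiscovery = `{"issuer":"https://keycloak.example.com/realms/MYREALM",
"end_session_endpoint":"https://keycloak.example.com/realms/MYREALM/protocol/openid-connect/logout"}`

// BuildLogoutURL builds the RP-Initiated Logout redirect. idTokenHint may be empty.
// postLogoutURI is checked against the URIs registered for the client rather than
// taken from the request, so a crafted link cannot turn logout into an open redirect.
func BuildLogoutURL(discoveryJSON, clientID, idTokenHint, postLogoutURI, state string, allowed []string) (string, error) {
	var d discovery
	if err := json.Unmarshal([]byte(discoveryJSON), &d); err != nil {
		return "", err
	}
	if d.EndSessionEndpoint == "" {
		return "", errors.New("provider does not advertise end_session_endpoint")
	}
	permitted := false
	for _, a := range allowed {
		permitted = permitted || a == postLogoutURI
	}
	if !permitted {
		return "", errors.New("post_logout_redirect_uri is not registered for this client")
	}
	u, err := url.Parse(d.EndSessionEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query() // url.Values percent-encodes the redirect URI correctly
	q.Set("client_id", clientID)
	q.Set("post_logout_redirect_uri", postLogoutURI)
	q.Set("state", state) // echoed back so the RP can match the return visit
	if idTokenHint != "" {
		q.Set("id_token_hint", idTokenHint)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}
```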
I decided to enhance and polish my basic implementation, which I was using for private purposes. It actually took quite a bit of time, since the Gitea code wasn't as ready for this as I first thought. Also there are always quite many error cases and action paths to take care of when implementing SLO. I think the code should be on review level now, so any additional testing is appreciated. Please note that there's one database migration, so I don't recommend testing on production databases before the pull request gets merged.
Description
If you log in to Gitea using an OpenID Connect provider (e.g., Keycloak) and log out again, you are logged out of Gitea, but you are still logged in at your OpenID provider. Clicking the OpenID login button on the Gitea page will automatically log you back into the same account. It should be possible to also log out at the OpenID provider. Keycloak, as an example, provides a logout endpoint where you can log out from the OpenID provider and redirect back to the application, which could be used by Gitea when logging out (e.g., https://your-keycloak.com/auth/realms/example-realm/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fyour-gitea.com%2F).
Related issue in past: #12374