go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

end_session_endpoint needs to be added to .well-known/openid-configuration endpoint #16488

Open vw98075 opened 3 years ago

vw98075 commented 3 years ago

Description

Default implementation expects end_session_endpoint to be exposed by the IDP .well-known/openid-configuration endpoint. The OOB supported Keycloak and Okta do provide the endpoint details in the above metadata API response. Please follow the mainstream and add it to the endpoint. I don't see anything else on user log-off in the current endpoint.


zeripath commented 3 years ago

Would it be possible to provide a link to the spec?

vw98075 commented 3 years ago

In the current Gitea OAuth implementation, is there a way to log off a user session on Gitea when a user logs off on its OAuth client?

Some results of an online search on end_session_endpoint:

https://identityserver4.readthedocs.io/en/latest/endpoints/endsession.html
https://ldapwiki.com/wiki/End_session_endpoint

KN4CK3R commented 3 years ago

Here is the (optional) spec: https://openid.net/specs/openid-connect-rpinitiated-1_0.html I found only one public OpenID provider (Microsoft) which implements this endpoint.
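To make the optional nature of the endpoint concrete, here is an added example (not Gitea code, and not from any commenter) of how a relying party consumes the discovery document described in the spec linked above: it treats end_session_endpoint as absent-by-default and only builds an RP-initiated logout request when the provider advertises it. Hostnames and the id_token value are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Discovery is the subset of the OP metadata (/.well-known/openid-configuration)
// relevant here. end_session_endpoint is OPTIONAL in RP-Initiated Logout 1.0.
type Discovery struct {
	Issuer             string `json:"issuer"`
	EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`
}

// ParseDiscovery decodes the metadata and reports whether the OP advertises RP-initiated logout.
func ParseDiscovery(doc []byte) (Discovery, bool, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return d, false, err
	}
	return d, d.EndSessionEndpoint != "", nil
}

// LogoutURL builds the RP-initiated logout request: id_token_hint names the session to end,
// post_logout_redirect_uri must be pre-registered at the OP, state is echoed back to the RP.
func LogoutURL(d Discovery, idToken, postLogoutRedirect, state string) (string, error) {
	if d.EndSessionEndpoint == "" {
		return "", errors.New("no end_session_endpoint advertised; local logout only")
	}
	u, err := url.Parse(d.EndSessionEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("id_token_hint", idToken)
	q.Set("post_logout_redirect_uri", postLogoutRedirect)
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed sample metadata; hostnames are placeholders, not a real OP.
	doc := []byte(`{"issuer":"https://idp.example","end_session_endpoint":"https://idp.example/logout"}`)
	d, ok, _ := ParseDiscovery(doc)
	u, _ := LogoutURL(d, "<id_token>", "https://rp.example/logged-out", "xyz")
	fmt.Println(ok, u)
}
```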

vw98075 commented 3 years ago

Two major OAuth2 services, Keycloak and Okta, have it in their .well-known/openid-configuration endpoints.

zeripath commented 3 years ago

The end_session_endpoint is only required if we support OpenID Connect session management, which AFAICS we don't support.

(I'm not saying that we shouldn't or can't but that we don't currently support it.)