Open vw98075 opened 3 years ago
Would it be possible to provide a link to the spec?
In the current Gitea OAuth implementation, is there a way to log off a user session on Gitea when a user logs off on its OAuth client?
Some results of an online search on end_session_endpoint:
https://identityserver4.readthedocs.io/en/latest/endpoints/endsession.html
https://ldapwiki.com/wiki/End_session_endpoint
Here is the (optional) spec: https://openid.net/specs/openid-connect-rpinitiated-1_0.html
I found only one public OpenID provider (Microsoft) which implements this endpoint.
Two major OAuth2 services, Keycloak and Okta, have it in their .well-known/openid-configuration points.
The end_session_endpoint is only required if we support OpenID Connect session management, which AFAICS we don't support.
(I'm not saying that we shouldn't or can't but that we don't currently support it.)
Description
Default implementation expects end_session_endpoint to be exposed by the IDP .well-known/openid-configuration endpoint. The OOB supported Keycloak and Okta do provide the endpoint details in the above metadata API response. Please follow the mainstream and add it to the endpoint. I don't see anything else on user log-off in the current endpoint.
...
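For readers following the thread, an added example (not Gitea code and not posted by any participant) of how a relying party uses the `end_session_endpoint` field discussed above: it reads the field from discovery metadata and builds the logout redirect with the request parameters defined in the linked RP-Initiated Logout spec. The helper name `logoutURL`, the `example.test` hosts and the sample metadata are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Constructed sample of a provider's /.well-known/openid-configuration response.
const sampleMetadata = `{
  "issuer": "https://idp.example.test",
  "authorization_endpoint": "https://idp.example.test/authorize",
  "end_session_endpoint": "https://idp.example.test/logout"
}`

// providerMetadata holds only the discovery fields this example needs.
type providerMetadata struct {
	Issuer             string `json:"issuer"`
	EndSessionEndpoint string `json:"end_session_endpoint"`
}

var errNoEndSession = errors.New("provider does not advertise end_session_endpoint")

// logoutURL (hypothetical helper) builds an RP-initiated logout URL from discovery metadata.
func logoutURL(metadata []byte, idToken, postLogoutRedirect, state string) (string, error) {
	var md providerMetadata
	if err := json.Unmarshal(metadata, &md); err != nil {
		return "", err
	}
	if md.EndSessionEndpoint == "" {
		return "", errNoEndSession // field is optional: caller falls back to local-only logout
	}
	u, err := url.Parse(md.EndSessionEndpoint)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("unusable end_session_endpoint %q", md.EndSessionEndpoint)
	}
	q := u.Query() // keep any query component the provider already put on the endpoint
	q.Set("id_token_hint", idToken)
	q.Set("post_logout_redirect_uri", postLogoutRedirect)
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	u, err := logoutURL([]byte(sampleMetadata), "constructed.id.token", "https://rp.example.test/signed-out", "xyz")
	fmt.Println(u, err)
}
```

A provider that omits the field yields `errNoEndSession`, which is the case where only the client's local session can be ended.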