goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Signing out of a single app does not sign out #5427

Closed electrofloat closed 1 year ago

electrofloat commented 1 year ago

Describe the bug It seems that visiting app.domain.tld/outpost.goauthentik.io/sign_out as described in the docs does not sign the user out of that single app (or I'm missing something). Although a page appears stating: [image]

but the 1st button goes back to the app page (which is currently empty, since blank://blank was used in App launch URL to hide it). 2nd button logs the user out of authentik completely (which is not what I want, I only want to log the user out from the current app). 3rd button would like to go to the blank://blank url, which obviously does not exist.

Then just going to the url app.domain.tld again, the user is already logged in.

To Reproduce Steps to reproduce the behavior:

  1. Create an app in Applications->Applications
  2. Create a Forward auth (single application) provider in Applications->Providers
  3. Use the generated nginx config (because nginx is the rev proxy in this case) don't forget to update the generated config here:
    location /outpost.goauthentik.io {
        proxy_pass              http://auth.domain.com/outpost.goauthentik.io;

    because it generates the domain authentik is accessed on, but with this, nginx can have many kinds of issues, so it needs to be replaced with its internal ip:port (it probably could be left alone but then authentik's reverse proxy configuration needs some adjustments)

  4. Visit app.domain.com to login
  5. Visit app.domain.com/outpost.goauthentik.io/sign_out to logout
  6. Visit app.domain.com again
  7. You are already logged in without needing to enter user/pass

Expected behavior The user is logged out of the current single app, and next time it goes back to that url, authentik asks for user/pass again.


electrofloat commented 1 year ago

What I noticed is that after "signing out" and going back to the same site, the request url first becomes: https://app.domain.tld/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=2322abdabs134235 and in the request headers the browser sends the same cookie it got in the first place (which is ok, if the cookie got invalidated with the "sign_out"). The cookie starts with: authentik_proxy_

But then in the response header a new Set-Cookie arrives which also starts with authentik_proxy_ and Location header which redirects back to https://app.domain.tld.

I think that Set-Cookie header should not arrive, and instead a redirection should take place again for authentication.
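Added example, not code from this issue or from the authentik project: an offline checker that walks a captured browser trace through the reproduction steps above (login, sign_out, revisit) and flags the cookie behaviour described in this comment, namely a callback re-issuing an authentik_proxy_ cookie and the app answering 200 without the user having submitted credentials again. The outpost paths and cookie prefix are taken from the report; the hosts, cookie values and code parameter are constructed.

```python
from typing import Dict, List, Tuple

COOKIE_PREFIX = "authentik_proxy_"                 # cookie name prefix seen in the report
SIGN_OUT_PATH = "/outpost.goauthentik.io/sign_out"
CALLBACK_PATH = "/outpost.goauthentik.io/callback"

# One exchange: (method, request path, response status, response headers);
# header values are lists because Set-Cookie may repeat.
Exchange = Tuple[str, str, int, Dict[str, List[str]]]

def proxy_cookies_set(headers: Dict[str, List[str]]) -> List[str]:
    """Names of authentik_proxy_* cookies issued by this response's Set-Cookie headers."""
    names = [v.split("=", 1)[0].strip() for v in headers.get("Set-Cookie", [])]
    return [n for n in names if n.startswith(COOKIE_PREFIX)]

def audit_sign_out(trace: List[Exchange]) -> List[str]:
    """Return findings for a sign_out that did not end the proxy session.

    Expected per the report: after sign_out, the next visit to the app must lead
    to a credential prompt (modelled here as a POST to the login flow) before the
    callback may issue a new proxy cookie and the app root may answer 200 again.
    """
    findings: List[str] = []
    signed_out = False
    credentials_posted = False
    for i, (method, path, status, headers) in enumerate(trace):
        if path.startswith(SIGN_OUT_PATH):
            signed_out, credentials_posted = True, False
            continue
        if not signed_out:
            continue
        if method == "POST":                       # the user really logged in again
            credentials_posted = True
        reissued = proxy_cookies_set(headers)
        if path.startswith(CALLBACK_PATH) and reissued and not credentials_posted:
            findings.append(f"exchange {i}: callback re-issued {reissued} without a new login")
        if path == "/" and status == 200 and not credentials_posted:
            findings.append(f"exchange {i}: app root served 200 after sign_out without a new login")
    return findings

# Constructed trace mirroring the report: sign_out, revisit, silent callback, app served.
SILENT_RELOGIN: List[Exchange] = [
    ("GET", "/", 200, {}),
    ("GET", SIGN_OUT_PATH, 200, {}),
    ("GET", "/", 302, {"Location": ["https://auth.example.test/"]}),          # constructed host
    ("GET", CALLBACK_PATH + "?X-authentik-auth-callback=true&code=CONSTRUCTED", 302,
     {"Set-Cookie": ["authentik_proxy_app=newvalue; Path=/; HttpOnly"],       # constructed value
      "Location": ["https://app.example.test/"]}),
    ("GET", "/", 200, {}),
]

if __name__ == "__main__":
    for finding in audit_sign_out(SILENT_RELOGIN):
        print(finding)
```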

electrofloat commented 1 year ago

It also seems that the single-app forward auth does not work at all with the provided nginx config. I've created 2 sample apps, with 2 forward auth single app providers, with two different external urls, and logging in on one of them, logs me in on the other too with the same user.

authentik-automation[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

theyo-tester commented 7 months ago

Hi all! I can reproduce this issue as well. Why should this not be fixed?! I am using version 2023.10.7, no difference in behavior

The only config difference from your case, @electrofloat, is that I defined an App launch URL (or no url at all, as this should be automatically retrieved based on the documentation). But this is not relevant here, it behaves the same as you described it in the initial post! So technically right now it is only possible to log out from all applications, am I correct? Maybe this topic is also related to these issues?: https://github.com/goauthentik/authentik/issues/4999 https://github.com/goauthentik/authentik/issues/2023 https://github.com/goauthentik/authentik/issues/3471 << I have added further information about this issue here as I saw that question to be still open