istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

Single Sign-on issue: loading previous user Session #259

Open fayaz-net opened 5 months ago

fayaz-net commented 5 months ago

Hi there, I have the below SSO scenario for which Auth Service is not behaving as expected. Probably I am missing some configuration or something else.

In the same browser

  1. UserA logs into Relying Party application "App1" using OIDC authentication
  2. UserA clicks on a link in App1 to redirect to another app "App2", which uses the same OIDC authentication and has AuthService configured
  3. App2 is loaded for UserA without prompting for credentials
  4. UserA logs out from App1
  5. UserB logs in to App1 (please note: in the same browser session)
  6. UserB clicks on the link in App1 to redirect to App2
  7. App2 is loaded for UserA instead of UserB

How do we notify AuthService to remove the previous user session in the above scenario? Please let me know if you need more details. Thanks.

sergicastro commented 5 months ago

Hi @fayaz-net!

The Authservice needs to react to the logout request in order to clean up sessions. Did you configure logout in your oidc filter?

In addition, if your OIDC provider provides a logout endpoint you can configure the endpoint in the LogoutConfig so that when a logout is performed in your app it will be performed in the OIDC provider too. If you are using configuration_uri to configure the OIDC endpoints and the OIDC provider provides an end_session_endpoint you still need to provide at least logout.path in order to tell the Authservice when a request must start the logout flow.

I hope this helps, if it doesn't feel free to share your configs and logs.
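As an added illustration of the two settings named above (this is not configuration from the issue author or from the project's own docs): an Authservice oidc filter for App2 that uses configuration_uri for discovery and declares a logout path, so that a logout request hitting App2 through the sidecar clears the Authservice session instead of leaving UserA's session for UserB to inherit. Host names, client credentials, cookie prefix and paths are placeholders; the redirect_uri is shown pointing at the provider's logout endpoint, which is one of the choices the comment above describes.

```json
{
  "listen_address": "127.0.0.1",
  "listen_port": "10003",
  "log_level": "info",
  "threads": 8,
  "chains": [
    {
      "name": "app2_chain",
      "filters": [
        {
          "oidc": {
            "configuration_uri": "https://idp.example.com/.well-known/openid-configuration",
            "callback_uri": "https://app2.example.com/oauth/callback",
            "client_id": "app2-client-id-placeholder",
            "client_secret": "app2-client-secret-placeholder",
            "scopes": ["openid"],
            "cookie_name_prefix": "app2",
            "id_token": {
              "preamble": "Bearer",
              "header": "Authorization"
            },
            "logout": {
              "path": "/logout",
              "redirect_uri": "https://idp.example.com/logout?redirect_uri=https://app1.example.com/"
            }
          }
        }
      ]
    }
  ]
}
```

The logout path only helps if a request to it actually reaches App2's sidecar when the user signs out, so App1's logout step must also drive the browser to App2's /logout; otherwise the Authservice never observes a logout for App2 and the stale session persists.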