omniauth / omniauth_openid_connect

MIT License

Destroy session when logging out #178

Closed kghandour closed 3 months ago

kghandour commented 5 months ago

Currently there is a problem that occurs when having multiple tabs opened, and when logging out of one tab, the session does not get destroyed. This results in the other tabs using the old session which might be a security issue.

davidwessman commented 5 months ago

Sounds reasonable!

Could you add some tests?

kghandour commented 4 months ago

After I did some research, it seems that this is not really the best idea. According to Microsoft for example: https://learn.microsoft.com/en-us/answers/questions/60633/azure-ad-openid-connect-post-logout-redirect-uri-w

If there is no session, no redirects happen, but if there is a session, AAD does redirect the user to the post_redirect_uri as mentioned in the request.

This means that this could be a breaking change and thus I would not recommend it anymore. Current best course of action in my opinion is to use the post_logout_redirect_uri to redirect to your service and destroy the session after a successful logout. Feel free to close the PR if you agree.
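Added example of the approach recommended in the last comment (not code from this PR or from the omniauth_openid_connect gem): the app sends the browser to the OP's end_session endpoint with a post_logout_redirect_uri, and only clears its own session when the OP redirects back with the matching state. The endpoint and redirect URLs, the session hash and the `LogoutFlow` class are all assumed for illustration.

```ruby
require "securerandom"
require "uri"

# Added example, not the gem's own code: a minimal RP-initiated logout flow.
# Session destruction happens on the return leg, after the OP has ended its
# session, which avoids the breaking behaviour discussed above.
class LogoutFlow
  # Hypothetical values; a real app reads these from discovery/config.
  END_SESSION_ENDPOINT = "https://op.example.test/oidc/logout"
  POST_LOGOUT_URI      = "https://rp.example.test/auth/logged_out"

  # session is a plain Hash standing in for the Rails session store
  def initialize(session)
    @session = session
  end

  # Step 1: build the OP logout URL. A random state is stored server-side
  # so the return redirect can be tied to this specific logout request.
  def start_logout
    state = SecureRandom.hex(16)
    @session[:logout_state] = state
    params = {
      "id_token_hint" => @session[:id_token],
      "post_logout_redirect_uri" => POST_LOGOUT_URI,
      "state" => state
    }.compact
    "#{END_SESSION_ENDPOINT}?#{URI.encode_www_form(params)}"
  end

  # Step 2: handle the OP's redirect back. Destroy the whole session only
  # if the state matches; otherwise leave it untouched and report failure,
  # so an unsolicited request to this URL cannot log the user out.
  def finish_logout(returned_state)
    expected = @session[:logout_state]
    return false if expected.nil? || returned_state.nil?
    return false unless secure_compare(expected, returned_state)
    @session.clear # drops id_token, user id and logout_state together
    true
  end

  private

  # Constant-time comparison so the state check does not leak via timing
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```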