omniauth / omniauth_openid_connect

MIT License
170 stars 187 forks source link

Destroy session when logging out #178

Closed kghandour closed 4 months ago

kghandour commented 6 months ago

Currently there is a problem that occurs when having multiple tabs opened, and when logging out of one tab, the session does not get destroyed. This results in the other tabs using the old session which might be a security issue.

davidwessman commented 6 months ago

Sounds reasonable!

Could you add some test?

kghandour commented 6 months ago

After I did some research, it seems that this is not really the best idea. According to Microsoft for example: https://learn.microsoft.com/en-us/answers/questions/60633/azure-ad-openid-connect-post-logout-redirect-uri-w

If there is no session, no redirects happen, but if there is a session, AAD does redirect the user to the post_redirect_uri as mentioned in the request.

This means that this could be a breaking change and thus I would not recommend it anymore. Current best course of action in my opinion is to use the post_logout_redirect_uri to redirect to your service and destroy the session after a successful logout. Feel free to close the PR if you agree.