openanalytics / containerproxy

Manage HTTP proxy routes into Docker containers
Apache License 2.0

OIDC Logout Route for Okta Not Supported #56

Closed k----n closed 2 years ago

k----n commented 3 years ago

The logout route for Okta OIDC requires the logout token.

LEDfan commented 3 years ago

Hi @k----n

I can indeed see from the documentation that providing the ID token is required for Okta. I saw your PR, first of all thanks for your contribution! The only problem I see is that this contribution is quite specific to Okta. As we want to support many authentication providers, I would prefer a more generic solution over a provider-specific solution. Therefore I wonder whether we should enable SpEL support on the logout property. Together with another upcoming change to our SpEL functionality, this would allow you to provide the following configuration:

proxy:
  authentication: openid
  openid:
    logout-url: https://okta.com/logout?id_token_hint=#{oidcUser.idToken.tokenValue}&post_logout_redirect_uri=my_redirect_uri

The ID token is then automatically filled in. When this change is implemented, we don't have to change ShinyProxy again when another provider requires some other parameters (or another name for the ID token).

What do you think?

k----n commented 3 years ago

Perfect, if SpEL is enabled that could also work!

LEDfan commented 2 years ago

ShinyProxy 2.6.0 (ContainerProxy 0.8.10) now supports SpEL in the logout property.

Thank you for the suggestion!
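
How a `#{...}` placeholder in a logout URL like the one discussed in this thread gets resolved, as an added example using Spring's SpEL template parser; it is not part of the thread and not ContainerProxy's own code. The `Root`, `OidcUser` and `IdToken` classes, the `idp.example` and `app.example` URLs and the token value are constructed stand-ins, and `spring-expression` is assumed to be on the classpath.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class LogoutUrlTemplateDemo {

    // Constructed stand-ins for the objects the template navigates.
    public static class IdToken {
        private final String tokenValue;
        public IdToken(String tokenValue) { this.tokenValue = tokenValue; }
        public String getTokenValue() { return tokenValue; }
    }

    public static class OidcUser {
        private final IdToken idToken;
        public OidcUser(IdToken idToken) { this.idToken = idToken; }
        public IdToken getIdToken() { return idToken; }
    }

    // Root object: bare names inside #{...} resolve against its properties.
    public static class Root {
        private final OidcUser oidcUser;
        public Root(OidcUser oidcUser) { this.oidcUser = oidcUser; }
        public OidcUser getOidcUser() { return oidcUser; }
    }

    // Text outside #{...} is copied literally; only the placeholders are evaluated.
    static String resolve(String template, Object root) {
        Expression expr = new SpelExpressionParser()
                .parseExpression(template, new TemplateParserContext());
        return expr.getValue(new StandardEvaluationContext(root), String.class);
    }

    public static void main(String[] args) {
        // Constructed template; the redirect URI is percent-encoded by hand.
        String template = "https://idp.example/logout"
                + "?id_token_hint=#{oidcUser.idToken.tokenValue}"
                + "&post_logout_redirect_uri=https%3A%2F%2Fapp.example%2F";
        // Constructed token value, not a real JWT.
        Root root = new Root(new OidcUser(new IdToken("aaa.bbb.ccc")));
        System.out.println(resolve(template, root));
    }
}
```

The template is evaluated as an expression, so it should only ever come from the administrator's configuration file, and the resolved URL carries the ID token in its query string.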