Open JammingBen opened 2 years ago
I'm having problems with the approach because the logout hook is basically fired all the time when using a client. E.g. when using Web, the hook gets called multiple times when authorizing the first time. Then, when navigating in Web, each action calls the logout again. I traced this down to some legacy code; unfortunately, this is where my oC10/auth knowledge ends.
@DeepDiver1975 Maybe you have a clue on what's going on here or a different idea to approach this issue?
What about adding a logout route to the oauth app.
Not sure if I understand correctly, but such a route already exists: https://github.com/owncloud/oauth2/blob/master/lib/Controller/PageController.php#L338. The problem still persists: when do we call/redirect to this route? It would need to be called from core, which is a dependency to the oauth2 app that we don't want, I assume.
Logout needs to invalidate the access token .... .... Not too deep into the code base .... 🤷
Let me explain more into depth:
overview over openid logout mechanisms: https://curity.io/resources/learn/openid-connect-logout/
which to choose is a task on its own ..... finally we don't want to reimplement a full openid idp in the oauth2 app .... there has ever since been the idea to fully go into the direction of openid and abandon oauth ........
How could one call this route with curl or Postman? Would it log the user out? This seems like an urgent need while the fancy config option and openid logout mechanisms are fleshed out; some of us need a quick programmatic way, otherwise Web is completely broken.
The idea is to have a setting per client that determines if all tokens for this client (and user) should be removed on user logout. Hence we implemented a new flag invalidateOnLogout that can be set per client. Then we hook onto the logout event and simply remove all the tokens for this user which are connected to a client that has invalidateOnLogout set to true.

Motivation/Context
Let's say you have Web running via oauth and log out of oC10. Currently, you will still be logged in in Web because the tokens are not being invalidated.
Fixes https://github.com/owncloud/web/issues/7018
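To make the described mechanism concrete, here is an added Python model of the per-client invalidateOnLogout flag and the logout hook. It is not code from the oauth2 app; the TokenStore, Client and Token names and the in-memory token table are assumptions, and the hook is written to be idempotent so that the repeated firing JammingBen observed only deletes tokens once.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    """A registered OAuth2 client; invalidate_on_logout mirrors the PR's per-client flag."""
    client_id: str
    invalidate_on_logout: bool = False


@dataclass
class Token:
    value: str
    user_id: str
    client_id: str


class TokenStore:
    """Hypothetical in-memory store standing in for the oauth2 app's token table."""

    def __init__(self, clients):
        self.clients = {c.client_id: c for c in clients}
        self.tokens = {}

    def issue(self, value, user_id, client_id):
        self.tokens[value] = Token(value, user_id, client_id)

    def is_valid(self, value):
        # Resource access must consult the store, otherwise revocation has no effect.
        return value in self.tokens

    def on_logout(self, user_id):
        """Handler for the core logout event: drop this user's tokens for every
        client flagged invalidate_on_logout. Returns the number removed.
        Calling it again for the same user removes nothing, so repeated
        firing of the hook is harmless."""
        doomed = [v for v, t in self.tokens.items()
                  if t.user_id == user_id
                  and self.clients.get(t.client_id, Client(t.client_id)).invalidate_on_logout]
        for v in doomed:
            del self.tokens[v]
        return len(doomed)


def demo():
    # Constructed sample: Web is flagged, the desktop client is not.
    store = TokenStore([Client("web", True), Client("desktop", False)])
    store.issue("tok-web-alice", "alice", "web")
    store.issue("tok-desk-alice", "alice", "desktop")
    store.issue("tok-web-bob", "bob", "web")
    removed = store.on_logout("alice")
    return (removed, store.is_valid("tok-web-alice"), store.is_valid("tok-desk-alice"),
            store.is_valid("tok-web-bob"), store.on_logout("alice"))
```

Only alice's Web token is removed; her desktop token and bob's Web token survive, and a second logout call is a no-op.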