pfzetto / axum-oidc

An OpenID Connect Client Library for axum
https://crates.io/crates/axum-oidc
22 stars 7 forks

session isn't cleared on logout #10

Closed pfzetto closed 6 months ago

pfzetto commented 6 months ago

Currently the AuthenticatedSession isn't cleared on logout until it expires. Fixing this error is a bit more complicated because we don't know if the user got redirected to the logout url of the oidc issuer. I think that there are some options to fix this error:

  1. add a `clear_session` function to `OidcLogout` to give the end user control over this behavior. This requires the developer of the downstream application to know and use this function when the user gets redirected.
  2. delete the `IdToken` from the session when `OidcLogout` is extracted from a request. If the user isn't logged out, the refresh token can be used to refresh the id token. This will cause a noticeable latency increase if `OidcLogout` is extracted on a "main" route (for example to get the logout url for a logout button in the header of the page; this could be prevented using a dedicated logout route) because the oidc issuer needs to reissue the id token.
  3. remove the `url` function from `OidcLogout` and implement a responder that has to be used to log out. We can then remove the session if `into_response_parts` is called on `OidcLogout`.

Currently I like option 3 the most but I'm happy for any opinion on this issue.

This issue was first reported in #9.
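The difference between option 2 (clear on extraction) and option 3 (clear only when the logout response is produced), modelled as an added dependency-free example that is not axum-oidc's code; `Session`, `extract_option2`, `extract_option3`, the status/location tuple and the issuer URL are stand-ins constructed for the illustration:

```rust
// Added example, not code from axum-oidc: a toy session store and a toy
// `OidcLogout` responder show when the id token disappears under option 2
// versus option 3 of the issue. All names and values here are constructed.
use std::collections::HashMap;

/// Minimal stand-in for the server-side session (constructed for the example).
#[derive(Default, Debug)]
pub struct Session {
    data: HashMap<&'static str, String>,
}

impl Session {
    pub fn new(id_token: &str) -> Self {
        let mut s = Session::default();
        s.data.insert("id_token", id_token.to_string());
        s
    }
    pub fn id_token(&self) -> Option<&str> {
        self.data.get("id_token").map(String::as_str)
    }
    pub fn clear(&mut self) {
        self.data.clear();
    }
}

/// Stand-in for the responder sketched in option 3: it carries the issuer's
/// end-session URL and clears the session only when turned into a response.
pub struct OidcLogout {
    pub logout_url: String,
}

/// Option 2: merely extracting the logout helper (e.g. to render a header
/// button) already drops the id token, forcing a refresh on the next request.
pub fn extract_option2(session: &mut Session) -> OidcLogout {
    session.data.remove("id_token");
    OidcLogout { logout_url: "https://issuer.example/logout".to_string() }
}

/// Option 3: extraction leaves the session untouched; nothing is lost when
/// the helper is only used to build a link.
pub fn extract_option3(_session: &Session) -> OidcLogout {
    OidcLogout { logout_url: "https://issuer.example/logout".to_string() }
}

impl OidcLogout {
    /// The session is cleared here, i.e. exactly when the user is actually
    /// redirected to the issuer's logout endpoint (status, Location).
    pub fn into_response_parts(self, session: &mut Session) -> (u16, String) {
        session.clear();
        (303, self.logout_url)
    }
}
```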