pulsejet / nextcloud-oidc-login

Nextcloud login via a single OpenID Connect 1.0 provider
https://apps.nextcloud.com/apps/oidc_login
GNU Affero General Public License v3.0

Implement backchannel logout #188

Open PrivatePuffin opened 1 year ago

PrivatePuffin commented 1 year ago

A recent addition to the jumbojett PHP OpenID Connect library added back-channel logout. This is a huge win, as it would allow single logout when hitting the logout button on Nextcloud when implemented.

Two things required:

azmeuk commented 1 year ago

> This is a huge win, as it would allow single logout when hitting the logout button on Nextcloud when implemented.

Isn't it the other way around?

The doc from OIDC-PHP:

> Back-channel authentication assumes you can end a session on the server side on behalf of the user (without relying on their browser). The request is a POST from the OP direct to your RP. In this way, the use of this library can ensure your RP performs 'single sign out' for the user even if they didn't have your RP open in a browser or other device, but still had an active session there.

Here the RP (Relying Party) is Nextcloud and the OP (OpenID Provider) is Keycloak, Auth0, etc.

I am not very familiar with how Nextcloud manages sessions, but I suppose this could be tackled somehow. Are you interested in providing a PR?

> look if another option needs to be added to config.yml

What config.yml file are you referring to?
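
The RP side of the exchange the quoted doc describes, as an added example that is not code from this app or from the OIDC-PHP library: the OP POSTs a logout token, and the RP must verify that token before it ends any session, otherwise any unauthenticated POST to the endpoint could log users out. The HS256 signing helper, the shared key and the in-memory session table are constructed for the demo; a real OP signs with RS256 and the RP verifies against the OP's JWKS instead.

```python
import base64, hashlib, hmac, json, time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_logout_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 signer standing in for the OP (a real OP signs RS256 with a JWKS key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_logout_token(token: str, key: bytes, issuer: str, client_id: str, now=None) -> dict:
    """Logout token checks from OIDC Back-Channel Logout 1.0 section 2.6; ValueError on any failure."""
    header, body, sig = token.split(".")  # raises ValueError on a malformed token
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")  # an unsigned or forged POST must never end a session
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + 60:
        raise ValueError("missing or future iat")
    if BACKCHANNEL_EVENT not in (claims.get("events") or {}):
        raise ValueError("not a logout token")  # rejects an ID token replayed at this endpoint
    if "sid" not in claims and "sub" not in claims:
        raise ValueError("sid or sub required")
    if "nonce" in claims:
        raise ValueError("nonce must be absent")
    return claims

def handle_backchannel_logout(token, key, issuer, client_id, sessions: dict, now=None) -> list:
    """Ends every local session tied to the token's sid (or to sub when no sid); returns their ids."""
    claims = validate_logout_token(token, key, issuer, client_id, now)
    ended = [s for s, v in sessions.items()
             if v["sid"] == claims.get("sid") or ("sid" not in claims and v["sub"] == claims["sub"])]
    for s in ended:
        del sessions[s]  # constructed store: session id -> {"sid": OP session id, "sub": user}
    return ended
```

Mapping the OP's `sid` to local sessions is the part the RP has to provide itself, which is why Nextcloud's session handling is the open question in this issue.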

PrivatePuffin commented 1 year ago

> > This is a huge win, as it would allow single logout when hitting the logout button on Nextcloud when implemented.
>
> Isn't it the other way around?
>
> The doc from OIDC-PHP:
>
> > Back-channel authentication assumes you can end a session on the server side on behalf of the user (without relying on their browser). The request is a POST from the OP direct to your RP. In this way, the use of this library can ensure your RP performs 'single sign out' for the user even if they didn't have your RP open in a browser or other device, but still had an active session there.
>
> Here the RP (Relying Party) is Nextcloud and the OP (OpenID Provider) is Keycloak, Auth0, etc.
>
> I am not very familiar with how Nextcloud manages sessions, but I suppose this could be tackled somehow. Are you interested in providing a PR?
>
> > look if another option needs to be added to config.yml
>
> What config.yml file are you referring to?

Correct, it would log out Nextcloud when other services log out.

Though, currently, SLO when hitting logout on Nextcloud is also not working correctly…

PrivatePuffin commented 1 year ago

I'm already a maintainer on multiple projects and stretched as-is. I will, most likely, not send in a PR. I do not have the time to familiarise myself with yet another codebase.

azmeuk commented 1 year ago

> Though, currently, SLO when hitting logout on Nextcloud is also not working correctly…

This looks like another subject. Could you open another ticket and describe the behavior you see?

> I will, most likely, not send in a PR. I do not have the time to familiarise myself with yet another codebase.

Fair enough. This probably won't be implemented until someone sends a patch though.