oneonestar
commented
5 months ago DEX Idp also doesn't implement it: https://github.com/dexidp/dex/issues/1697
In SSO(single sign on) system, after a user click the Log Out button on an application, there are different implementations:
- Invalidate session for this application only.
- Invalidate session for this application and logout from all systems using SSO.
- Others (see: https://security.stackexchange.com/questions/116039/sso-what-should-happen-when-the-user-clicks-log-out )
Which one to use should be determined by the organization. Admin will then enforce it for all applications.
IMO, Trino should allow admin to choose what it means when a user click the Log Out button.
I propose to make end_session_endpoint optional with docs updates to explain the behavior.
@Praveen2112 What do you think?
mosabua
https://github.com/trinodb/trino/blob/50221eba3681cad19f2eea5ef3add8558e8e3e63/core/trino-main/src/main/java/io/trino/server/security/oauth2/OidcDiscovery.java#L118
If you set
http-server.authentication.oauth2.oidc.discovery=trueand your Authorization Server does not return aend_session_endpointvalue you will get the error:Invalid response from OpenID Metadata endpoint. Missing required "end_session_endpoint" propertyWhile I am unsure if the OpenID Connect RP-Initiated Logout 1.0 specification is required for a minimum compliant implementation of OpenID Connect, quite a lot of OAuth providers e.g. Google, do not implement it / provide a
end_session_endpointvalue: https://accounts.google.com/.well-known/openid-configuration