Open Tomme opened 7 months ago
DEX Idp also doesn't implement it: https://github.com/dexidp/dex/issues/1697
In an SSO (single sign-on) system, after a user clicks the Log Out button on an application, there are different implementations:
Which one to use should be determined by the organization. Admin will then enforce it for all applications.
IMO, Trino should allow the admin to choose what it means when a user clicks the Log Out button.
I propose to make end_session_endpoint optional, with docs updates to explain the behavior.
@Praveen2112 What do you think?
Maybe @dain or @electrum can chime in here
https://github.com/trinodb/trino/blob/50221eba3681cad19f2eea5ef3add8558e8e3e63/core/trino-main/src/main/java/io/trino/server/security/oauth2/OidcDiscovery.java#L118
If you set http-server.authentication.oauth2.oidc.discovery=true and your Authorization Server does not return an end_session_endpoint value, you will get the error: Invalid response from OpenID Metadata endpoint. Missing required "end_session_endpoint" property
While I am unsure if the OpenID Connect RP-Initiated Logout 1.0 specification is required for a minimum compliant implementation of OpenID Connect, quite a lot of OAuth providers, e.g. Google, do not implement it / provide an end_session_endpoint value: https://accounts.google.com/.well-known/openid-configuration
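As an added illustration of the behaviour discussed in this thread (example code, not Trino's OidcDiscovery implementation): a discovery-document parser that enforces only the fields OpenID Connect Discovery 1.0 marks REQUIRED, checks the issuer, and treats end_session_endpoint as optional, so a provider that omits it (as Google's metadata does) still works and logout falls back to ending the application session only. The provider URLs and the sample document are constructed.

```python
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode
# Fields OpenID Connect Discovery 1.0 lists as REQUIRED; end_session_endpoint
# (defined by RP-Initiated Logout 1.0) is deliberately not among them.
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Constructed discovery document for a hypothetical provider with no end_session_endpoint.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

@dataclass(frozen=True)
class OidcMetadata:
    issuer: str
    authorization_endpoint: str
    token_endpoint: str
    jwks_uri: str
    end_session_endpoint: Optional[str]  # None when the provider omits it

def parse_discovery(document: str, expected_issuer: str) -> OidcMetadata:
    """Reject documents missing REQUIRED fields; tolerate a missing end_session_endpoint."""
    data = json.loads(document)
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"Invalid OpenID Metadata: missing required {missing}")
    # Discovery 1.0 requires the issuer in the document to equal the issuer that was queried.
    if data["issuer"] != expected_issuer:
        raise ValueError("issuer mismatch in OpenID Metadata")
    for f in ("authorization_endpoint", "token_endpoint", "jwks_uri", "end_session_endpoint"):
        if f in data and not str(data[f]).startswith("https://"):
            raise ValueError(f"{f} must be an https URL")
    return OidcMetadata(data["issuer"], data["authorization_endpoint"], data["token_endpoint"],
                        data["jwks_uri"], data.get("end_session_endpoint"))

def logout_url(meta: OidcMetadata, id_token_hint: str, post_logout_uri: str) -> Optional[str]:
    if meta.end_session_endpoint is None:
        return None  # no provider logout endpoint: the app clears only its own session
    query = urlencode({"id_token_hint": id_token_hint, "post_logout_redirect_uri": post_logout_uri})
    return f"{meta.end_session_endpoint}?{query}"
```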