Open volkan64 opened 4 years ago
@funkyferdy Did you solve this? I could think of either:
What about backchannel-ing the logout request? For more information, see:
Missed this question :)
> checking session validity with each page call, definitely inefficient

Well, this is one of the ways that, for example, WSO2 uses to "synchronise" the session:
https://medium.com/@piraveenaparalogarajah/openid-connect-session-management-dc6a65040cc
https://medium.com/@piraveenaparalogarajah/openid-connect-session-management-support-in-wso2-is-8935d80b6437
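The OIDC Session Management mechanism linked above works without the RP calling the OP on every page: the OP returns a `session_state` value at login, and an RP iframe periodically posts `"client_id session_state"` to the OP's `check_session_iframe`, which answers `changed`, `unchanged` or `error`. The following Python simulation of both sides is an added example, not code from this extension or from WSO2; `CLIENT_ID`, `RP_ORIGIN`, the `opbs` cookie values and the function names are constructed for the demo, and the hashing recipe is the example one from the Session Management spec.

```python
import hashlib
import hmac
import secrets

# Constructed values for the demo (not from any real deployment).
CLIENT_ID = "typo3-frontend"
RP_ORIGIN = "https://www.example.test"


def compute_session_state(client_id, origin, opbs, salt):
    """OP side: derive session_state from the OP browser state (opbs) cookie.
    Recipe from the OIDC Session Management 1.0 example:
    sha256(client_id + " " + origin + " " + opbs + " " + salt) + "." + salt"""
    digest = hashlib.sha256(f"{client_id} {origin} {opbs} {salt}".encode()).hexdigest()
    return f"{digest}.{salt}"


def op_issue_session_state(client_id, origin, opbs):
    """At login the OP returns session_state next to the code / id_token."""
    return compute_session_state(client_id, origin, opbs, secrets.token_hex(8))


def op_check_session(message, origin, opbs_cookie):
    """OP iframe: answer the RP's postMessage "client_id session_state".
    The only replies the spec allows are 'changed', 'unchanged' and 'error'."""
    try:
        client_id, session_state = message.split(" ", 1)
        _, salt = session_state.split(".", 1)
    except ValueError:
        return "error"                       # malformed message
    if opbs_cookie is None:
        return "changed"                     # OP session gone (OP logout cleared the cookie)
    expected = compute_session_state(client_id, origin, opbs_cookie, salt)
    return "unchanged" if hmac.compare_digest(expected, session_state) else "changed"


def rp_poll(stored_session_state, opbs_cookie, client_id=CLIENT_ID, origin=RP_ORIGIN):
    """RP iframe: what the TYPO3-side script would do on each poll.
    The browser carries the opbs cookie to the OP iframe; here it is passed in."""
    reply = op_check_session(f"{client_id} {stored_session_state}", origin, opbs_cookie)
    if reply == "changed":
        # Typical RP reaction: re-authenticate with prompt=none and, if that
        # fails, drop the local (cookie) session as well.
        return "re-authenticate"
    if reply == "error":
        return "stop-polling"
    return "keep"


def demo():
    """Constructed scenario: login, OP logout, OP re-login, malformed state."""
    opbs = "op-browser-state-1"
    ss = op_issue_session_state(CLIENT_ID, RP_ORIGIN, opbs)
    return {
        "still_logged_in": rp_poll(ss, opbs),
        "after_op_logout": rp_poll(ss, None),
        "after_op_relogin": rp_poll(ss, "op-browser-state-2"),
        "malformed": rp_poll("garbage", opbs),
    }
```

The `after_op_relogin` case is the one that trips people up: the user is logged in at the OP again, but under a new OP browser state, so the RP still sees `changed` and must re-authenticate to get a fresh `session_state`.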
I think this heavily depends on what "vendor" is behind the identity server and on the version/features available in the solutions regarding this topic.
Related (other way) with #75
We solved this by adding additional columns to the fe_sessions table where we save the session_state from the OP after login. We then provide an API route for backchannel logout as suggested by @ChrisMuc that deletes the TYPO3 session with a matching session_state. For this, we had to create a new session backend (i.e. extend the existing session backend). I don't know if this should be part of the oidc extension though.
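For a backchannel logout route like the one described in this comment, the security-relevant part is validating the logout token before touching any session: it must be signature-checked and carry the right `iss`, `aud`, `iat`, the `backchannel-logout` event, a `sid` or `sub`, and no `nonce` (OIDC Back-Channel Logout 1.0). The Python below is an added example, not code from the extension or from this commenter's session backend. It substitutes HS256 with a shared secret for the OP's real asymmetric signature so it runs offline; `OP_SHARED_SECRET`, `EXPECTED_ISSUER`, `CLIENT_ID`, `SessionStore` (a stand-in for fe_sessions) and the session/sid values are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Event URI every OIDC logout token must carry in its "events" claim.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Hypothetical demo values. A real OP signs logout tokens with an asymmetric
# key (e.g. RS256) and the RP verifies against the OP's JWKS; HS256 with a
# shared secret is used here only to keep the example self-contained.
OP_SHARED_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://op.example.test"
CLIENT_ID = "typo3-frontend"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_logout_token(claims, secret=OP_SHARED_SECRET):
    """OP side (demo only): mint an HS256-signed logout token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_logout_token(token, now=None, secret=OP_SHARED_SECRET):
    """RP side: verify the signature, then the logout-token claim rules."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")      # never accept alg=none or a surprise alg
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60:
        raise ValueError("bad iat")
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("token expired")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a logout token")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise ValueError("missing backchannel-logout event")
    if "sid" not in claims and "sub" not in claims:
        raise ValueError("token must carry sid or sub")
    return claims


class SessionStore:
    """Stand-in for fe_sessions: each local session remembers the OP's sid and sub."""

    def __init__(self):
        self.sessions = {}      # local session id -> {"sub": ..., "sid": ...}
        self.seen_jti = set()   # replay protection for logout tokens

    def create(self, local_id, sub, sid):
        self.sessions[local_id] = {"sub": sub, "sid": sid}

    def backchannel_logout(self, token, now=None):
        """Handle POST /backchannel-logout; returns the local sessions terminated."""
        claims = validate_logout_token(token, now)
        jti = claims.get("jti")
        if jti is not None:
            if jti in self.seen_jti:
                raise ValueError("replayed logout token")
            self.seen_jti.add(jti)
        if "sid" in claims:
            # Most precise: end only the OP session that actually logged out.
            victims = [k for k, s in self.sessions.items() if s["sid"] == claims["sid"]]
        else:
            # No sid: the OP asks to end every session of that subject.
            victims = [k for k, s in self.sessions.items() if s["sub"] == claims["sub"]]
        for k in victims:
            del self.sessions[k]
        return sorted(victims)


def demo(now=1_700_000_000):
    """Constructed scenario: two browsers of one user; OP logs out one, then all."""
    store = SessionStore()
    store.create("typo3-sess-A", sub="user-42", sid="op-sid-1")
    store.create("typo3-sess-B", sub="user-42", sid="op-sid-2")
    base = {"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "iat": now,
            "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
    by_sid = make_logout_token({**base, "jti": "t1", "sid": "op-sid-1"})
    by_sub = make_logout_token({**base, "jti": "t2", "sub": "user-42"})
    result = {"by_sid": store.backchannel_logout(by_sid, now)}
    result["by_sub"] = store.backchannel_logout(by_sub, now)
    result["remaining"] = sorted(store.sessions)
    return result
```

Note that the spec's backchannel logout token identifies the OP session by `sid` (or the user by `sub`), which is a different value from the `session_state` used by the front-channel check; storing `sid` from the ID token next to the session is what lets the route delete exactly the right TYPO3 session.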
I think it makes sense to provide a generic logout-URL. Whether this can be used or not of course still depends on the IdP. Microsoft, for instance, supports logout URLs in the Client registration data.
If the user logs out from the OP (OpenID Provider), he is still logged in to TYPO3 (cookie). How to detect if the user is still logged in at the OpenID Provider?