zorn-v / nextcloud-social-login

GNU Affero General Public License v3.0

Logout with id_token_hint and post_logout_redirect_uri? #391

Open da-wilky opened 1 year ago

da-wilky commented 1 year ago

Hello everyone!

I've got a problem: I am using Keycloak as IDP and can log in etc. with it for Nextcloud. When logging out I need to confirm my logout on the Keycloak site. Also, redirect_uri is not working for me, not even with '*' in Valid post logout redirect uris in Keycloak. Keycloak writes about the old logout and the new logout mechanism:
https://github.com/keycloak/keycloak-documentation/blob/main/securing_apps/topics/oidc/java/logout.adoc
https://openid.net/specs/openid-connect-rpinitiated-1_0.html

That one works with post_logout_redirect_uri and id_token_hint. Is there any possibility to use this method to log out with your Nextcloud plugin? I can set the post_logout_redirect_uri GET param, but I cannot set that ID token ofc....

Hope somebody can help me, thank you for your time and effort! Have a good one :)

seyfeb commented 1 year ago

I would also like to see support for id_token_hint (if there is none).

However, you can keep using the post_logout_redirect_uri and add a second GET parameter named client_id, which is the ID of your OIDC client.

So in the Social Login plugin you may set the Logout URL (optional) field to something like https://cloud.domain.com/realms/myrealm/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2Fcloud.domain.com&client_id=nextcloud-client

I tested this at least for Keycloak; other providers may behave differently.
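
The logout URL discussed in this thread, as an added example that is not code from the Social Login plugin or from either commenter: it builds the percent-encoded URL for the Logout URL field and checks a configured URL for the parameter combinations mentioned above. The function names `build_logout_url` and `check_logout_url` are hypothetical, and the https requirement on the redirect target is an assumption of this sketch.

```python
from urllib.parse import urlencode, urlsplit, parse_qs


def build_logout_url(end_session_endpoint, post_logout_redirect_uri,
                     client_id=None, id_token_hint=None):
    """Build an RP-initiated logout URL with percent-encoded parameters."""
    # The provider needs to know which client the redirect URI belongs to.
    if not (client_id or id_token_hint):
        raise ValueError("post_logout_redirect_uri needs client_id or id_token_hint")
    target = urlsplit(post_logout_redirect_uri)
    # Assumption of this sketch: only absolute https targets are accepted.
    if target.scheme != "https" or not target.netloc:
        raise ValueError("post_logout_redirect_uri must be an absolute https URL")
    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    if client_id:
        params["client_id"] = client_id
    return end_session_endpoint + "?" + urlencode(params)


def check_logout_url(url):
    """Return a list of problems found in a configured logout URL."""
    problems = []
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # parse_qs also percent-decodes the values
    if parts.scheme != "https":
        problems.append("logout endpoint is not https")
    if "redirect_uri" in query:
        problems.append("redirect_uri is not an RP-initiated logout parameter")
    redirect = query.get("post_logout_redirect_uri", [""])[0]
    if redirect:
        target = urlsplit(redirect)
        if target.scheme != "https" or not target.netloc:
            problems.append("post_logout_redirect_uri is not an absolute https URL")
        if "client_id" not in query and "id_token_hint" not in query:
            problems.append("post_logout_redirect_uri without client_id or id_token_hint")
    return problems


if __name__ == "__main__":
    # Values taken from the example URL in the comment above.
    endpoint = "https://cloud.domain.com/realms/myrealm/protocol/openid-connect/logout"
    url = build_logout_url(endpoint, "https://cloud.domain.com",
                           client_id="nextcloud-client")
    print(url)
    print(check_logout_url(url))
```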