Skip to content

Always require confirmation of user logout in OIDC Logout#12048

Merged
mitchellhenke merged 1 commit intomainfrom
mitchellhenke/consistent-openid-logout
Apr 3, 2025
Merged

Always require confirmation of user logout in OIDC Logout#12048
mitchellhenke merged 1 commit intomainfrom
mitchellhenke/consistent-openid-logout

Conversation

@mitchellhenke
Copy link
Contributor

@mitchellhenke mitchellhenke commented Apr 2, 2025

🎫 Ticket

Link to the relevant ticket:
!159

🛠 Summary of changes

Following #6936 and #7017, we added support for the OpenID Logout client_id parameter as a step to deprecating the id_token_hint parameter. Part of the OpenID Connect RP-Initiated Logout 1.0 includes:

Logout requests without a valid id_token_hint value are a potential means of denial of service; therefore, OPs should obtain explicit confirmation from the End-User before acting upon them.

At the Logout Endpoint, the OP SHOULD ask the End-User whether to log out of the OP as well. Furthermore, the OP MUST ask the End-User this question if an id_token_hint was not provided or if the supplied ID Token does not belong to the current OP session with the RP and/or currently logged in End-User. If the End-User says "yes", then the OP MUST log out the End-User.

Currently, we require user confirmation for the former case when the request is not using id_token_hint, and requests using the deprecated id_token_hint do not. This behavior is both inconsistent and does not meet the SHOULD recommendation from the specification.

This PR changes the behavior so that users need to confirm they want to be logged out before they are logged out.

@mitchellhenke mitchellhenke requested a review from Sgtpluck April 2, 2025 19:35
Always require confirmation of user logout in OIDC Logout
b09ad0b 
changelog: Bug Fixes, OpenID Connect, Always require confirmation of user logout
@mitchellhenke mitchellhenke force-pushed the mitchellhenke/consistent-openid-logout branch from a8c909f to b09ad0b Compare April 3, 2025 15:22
Sgtpluck
Sgtpluck reviewed Apr 3, 2025
View reviewed changes
app/controllers/openid_connect/logout_controller.rb
@params = {
client_id: logout_params[:client_id],
post_logout_redirect_uri: logout_params[:post_logout_redirect_uri],
id_token_hint: logout_params[:id_token_hint],
Copy link
Contributor

@Sgtpluck Sgtpluck Apr 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[question]is there anything to worry about including the id_token_hint in the logout params?

Copy link
Contributor Author

@mitchellhenke mitchellhenke Apr 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. It should be ok in the params since they're being submitted as a POST request via a form.

Sgtpluck
Sgtpluck approved these changes Apr 3, 2025
View reviewed changes
Copy link
Contributor

@Sgtpluck Sgtpluck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code looks good, just a general question about the inclusion of the id_token_hint param

@mitchellhenke mitchellhenke merged commit 077e874 into main Apr 3, 2025
1 check passed
@mitchellhenke mitchellhenke deleted the mitchellhenke/consistent-openid-logout branch April 3, 2025 21:35
@eileen-nava eileen-nava mentioned this pull request Apr 8, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Sgtpluck Sgtpluck Sgtpluck approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mitchellhenke @Sgtpluck