- 
                Notifications
    You must be signed in to change notification settings 
- Fork 2k
Implement OIDC front channel logout NGINX directives #8340
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
| Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@            Coverage Diff             @@
##             main    #8340      +/-   ##
==========================================
+ Coverage   53.27%   53.36%   +0.08%     
==========================================
  Files          91       91              
  Lines       22375    22387      +12     
==========================================
+ Hits        11921    11947      +26     
+ Misses       9941     9930      -11     
+ Partials      513      510       -3     ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
 | 
| Package Report
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx, 1.29.1-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-module-njs, 1.29.1+0.9.1-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-module-otel, 1.29.1+0.1.2-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-agent, 3.3.2~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx, 1.29.1-1~bookworm, arm64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-module-njs, 1.29.1+0.9.1-1~bookworm, arm64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-module-otel, 1.29.1+0.1.2-1~bookworm, arm64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-agent, 3.3.2~bookworm, arm64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus, 35-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-njs, 35+0.9.1-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-otel, 35+0.1.2-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-fips-check, 35+0.1-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-agent, 3.3.2~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus, 35-1~bookworm, arm64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-njs, 35+0.9.1-1~bookworm, arm64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-otel, 35+0.1.2-1~bookworm, arm64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-fips-check, 35+0.1-1~bookworm, arm64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-agent, 3.3.2~bookworm, arm64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus, 35-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-njs, 35+0.9.1-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-otel, 35+0.1.2-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-fips-check, 35+0.1-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-appprotect, 35+5.527.0-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, app-protect, 35+5.527.0-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, app-protect-attack-signatures, 2025.10.16-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, app-protect-threat-campaigns, 2025.10.19-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-agent, 2.43.0~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus, 35-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-njs, 35+0.9.1-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-otel, 35+0.1.2-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-fips-check, 35+0.1-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-appprotect, 35+5.527.0-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, app-protect-module-plus, 35+5.527.0-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, app-protect-plugin, 6.23.0-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-agent, 2.43.0~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus, 35-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-njs, 35+0.9.1-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-otel, 35+0.1.2-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-fips-check, 35+0.1-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-appprotectdos, 35+4.7.3-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, app-protect-dos, 35+4.7.3-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus, 35-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-njs, 35+0.9.1-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-otel, 35+0.1.2-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-fips-check, 35+0.1-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-appprotect, 35+5.527.0-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, app-protect, 35+5.527.0-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, app-protect-attack-signatures, 2025.10.16-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, app-protect-threat-campaigns, 2025.10.19-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-plus-module-appprotectdos, 35+4.7.3-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, app-protect-dos, 35+4.7.3-1~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3, nginx-agent, 2.43.0~bookworm, amd64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx, 1.29.1-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-module-njs, 1.29.1.0.9.1-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-module-otel, 1.29.1.0.1.2-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-agent, 3.3.2, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx, 1.29.1-r1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-module-njs, 1.29.1.0.9.1-r1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-module-otel, 1.29.1.0.1.2-r1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-agent, 3.3.2, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-plus, 35-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-plus-module-njs, 35.0.9.1-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-plus-module-otel, 35.0.1.2-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-plus-module-fips-check, 35.0.1-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-agent, 3.3.2, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-plus, 35-r1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-plus-module-njs, 35.0.9.1-r1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-plus-module-otel, 35.0.1.2-r1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-plus-module-fips-check, 35.0.1-r1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine, nginx-agent, 3.3.2, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus, 35-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-njs, 35.0.9.1-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-otel, 35.0.1.2-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-fips-check, 35.0.1-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-agent, 3.3.2, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus, 35-r1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-njs, 35.0.9.1-r1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-otel, 35.0.1.2-r1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-fips-check, 35.0.1-r1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-agent, 3.3.2, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus, 35-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-njs, 35.0.9.1-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-otel, 35.0.1.2-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-fips-check, 35.0.1-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-agent, 2.43.0, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-appprotect, 35.5.527.0-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, app-protect, 35.5.527.0-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, app-protect-attack-signatures, 2025.10.16-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, app-protect-threat-campaigns, 2025.10.19-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus, 35-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-njs, 35.0.9.1-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-otel, 35.0.1.2-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-fips-check, 35.0.1-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-agent, 2.43.0, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, nginx-plus-module-appprotect, 35.5.527.0-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, app-protect-module-plus, 35.5.527.0-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-alpine-fips, app-protect-plugin, 6.23.0-r1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx, 1.29.1-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-module-njs, 1.29.1+0.9.2-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-module-otel, 1.29.1+0.1.2-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-agent, 3.3.2-1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx, 1.29.1-1.el9.ngx, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-module-njs, 1.29.1+0.9.2-1.el9.ngx, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-module-otel, 1.29.1+0.1.2-1.el9.ngx, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-agent, 3.3.2-1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus, 35-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-njs, 35+0.9.1-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-otel, 35+0.1.2-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-fips-check, 35+0.1-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-agent, 3.3.2-1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus, 35-1.el9.ngx, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-njs, 35+0.9.1-1.el9.ngx, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-otel, 35+0.1.2-1.el9.ngx, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-fips-check, 35+0.1-1.el9.ngx, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-agent, 3.3.2-1, aarch64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus, 35-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-njs, 35+0.9.1-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-otel, 35+0.1.2-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-fips-check, 35+0.1-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-agent, 2.43.0-1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-appprotect, 35+5.527.0-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, app-protect, 35+5.527.0-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, app-protect-attack-signatures, 2025.10.16-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, app-protect-threat-campaigns, 2025.10.19-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus, 35-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-njs, 35+0.9.1-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-otel, 35+0.1.2-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-fips-check, 35+0.1-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-agent, 2.43.0-1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-appprotect, 35+5.527.0-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, app-protect-module-plus, 35+5.527.0-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, app-protect-plugin, 6.23.0-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, nginx-plus, 35-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, nginx-plus-module-njs, 35+0.9.1-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, nginx-plus-module-otel, 35+0.1.2-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, nginx-plus-module-fips-check, 35+0.1-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, nginx-agent, 2.43.0-1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, nginx-plus-module-appprotect, 35+5.527.0-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, app-protect, 35+5.527.0-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, app-protect-attack-signatures, 2025.10.16-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, app-protect-threat-campaigns, 2025.10.19-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, nginx-plus, 35-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, nginx-plus-module-njs, 35+0.9.1-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, nginx-plus-module-otel, 35+0.1.2-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, nginx-plus-module-fips-check, 35+0.1-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, nginx-agent, 2.43.0-1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, nginx-plus-module-appprotect, 35+5.527.0-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, app-protect-module-plus, 35+5.527.0-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi8, app-protect-plugin, 6.23.0-1.el8.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus, 35-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-njs, 35+0.9.1-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-otel, 35+0.1.2-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-fips-check, 35+0.1-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-appprotectdos, 35+4.7.3-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, app-protect-dos, 35+4.7.3-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus, 35-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-njs, 35+0.9.1-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-otel, 35+0.1.2-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-fips-check, 35+0.1-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-appprotect, 35+5.527.0-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-plus-module-appprotectdos, 35+4.7.3-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, nginx-agent, 2.43.0-1, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, app-protect, 35+5.527.0-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, app-protect-attack-signatures, 2025.10.16-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, app-protect-threat-campaigns, 2025.10.19-1.el9.ngx, x86_64 gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-4bd659fd2dd68742851ef7c053a683c3-ubi, app-protect-dos, 35+4.7.3-1.el9.ngx, x86_64 | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This PR implements OpenID Connect Front-Channel Logout functionality for NIC by adapting the NGINX reference implementation. It adds support for IdPs to initiate logout across multiple client applications sharing the same session.
- Updates the OIDC JavaScript implementation to the latest version with enhanced error handling and front-channel logout support
- Adds the /front_channel_logoutendpoint and session ID mapping infrastructure
- Updates Keycloak test configuration to version 26.4 with new authentication environment variables
Reviewed Changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description | 
|---|---|
| internal/configs/oidc/openid_connect.js | Updates OIDC JavaScript to latest version with front-channel logout handler and improved error handling | 
| internal/configs/oidc/oidc.conf | Adds front-channel logout endpoint configuration | 
| internal/configs/oidc/oidc_common.conf | Adds keyval zone for session ID mapping | 
| internal/configs/version2/nginx-plus.virtualserver.tmpl | Adds session ID keyval mapping for OIDC configurations | 
| tests/data/common/app/keycloak/app.yaml | Updates Keycloak to version 26.4 with new environment variables | 
| tests/suite/test_oidc.py | Removes unused keycloak_src variable | 
| internal/configs/version2/snapshots/templates_test.snap | Updates snapshot test for new keyval configuration | 
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
44acccb    to
    26e2c26      
    Compare
  
    bc2afde    to
    d070702      
    Compare
  
    d070702    to
    ee28fee      
    Compare
  
    Update python:3.14-bookworm Docker digest to 0cc5dcf Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
8cfb835    to
    ecf361d      
    Compare
  
    
Proposed changes
Closes #7781
Closes #8207
Adapts the oidc reference implementation of the front channel logout for NIC, and adds functionality to enable oidc debug log
PyTest is added for front channel log out. Important parts of that:
error-log-level: debugwhich also means it's testing oidc debug logpage.wait_for_selector, so that was replaced bypage.locator, see https://playwright.dev/python/docs/api/class-page#page-wait-for-selectorManual testing steps
Installation / deployment
Requirements:
Once those steps are, log into keycloak, create two confidential clients, which means the Client Authentication needs to be turned on:
Set the front channel logout to on, and turn the front channel session required on, and add the URL keycloak should use:
https://client-domain/front_channel_logout. The path/front_channel_logoutis hardcoded in the nginx settings in NIC.Set this up for both of the clients, and grab the client secret for both of them. Using the client secrets, create two new k8s client secrets with the base64'd values for them, and apply those to the k8s cluster.
Then adjust the oidc policies for the clients (change the client names and client secret references and make sure that the realm and namespace is correct, especially paying attention to where you deployed keycloak), deploy those.
In keycloak also set up a regular user that you will use to log into the applications via keycloak.
Login / logout flow
Open the two different apps on their own domains in the same browser session making sure it's a separate browser session from where you are logged into keycloak with admin. By that I mean:
Once you're logged into both applications with your user, go back to the keycloak admin in the other session context and look at the active sessions in keycloak:
Front channel logout terminates the session that you're logged in with.
Now normally you could go to either app's
/logoutURL, and it should log you out of every client thatBut if you actually do it in a modern browser, that's not going to happen. You briefly see that during the logout process keycloak's logout endpoint is getting called, then you're redirected back to the application that says "You're logged out" only to find that when you reload the page, you're logged in again.
This happens because:
/front_channel_logoutanywhere in the nginx-ingress pod, or the application podsIn order to veryify that it should be working, you need to open keycloak's realm logout url (rather than application logout url) and have it render the page, look in the source code, and find the iframes. If you deployed keycloak with host
keycloak.example.com, the realm logout url is:https://keycloak.example.com/realms/master/protocol/openid-connect/logout
On that page once it asks you if you want to log out and you click yes, you're taken to the logged out page.
What you'll notice in the network tab (if you had that open and set logs to be persisted) are two requests to the front channel logout urls for each clients that are blocked due to CSP:
And just to double check that the invisible iframes are there:
In order to see the list of clients, each client needs to have their name (not just their ID) set. Without the name the individual list items would look empty, because the only element would be the invisible iframes (
display: none;).At this point if you reload the applications you will note that they are logged out, but that's because the apps poll for session, and invalidates the local session cookie that way; they were not logged out because of the front channel logout.
You can grab the URL that the iframes wanted to visit and call that, it will succeed, but at that point it's no longer important because the applications have been logged out.
What could be done
CSP headers should be set to allow requests to the client. In keycloak's case, and the example deployment here the extra header should be:
I can't get this working with
http-snippetsfor the virtualserver for the idp.Gotchas
Content-Security-Policyheader that permits the browser to make the GET requests in the iframes. By default they won't do it. The OIDC Front Channel Logout spec knows about this in point 4.1: https://openid.net/specs/openid-connect-frontchannel-1_0.html#ThirdPartyContent. Their recommendation is to use back channel logout<iframe src="frontchannel_logout_uri">in a page with the registered logout URI as the source to trigger the logout actions by the RP.", it means that the iframes for the clients render on the OP (OpenID Provider) logout page, in this case keycloak. During the logout flow from any one application, one of the redirects is to the OP's (keycloak's) logout pageChecklist
Before creating a PR, run through this checklist and mark each as complete.