Introduction

Once you log in to the application using an external provider, you are authenticated in both CoreOne Suite and the external provider.

When you log out, you are only logged out of CoreOne Suite. The decision of whether to also log out from the external provider is up to you, as there are valid arguments both for logout and against doing so.

Setup

Info

Logout from external provider is implemented only for OIDC providers

On the DEV test environment, logout from the external provider is configured for both SwissId and KeyCloak. You should be able to just run and test it. Below we will go through the configuration and see what is where.

To enable logout from external logon providers, enable the useiframelogoutwithidtokenhint setting in the external logon provider configuration (servicecorelogin_external_logon_provider table):

Code Block
{
   "clientid": "cos",
   "clientsecret": "0lLM43yeXPKtBzyH7s3p5mKzWGS1dLVT",
   "authority": "https://idp.externalprovider.com",
   "useuserinfoendpoint": true,
   "requirehttpsmetadata": false,
   "useiframelogoutwithidtokenhint": true
}

You can see useiframelogoutwithidtokenhint is set to true. This has to be set for the logout to work.

id_token_hint is recommended but not required by OpenID Connect RP-Initiated Logout 1.0. In order to log out from external logon providers such as KeyCloak or SwissId, id_token_hint is required!

Note

URLs to be redirected to after logout need to be configured as Trusted Sites (trusted_address setting) within your web application (the web application that starts the logout process); otherwise Content Security Policy (CSP) will block the request.

How it works

Login

During authentication to the external provider, the id_token is saved to the CoreOne Suite cache. The reference to the token is saved in the cookie external_id_token_ref_{auth_scheme} (for the multiple-browser scenario).

Logout

Based on the cookie, the id_token is retrieved from the cache.

On the logout page, the iFrame is rendered with the logout request to the external provider. The request should contain id_token_hint.

Cleanup

During logout we remove the id_token that was used, as it is not needed anymore. There will be situations when these tokens are not removed because no logout was invoked (for example, when the browser is simply closed). That means there will be obsolete id_tokens left in our cache.

...
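The login, logout and cleanup steps above, sketched as an added example (this is not CoreOne Suite code). The class and function names, the in-memory store, the TTL-based purge and the logout endpoint URL passed in are assumptions of this example; only the cookie name pattern and the id_token_hint parameter come from the page.

```python
import secrets
import time
from urllib.parse import urlencode

# Assumed lifetime for cached tokens; the page does not state one.
TOKEN_TTL_SECONDS = 8 * 3600


class ExternalIdTokenCache:
    """Keeps id_tokens server-side; the browser only holds an opaque reference."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl, self._clock, self._entries = ttl, clock, {}

    def save(self, auth_scheme, id_token):
        """Login: store the token, return (cookie_name, cookie_value)."""
        ref = secrets.token_urlsafe(32)  # unguessable, carries no token data
        self._entries[ref] = (auth_scheme, id_token, self._clock() + self._ttl)
        return f"external_id_token_ref_{auth_scheme}", ref

    def take(self, auth_scheme, cookies):
        """Logout: resolve the cookie to the token and remove it from the cache."""
        ref = cookies.get(f"external_id_token_ref_{auth_scheme}")
        entry = self._entries.pop(ref, None)
        if entry is None or entry[0] != auth_scheme or entry[2] <= self._clock():
            return None  # unknown, mismatched or expired reference
        return entry[1]

    def purge_expired(self):
        """Cleanup: drop tokens whose session ended without a logout."""
        now = self._clock()
        stale = [r for r, (_, _, exp) in self._entries.items() if exp <= now]
        for ref in stale:
            del self._entries[ref]
        return len(stale)

    def __len__(self):
        return len(self._entries)


def build_logout_url(end_session_endpoint, id_token):
    """URL for the logout iFrame; id_token_hint identifies the session to end."""
    return f"{end_session_endpoint}?{urlencode({'id_token_hint': id_token})}"
```

Running purge_expired on a schedule bounds how long an id_token from a browser that was simply closed stays in the cache.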