Log out not possible #169

Closed
amiiya opened this issue Jun 14, 2018 · 8 comments
Comments

amiiya commented Jun 14, 2018

Hi there again!

I'm currently working on the logout. I have my /webui where I embedded some JSON data from my secured /backend. If I'm not logged in there is nothing to see. I log in via the redirect of /backend. If I go back to my /webui I can see everything perfectly. There's a logout button (/backend/logout) too. If I click it, my /webui is restricted like it should be.

BUT if I go directly to /backend, the session is still active and after accessing /backend/logout again, it doesn't seem to log out. If I go back to /webui it is suddenly not restricted again and I can see my data again even though I logged out before and the data disappeared from my view. This happened after accessing /backend.

I logged in to http://localhost:5000/auth/realms/internal/account/sessions to "log out from all sessions". I was kicked out of the Realm-Login but my /backend session is still remaining. I tried to force reload too but it doesn't work. I also tried to set redirect_after_logout_with_id_token_hint = false but that didn't make a difference.

How can I kill this session? Except deleting the cookies..

    lua_package_path '/opt/openresty/lualib/?.lua;;';
    resolver 8.8.8.8;                 # needed by lua-resty-openidc to resolve the discovery/OP host
    lua_shared_dict discovery 1m;     # cache for the OP metadata document
    lua_shared_dict jwks 1m;          # cache for the OP signing keys

    server {
        listen       5000;
        server_name  127.0.0.1;
        root         /opt/openresty/nginx/html;
        index        index.html index.htm;

        location / {
        }

        location /webui {
        }

        location /backend {
            access_by_lua '
              local opts = {
                    discovery = "http://127.0.0.1:5000/auth/realms/internal/.well-known/openid-configuration",
                    redirect_uri_path = "/backend/redirect_uri",
                    client_id = "backend",
                    client_secret = "fa58d169-df80-42a6-8871-dcbab179f916",
                    logout_path = "/backend/logout",
                    redirect_after_logout_uri = "/webui",
                    redirect_after_logout_with_id_token_hint = false,
              }

              -- authenticate() redirects to the OP when there is no session;
              -- on error we refuse access instead of falling through to the proxy
              local res, err = require("resty.openidc").authenticate(opts)
              if err then
                ngx.status = 403
                ngx.say(err)
                ngx.exit(ngx.HTTP_FORBIDDEN)
              end
            ';
            expires           0;
            add_header        Cache-Control private;
            proxy_pass        http://localhost:5050/;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /opt/openresty/nginx/html;
        }

        include include/5000_*.conf;
    }

amiiya commented Jun 14, 2018

After changing the resolver to the resolver in /etc/resolv.conf, the logout from /webui stopped working too..

resolver 10.0.2.3;
...
 location /backend {
     access_by_lua '
       local opts = {
             discovery = "http://localhost:5000/auth/realms/internal/.well-known/openid-configuration",
...

bodewig commented Jun 16, 2018

I'm afraid redirect_after_logout_uri does not do what you think it does. This is the URI lua-resty-openidc will invoke after destroying its session and usually is the front-channel logout endpoint of your OpenID Connect Provider (OP). You've overridden this to redirect to your webui.

So what happens when you logout is that /backend destroys its session but your OP has no idea you have logged out (because it is no longer informed). When you invoke /backend again, lua-resty-openidc redirects to your OP which thinks you are still logged in, redirects you back and a new session with /backend is established.

When you remove all sessions on your OP, lua-resty-openidc will not know that and you remain logged in until the lua-resty-openidc session expires.

bodewig commented Jun 16, 2018

I think you expect redirect_after_logout_uri to do what #168 is proposing to add: a URI that is invoked after the OP has been informed you have logged out.

amiiya commented Jun 21, 2018

@bodewig Oh okay. I think I understand what you are saying. But what should I do now instead?

bodewig commented Jun 21, 2018

Until there is a new release of lua-resty-openidc you'd have to use the Lua file from master - #168 is the only change compared to 1.6.0. Once you've done that you'd use

       local opts = {
             ...
             post_logout_redirect_uri = "https://YOUR_SERVER_NAME/webui",
       }

and leave redirect_after_logout_uri alone. YOUR_SERVER_NAME may be ngx.var.server_name unless you are behind a proxy and need to take things like X-Forwarded-Host into account.

I haven't closed this issue as there is no good workaround in any released version of lua-resty-openidc. One thing you can do with the released versions is to look up the correct redirect_after_logout_uri from your OP's metadata document (look for end_session_endpoint in there, for Keycloak usually something like https://SERVER/openid-connect/logout) and explicitly set redirect_after_logout_uri to this URI with ?post_logout_redirect_uri=https%3A%2F%2FYOUR_SERVER_NAME%2Fwebui appended. This is not what I'd call a "good workaround", though :-)
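The 1.6.0 workaround described in the comment above (and the reason behind it from the earlier comment: the OP must be sent through its end_session_endpoint or it never learns about the logout), as an added example that is not from this issue or from the lua-resty-openidc project. It is a Python helper that takes end_session_endpoint from the OP metadata document and appends the percent-encoded post_logout_redirect_uri; the discovery document and host names are constructed for the example.

```python
import json
from urllib.parse import quote, urlsplit

# Constructed sample of an OP discovery document (openid-configuration),
# trimmed to the fields this example needs. Not a real server's response.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example.test/auth/realms/internal",
    "authorization_endpoint":
        "https://op.example.test/auth/realms/internal/protocol/openid-connect/auth",
    "end_session_endpoint":
        "https://op.example.test/auth/realms/internal/protocol/openid-connect/logout",
})


def build_logout_redirect(discovery_json: str, post_logout_uri: str) -> str:
    """Return the value for redirect_after_logout_uri on lua-resty-openidc <= 1.6.0.

    The OP's end_session_endpoint is read from its metadata document and the
    application URI to return to is appended as a percent-encoded
    post_logout_redirect_uri query parameter, so the browser is sent to the OP
    (which ends its own session) before being returned to the web UI.
    """
    metadata = json.loads(discovery_json)
    endpoint = metadata.get("end_session_endpoint")
    if not endpoint:
        # An OP that does not advertise RP-initiated logout cannot be told to
        # end its session this way; failing loudly beats silently leaving the
        # user logged in at the OP.
        raise ValueError("OP metadata has no end_session_endpoint")
    parts = urlsplit(post_logout_uri)
    if parts.scheme != "https" or not parts.netloc:
        # The return URI must be absolute (a bare "/webui" is what went wrong
        # in the issue); the OP normally also checks it against the client's
        # registered redirect URIs.
        raise ValueError("post_logout_redirect_uri must be an absolute https URI")
    # safe="" also encodes ':' and '/', producing https%3A%2F%2F... as required
    encoded = quote(post_logout_uri, safe="")
    separator = "&" if "?" in endpoint else "?"
    return f"{endpoint}{separator}post_logout_redirect_uri={encoded}"


if __name__ == "__main__":
    # YOUR_SERVER_NAME is the placeholder from the comment above, not a real host
    print(build_logout_redirect(SAMPLE_DISCOVERY, "https://YOUR_SERVER_NAME/webui"))
```

The returned string is what goes into redirect_after_logout_uri in the opts table; with 1.6.1 or later, post_logout_redirect_uri replaces this manual construction.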

bodewig commented Jul 5, 2018

With 1.6.1 out now, you should be able to achieve what you need by using post_logout_redirect_uri.

bodewig closed this as completed Jul 5, 2018
amiiya commented Jul 12, 2018

Works perfectly. Thanks a lot!! :)

@tudorbarascu

@bodewig Thank you for your work in this very nice project.

@amiiya Hi, could you please post your working configuration with keycloak? I've lost about 3 days trying to learn the ins and outs. Single sign in is working but single sign out.. another story.

If I understand correctly you have backend channel logout (single sign out) working with keycloak, e.g. for at least two realm clients/apps, if you log out from one you're doing it for the other.
Thanks a lot!
