
allow passing 'id_token_hint' to the IdP in logout uri or end_session_endpoint

Open ShyLionTjmn opened this issue 2 years ago • 9 comments

My IdP requires the id_token as one of the parameters to be able to redirect to the specified URL, like this:

end_session_endpoint: https://idp.domain.com/oauth/logout?id_token_hint={ID_TOKEN}&post_logout_redirect_uri=https%3A%2F%2Fmyapp.domain.com%2F

Is there a way to include it in the URI?

ShyLionTjmn avatar Feb 21 '23 10:02 ShyLionTjmn

@ShyLionTjmn welcome back!

Which IdP is this?

VP does not support passing the token to the IdP in a logout URL.

bnfinet avatar Feb 22 '23 19:02 bnfinet

fwiw this is part of the OpenID Connect spec:

https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout

aaronpk avatar Feb 22 '23 19:02 aaronpk

right now these URLs are configured in vouch.post_logout_redirect_uris https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example#L194

If #41 (OIDC Discovery from .well-known) is implemented and VP is configured with the specified end_session_endpoint, does the IdP include id_token_hint={ID_TOKEN}?

I don't see that mentioned here... https://openid.net/specs/openid-connect-discovery-1_0.html

I'm thinking there may need to be a new configuration parameter... vouch.post_logout_id_token_hint: true (default false)

Microsoft Azure chooses not to include id_token_hint when OIDC discovery is used.
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory-b2c/session-behavior.md

Seems like "Single Sign Out" is its own rabbit hole. :)

bnfinet avatar Feb 22 '23 20:02 bnfinet

> Seems like "Single Sign Out" is its own rabbit hole. :)

It absolutely is :joy:

aaronpk avatar Feb 22 '23 20:02 aaronpk

The IdP is Blitz: https://identityblitz.com/

https://blitz.mydomain.com/blitz/oauth/.well-known/openid-configuration has: "end_session_endpoint": "https://blitz.mydomain.com/blitz/oauth/logout",

ShyLionTjmn avatar Feb 22 '23 21:02 ShyLionTjmn

> I'm thinking there may need to be a new configuration parameter... vouch.post_logout_id_token_hint: true (default false)

That would be nice.

ShyLionTjmn avatar Feb 22 '23 21:02 ShyLionTjmn

I'd be really glad if this extra parameter could be implemented.

Keycloak also requires the id_token_hint parameter to skip the logout confirmation.

Update: I just found #258 that is supposed to do exactly that. Any ideas why this isn't working?

Update 2: I just found #298 (also see #328) that mandates the explicit inclusion of the id/access token as headers to make them available. You need to add this to your vouch configuration to make it work:

vouch:
  # ...
  headers:
    accesstoken: X-Vouch-IdP-AccessToken
    idtoken: X-Vouch-IdP-IdToken

talasjanos avatar Jul 04 '23 20:07 talasjanos
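Added example, not vouch-proxy's own code: the RP-Initiated Logout request discussed in this thread (end_session_endpoint plus id_token_hint and post_logout_redirect_uri) built in Go, with the ID token read from the X-Vouch-IdP-IdToken header that the config above exposes, and the redirect target checked against an exact-match allowlist in the spirit of vouch.post_logout_redirect_uris. LogoutConfig, BuildLogoutURL, IDTokenFromHeaders, the IncludeIDTokenHint switch (standing in for the proposed vouch.post_logout_id_token_hint) and the sample token are assumptions for illustration; only the header name, the endpoint shape and the parameter names come from the thread and the OIDC RP-Initiated Logout spec.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// LogoutConfig uses hypothetical names for the settings discussed in the thread:
// the IdP's end_session_endpoint, the post_logout_redirect_uris allowlist and the
// proposed post_logout_id_token_hint switch.
type LogoutConfig struct {
	EndSessionEndpoint     string
	PostLogoutRedirectURIs []string
	IncludeIDTokenHint     bool
}

// IDTokenHeader is the header name from the vouch config quoted in the thread
// (vouch.headers.idtoken); its value is the raw ID token JWT.
const IDTokenHeader = "X-Vouch-IdP-IdToken"

var (
	ErrRedirectNotAllowed = errors.New("post_logout_redirect_uri is not in the allowlist")
	ErrNoIDToken          = errors.New("id_token_hint requested but no ID token is available")
)

// IDTokenFromHeaders returns the ID token forwarded to the protected app,
// or "" when the header is absent or does not look like a JWT.
func IDTokenFromHeaders(h http.Header) string {
	tok := strings.TrimSpace(h.Get(IDTokenHeader))
	if !looksLikeJWT(tok) {
		return ""
	}
	return tok
}

// looksLikeJWT is a structural check only (three dot-separated segments with a
// non-empty header and payload); the signature is not verified here because the
// token is only echoed back to the IdP that issued it.
func looksLikeJWT(s string) bool {
	parts := strings.Split(s, ".")
	return len(parts) == 3 && parts[0] != "" && parts[1] != ""
}

// BuildLogoutURL assembles an OIDC RP-Initiated Logout request. A non-empty
// postLogoutRedirect must exactly match an allowlisted URI; that exact match is
// what keeps the logout endpoint from doubling as an open redirector.
func BuildLogoutURL(cfg LogoutConfig, idToken, postLogoutRedirect string) (string, error) {
	u, err := url.Parse(cfg.EndSessionEndpoint)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", errors.New("end_session_endpoint must use https")
	}
	q := u.Query() // keep any query parameters already present on the endpoint
	if postLogoutRedirect != "" {
		if !isAllowed(cfg.PostLogoutRedirectURIs, postLogoutRedirect) {
			return "", ErrRedirectNotAllowed
		}
		q.Set("post_logout_redirect_uri", postLogoutRedirect)
	}
	if cfg.IncludeIDTokenHint {
		if !looksLikeJWT(idToken) {
			return "", ErrNoIDToken
		}
		q.Set("id_token_hint", idToken)
	}
	u.RawQuery = q.Encode() // percent-encodes the redirect URI, as in the thread's example
	return u.String(), nil
}

// isAllowed compares exact strings: prefix or host-only matching would let
// "https://myapp.domain.com.evil.example/" or a crafted path through.
func isAllowed(allowlist []string, candidate string) bool {
	for _, a := range allowlist {
		if a == candidate {
			return true
		}
	}
	return false
}

func main() {
	cfg := LogoutConfig{
		EndSessionEndpoint:     "https://idp.domain.com/oauth/logout",
		PostLogoutRedirectURIs: []string{"https://myapp.domain.com/"},
		IncludeIDTokenHint:     true,
	}
	// Constructed headers standing in for a request that passed through vouch-proxy.
	h := http.Header{}
	h.Set(IDTokenHeader, "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig")
	logoutURL, err := BuildLogoutURL(cfg, IDTokenFromHeaders(h), "https://myapp.domain.com/")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(logoutURL)
}
```

With the constructed input above the result is the URL shape from the opening post: the endpoint followed by id_token_hint and a percent-encoded post_logout_redirect_uri. Note that url.Values.Encode sorts parameters by name, so id_token_hint comes first; an IdP that cares about parameter order is out of spec.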

@ShyLionTjmn is this fixing your issue?

talasjanos avatar Jul 05 '23 09:07 talasjanos

Didn't try it.

ShyLionTjmn avatar Jul 05 '23 10:07 ShyLionTjmn