
Feature/backchannel logout #244

Closed
wants to merge 5 commits into from

Conversation

upachler

All Submissions:

Changes proposed in this Pull Request:

Aims to implement OIDC Backchannel Logout and the Keycloak legacy BCL feature.

Scenario:

  • User logs into Wordpress via OIDC's OP
  • User then moves to other site, where she/he logs out of the OP, terminating all user sessions
  • When user moves back to Wordpress, the user is expected to be logged out

This change implements the last point in the scenario; previously, the user remained logged in as long as the WP session itself didn't time out (which is quite long compared to an access_token lifetime in typical OIDC configurations). Not being logged out is particularly strange for users who, in an SSO context, log out of a running OP session and then log in with a different user. If WP does not recognize the logout, the WP session will keep running with the original user, which breaks the seamlessness promised in SSO contexts.

Closes #205 .

How to test the changes in this Pull Request:

  1. Connect to an OIDC-BCL-compliant OP or Keycloak < 12.0.0 (tested in 4.8)
  • For OIDC BCL, set https://my-wordpress-site.com/wp-admin/admin-ajax.php?action=openid-connect-backchannel-logout as the BCL URL in WP's client config
  • For Keycloak Legacy BCL, you need to enable it first on the settings page, then set https://my-wordpress-site.com/ as the Admin URL in WP's client config
  2. Log in to WP using OIDC, change over to a non-WP site. Log out from there, so that WP doesn't see the logout directly
  3. Change back to WP
  4. The WP session should be logged out.

BCL logouts are logged via the logging feature.

Other information:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes, as applicable?
  • Have you successfully run tests with your changes locally?
    -> Yes, in the Keycloak Legacy configuration, which is my main use case. I have no access to a BCL compliant OIDC provider

Changelog entry

Implement OpenID Connect Backchannel Logout
Implement Keycloak Backchannel Logout (k_logout, for Keycloak before v12.0.0)
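The logout token that an OP POSTs to a back-channel logout URL such as the admin-ajax.php endpoint above is a JWT with a specific set of rules (OpenID Connect Back-Channel Logout 1.0, section 2.6): signature, iss, aud and iat must be checked as for an ID token, the events claim must carry the backchannel-logout member, sub and/or sid must be present, nonce must be absent, and jti should be tracked against replay. The following is an added example written for this page, not code from the PR or from the plugin, showing that validation and the mapping from a validated token to the RP sessions to terminate. HS256 with a shared secret is an assumption made so the example runs offline; a real OP signs logout tokens with an asymmetric key published at its JWKS endpoint, and the issuer, client ID, secret and session index below are all constructed values.

```python
"""Validation of an OIDC Back-Channel Logout token.  Added example, not code
from the plugin or the PR.  HS256 with a shared secret is an assumption so the
example runs offline; real OPs use RS256/ES256 keys from their JWKS endpoint."""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
CLOCK_SKEW = 60  # seconds of clock drift tolerated between OP and RP


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_logout_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 logout token, i.e. what an OP would POST."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_logout_token(token, issuer, client_id, secret, now=None, seen_jti=None):
    """Return the claims if this is a valid logout token for the RP, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError as e:  # covers bad split, bad base64 and JSONDecodeError
        raise ValueError(f"malformed token: {e}")
    # Pin the algorithm: the token must never choose "none" or another family.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    # Issuer, audience and iat are checked exactly as for an ID token.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + CLOCK_SKEW:
        raise ValueError("missing or future iat")
    # exp is required by the final spec; older drafts (the Keycloak 4.x era) omit it.
    if "exp" in claims and claims["exp"] < now - CLOCK_SKEW:
        raise ValueError("token expired")
    # Logout-token-specific rules.
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("missing backchannel-logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("need sub or sid")
    if "nonce" in claims:
        raise ValueError("nonce must not be present")
    jti = claims.get("jti")
    if not jti:
        raise ValueError("missing jti")
    if seen_jti is not None:  # replay protection: remember jti until exp
        if jti in seen_jti:
            raise ValueError("replayed jti")
        seen_jti.add(jti)
    return claims


def validation_error(token, issuer, client_id, secret, now=None, seen_jti=None):
    """Convenience wrapper: the rejection reason as a string, or None if valid."""
    try:
        validate_logout_token(token, issuer, client_id, secret, now, seen_jti)
        return None
    except ValueError as e:
        return str(e)


def sessions_to_terminate(claims, session_index):
    """session_index maps (sub, sid) -> RP session id.  A sid selects that one
    OP session; a bare sub means every RP session of that user goes."""
    if "sid" in claims:
        return [s for (sub, sid), s in session_index.items() if sid == claims["sid"]]
    return [s for (sub, sid), s in session_index.items() if sub == claims["sub"]]


if __name__ == "__main__":
    SECRET, ISS, CID, NOW = b"example-shared-secret", "https://op.example.com/realms/demo", "wordpress", 1_600_000_000
    good = make_logout_token({"iss": ISS, "aud": CID, "iat": NOW, "exp": NOW + 120, "jti": "j1",
                              "sub": "alice", "sid": "s1", "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}, SECRET)
    seen = set()
    claims = validate_logout_token(good, ISS, CID, SECRET, now=NOW, seen_jti=seen)
    print(sessions_to_terminate(claims, {("alice", "s1"): "wp-tok-1", ("alice", "s2"): "wp-tok-2"}))
```

In the plugin's setting the RP session index would be the WordPress session tokens stored per user, keyed by the sid recorded at login; when the OP sends a token with only sub (as the Keycloak legacy k_logout path effectively does), every WP session for that user is destroyed, which is what the scenario in the PR description requires.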

@upachler (Author)

closing this PR as it was not developed against 'dev', but 'main'.
See new PR #246, which is developed against 'dev'

@upachler upachler closed this Oct 26, 2020