Skip to content

Add support for RP-initiated OIDC logout #96

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 2, 2024
Merged

Add support for RP-initiated OIDC logout #96

merged 1 commit into from
Jul 2, 2024

Conversation

@route443
Copy link
Contributor

@route443 route443 commented Jun 7, 2024
edited
Loading

Implement support for RP-initiated logout in accordance with OpenID Connect RP-Initiated Logout 1.0. Introduce the oidc_end_session_endpoint variable to specify the end_session_endpoint URL.

If oidc_end_session_endpoint is not set or is empty, the default behavior of logging out only on the NGINX side is maintained. When set, the endpoint triggers the RP-initiated logout as specified in the OIDC specification.

This PR is based on the revised PR #87 initially submitted by user @llomgui. Thank you to @llomgui for the initial implementation and contribution.

Summary of Changes

  • Added oidc_end_session_endpoint variable to specify the OIDC end session endpoint URL.
  • Updated the logout function to:
    • Handle RP-initiated logout by redirecting to the specified end_session_endpoint.
    • Include logic to renew ID token if refresh token is available, but session_jwt is expired.
    • Fall back to traditional logout if both tokens are absent.
@route443 route443 force-pushed the rp-initiated-logout branch from dae4ed3 to ded18f2 Compare June 8, 2024 06:54
@route443
Add support for RP-initiated OIDC logout
323e6f9 
Implement support for RP-initiated logout in accordance with OpenID Connect RP-Initiated Logout 1.0. Introduce "oidc_end_session_endpoint" variable to specify the "end_session_endpoint" URL. If "oidc_end_session_endpoint" is not set or is empty, the default behavior of logging out only on the NGINX side is maintained. When set, the endpoint triggers the RP-initiated logout as specified in the specification.
@route443 route443 force-pushed the rp-initiated-logout branch from ded18f2 to 323e6f9 Compare June 14, 2024 17:24
mtbChef
mtbChef reviewed Jun 28, 2024
View reviewed changes
@route443 route443 merged commit 6ea7364 into nginxinc:main Jul 2, 2024
@llomgui
Copy link

llomgui commented Jul 3, 2024

Hey @route443,

Do you plan to create a PR to update the current files https://github.com/nginxinc/kubernetes-ingress/tree/main/internal/configs/oidc with your latest changes?
Or do you want me to update my PR nginx/kubernetes-ingress#4986 ?

Thank you with this merge.
@shaun-nx shaun-nx mentioned this pull request Jul 10, 2024
Closed
@route443 route443 mentioned this pull request Nov 3, 2024
Closed
@route443 route443 mentioned this pull request Aug 22, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

3 participants

@route443 @llomgui @mtbChef