Details
- New Feature
- Resolution: Fixed
- Major
- 1.30
- None
Description
The OpenID specification provides 4 ways to log a user out:
- Using front-channel logout methods, which will include iframes injected in the user's browser: https://openid.net/specs/openid-connect-session-1_0.html / https://openid.net/specs/openid-connect-frontchannel-1_0.html
- Using a back-channel logout, where the relying party (XWiki) makes a request to the OpenID Provider in order to log the user out: https://openid.net/specs/openid-connect-backchannel-1_0.html. This is the method currently implemented.
- Using a redirect that will send the user to the logout URL of the OpenID Provider, thus terminating its session: https://openid.net/specs/openid-connect-rpinitiated-1_0.html
Unfortunately, back-channel logout is not supported by every OpenID provider. The goal of this issue will be to add support for multiple logout methods, and to implement the RP-initiated logout for the authenticator.
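The redirect-based (RP-initiated) logout described above, as an added sketch that is not the XWiki authenticator's code: it builds the logout redirect from the provider's `end_session_endpoint` metadata and checks the `state` when the browser returns. The function names, the `op.example.org` and `wiki.example.org` URLs and the sample metadata are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed provider metadata (shape of an OpenID discovery document).
SAMPLE_METADATA = {
    "issuer": "https://op.example.org",
    "end_session_endpoint": "https://op.example.org/logout?tenant=demo",
}

def build_logout_request(metadata, id_token, post_logout_redirect_uri, client_id=None):
    """Return (url, state) for RP-initiated logout, or raise if unsupported."""
    endpoint = metadata.get("end_session_endpoint")
    if not endpoint:
        # Caller should fall back to another logout method for this provider.
        raise ValueError("provider does not advertise end_session_endpoint")
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("end_session_endpoint must be an absolute https URL")
    state = secrets.token_urlsafe(32)  # ties the OP's redirect back to this logout
    params = parse_qsl(parts.query, keep_blank_values=True)  # keep the OP's own query
    params += [
        ("id_token_hint", id_token),  # lets the OP identify the session to end
        ("post_logout_redirect_uri", post_logout_redirect_uri),  # must be registered at the OP
        ("state", state),
    ]
    if client_id:
        params.append(("client_id", client_id))
    url = urlunsplit(parts._replace(query=urlencode(params), fragment=""))
    return url, state

def verify_logout_return(returned_url, expected_uri, expected_state):
    """Check the browser came back to the registered URI carrying our state."""
    got, want = urlsplit(returned_url), urlsplit(expected_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return False
    returned_state = dict(parse_qsl(got.query)).get("state", "")
    # Constant-time comparison of the echoed state against the stored one.
    return hmac.compare_digest(returned_state.encode(), expected_state.encode())
```

The local session should be invalidated before the redirect is sent, so that a failed or abandoned round trip to the provider does not leave the user logged in on the relying party.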