Logout triggers OP unauthenticated session creation #1473
After processing the oxTrust logout request, oxAuth sends the next page:
As a result, the browser makes 2 requests:
The first request calls the page which triggered this RP logout flow. But this leads to starting an authentication flow, because /logout is a protected page. We can add a flag to the oxTrust session that the end_session request was sent and refactor the code to avoid triggering a security exception when the user is logged out (after the redirect from the OP).
The purpose of the front-channel logout URI is to clean up the RP session and set the RP in the logout state. The front-channel logout URI can be hit by this RP (1) or by any other RP (2) that takes part in the authentication flow. Imagine that RP2 initiated logout; then the front-channel logout URI is hit, so RP1 goes to the logout state too. I think we should not initiate an authentication flow for it, since we can get many such calls (think about the use case where an RP does not provide frontchannel_logout_uri, thus is not in the logout state, and as a result will hit RP1's logout endpoint). I guess
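To make the two points in this thread concrete, here is an added example (not oxTrust or oxAuth code; the `Rp` class, the `/frontchannel_logout` and `/logout` paths, the `OP_ISSUER` value and the `honor_logout_flag` switch are all hypothetical): an RP that records a "logged out" flag on its session, validates the `iss`/`sid` pair on a front-channel logout callback before acting on it, and serves the post-logout page instead of starting a new authentication flow when the OP has already ended the session.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

OP_ISSUER = "https://op.example.test"          # constructed, hypothetical OP
OP_AUTHZ = OP_ISSUER + "/authorize"             # where the auth filter would redirect
OP_END_SESSION = OP_ISSUER + "/end_session"


@dataclass
class RpSession:
    sid: str                    # OP session id taken from the ID token at login
    user: Optional[str] = None
    logged_out: bool = False    # "end_session sent / OP ended us" flag proposed above


@dataclass
class Rp:
    sessions: Dict[str, RpSession] = field(default_factory=dict)  # cookie -> session

    def login(self, cookie: str, user: str, sid: str) -> None:
        self.sessions[cookie] = RpSession(sid=sid, user=user)

    def handle(self, cookie: str, url: str, honor_logout_flag: bool = True) -> Tuple[int, str]:
        parsed = urlparse(url)
        query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        session = self.sessions.get(cookie)
        if parsed.path == "/frontchannel_logout":
            # Unprotected by design: only clean up the local session and return 200.
            # Act only when iss/sid match the stored session, so an unrelated or
            # forged call cannot log the user out; never redirect to the OP here.
            if session and query.get("iss") == OP_ISSUER and query.get("sid") == session.sid:
                session.logged_out = True
                session.user = None
            return 200, "ok"
        if parsed.path == "/logout":
            if session and session.logged_out and honor_logout_flag:
                # The fix: a session the OP already ended must not re-enter the
                # authentication flow when the browser is redirected back here.
                return 200, "You have been logged out"
            if session is None or session.user is None:
                # Original behaviour: protected page + no authenticated user
                # => the security filter starts a new authentication flow.
                return 302, OP_AUTHZ
            session.logged_out = True          # RP-initiated logout: remember it
            return 302, OP_END_SESSION
        return 404, "not found"
```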