
End Session Endpoint Support in Dex #1697

Open
matt-coppola opened this issue Apr 22, 2020 · 5 comments

Comments

@matt-coppola

matt-coppola commented Apr 22, 2020

The Ask:

I would like to get feedback on my proposal to implement an end_session_endpoint in Dex. I plan to implement the proposed changes and create a pull request for it and would like some feedback / opinions from the maintainers of Dex and the community.

Introduction:

This draft OIDC spec https://openid.net/specs/openid-connect-session-1_0.html defines a method for clients to end their session with the upstream provider. Dex currently has no support for this, but as a transparent OIDC connector I believe it should, in that it should support ending the session with the upstream. I understand Dex has no concept of sessions, but the upstream providers (Active Directory for instance) do. As such there is currently no way for a client to end its upstream session via Dex.

I am aware of the following two tickets related to session management in dex:
#963
#1677

I believe my request differs from these in that Dex, in order to be a transparent OIDC provider, needs to support interacting with upstreams (some of which have the concept of a session). My understanding is that from the client's perspective there should be no difference in behaviour whether it authenticated with the upstream provider directly or authenticated with the upstream provider via dex.

Proposal:

The changes I intend to implement are as follows:

Expose an end_session_endpoint for dex. This endpoint would expect the ID Token hint and the optional parameters specified here: https://openid.net/specs/openid-connect-session-1_0.html#RPLogout. The endpoint handler would in turn look up the provider that issued the ID token and forward the request to the upstream provider's end_session_endpoint. It would return a redirect to the client to bring them to the logout URL for the upstream. If the upstream provider does not support an end_session_endpoint, this handler would log and return.

In order to facilitate this I would need to store a mapping of the ID Token to the provider who issued it (or at least the end session endpoint of the provider).

Thank you for your time and consideration.

@Asuforce

Sounds nice. I need this function 👍

@al45tair
Contributor

Rather than storing a mapping of the ID token to the issuing provider, why not put the issuing provider into the ID token as a custom claim? That way there's no extra storage requirement.
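As an added example (not code from this issue or from Dex itself), this is how the lookup step of the proposal could resolve the upstream logout target when the issuing connector is carried in the ID token as a custom claim, as suggested above. The `connector_id` claim, the connector-to-endpoint map, the example URLs and the HS256 demo key are all constructed assumptions; the point it adds is that the hint's signature and issuer are checked before any claim is allowed to pick a redirect target.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Constructed sample config: upstream end_session_endpoint per Dex connector ID ("" = upstream has none).
var upstreamEndSession = map[string]string{
	"corp-ad": "https://adfs.example.test/adfs/oauth2/logout",
	"github":  "",
}

// Constructed HS256 demo key; Dex signs with RS256, so a real handler verifies against Dex's own keys.
var hintKey = []byte("constructed-demo-key")
var enc = base64.RawURLEncoding

type hintClaims struct {
	Iss       string `json:"iss"`
	Connector string `json:"connector_id"` // hypothetical custom claim naming the issuing connector
}

func sign(input string) string {
	mac := hmac.New(sha256.New, hintKey)
	mac.Write([]byte(input))
	return enc.EncodeToString(mac.Sum(nil))
}

// mintHint signs claims as the issuer would; used here only to construct test input.
func mintHint(c hintClaims) string {
	body, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	return input + "." + sign(input)
}

// endSessionTarget verifies signature and issuer before any claim is trusted (the claims pick the
// redirect target), then resolves the upstream logout URL; "" means: log and return, nothing to forward.
func endSessionTarget(tok, issuer string) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(sign(p[0]+"."+p[1]))) {
		return "", errors.New("id_token_hint missing, malformed or not signed by this Dex")
	}
	raw, err := enc.DecodeString(p[1])
	var c hintClaims
	if err != nil || json.Unmarshal(raw, &c) != nil || c.Iss != issuer {
		return "", errors.New("id_token_hint claims unreadable or issuer mismatch")
	}
	return upstreamEndSession[c.Connector], nil
}
```

The HTTP handler around this would issue a 302 to the returned URL (passing through `state`), and respond with a 4xx on error rather than redirecting anywhere the hint names.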

@nbjohnson

Are there any updates on this? I need support to be able to log out of SSO in the OIDC connector. OIDC provides an end_session_endpoint return; is it possible to use that to implement a logout?

@Raboo

Raboo commented Jan 4, 2023

I just encountered this when I tried to get StackGres working with dex. Well, it doesn't.
I created an issue in the StackGres repo; perhaps they will work around this lack of implementation that dex has.
https://gitlab.com/ongresinc/stackgres/-/issues/2125

@m44soroush

Please implement this feature, it's really useful.
