
Require a redirect flow for end_session endpoint handling #52

Open
markphillips100 opened this issue Mar 16, 2018 · 17 comments

Comments

@markphillips100

I've forked here and added support for the end_session endpoint similar to the existing authorize endpoint. It's working for my purposes.

Rather than submit a pull request, and in the spirit of the contributing guidelines, I thought I'd best ask if this is the direction you want to go?

@tikurahul
Collaborator

tikurahul commented Mar 22, 2018

Hi @markphillips100. Sorry about the delay. I promise to take a look at this soon. Is there a public provider that implements end session handling? Also, is there an RFC that I can look at?

@markphillips100
Author

I only know of the open id specs: http://openid.net/specs/openid-connect-session-1_0-00.html. As for support from public openid providers I imagine all that say they are "open id compliant" would implement the end_session (single sign-out) endpoint. As an example, AAD v2.0 does: AAD single sign-out.

If you want an example of a really good JS client library implementing all the openid endpoints I highly recommend oidc-client-js. It's specifically written for Single-Page App Javascript clients using the Implicit flow so not suitable for a native app. However, its use of end_session, token, and also quite importantly, jwks_uri endpoint for validation should be useful examples.

@WilliamDenniss
Member

This is the current draft of the logout spec http://openid.net/specs/openid-connect-session-1_0.html#RPLogout (Section 5, in draft 28), and what we implemented in AppAuth for iOS. Note that the one linked in the previous comment is a very old draft (version -00) that should not be used. As a warning, the FrontChannel draft contains some duplicated information and is also a little out of sync, so be sure to use the correct authoritative draft for Logout.

Before implementing EndSession on iOS, we refactored APIs related to opening the Authorization Request in the user agent, and made them generic. That was done in: openid/AppAuth-iOS#212. So now "Authorization Requests" and "End Session" requests are specializations of a generic "External User Agent" request. Once that change was made, supporting EndSession was fairly simple.

@WilliamDenniss
Member

See also the same feature request for AppAuth for Android.

@markphillips100
Author

markphillips100 commented Oct 9, 2018

@tikurahul is it likely that this library will support something like what @WilliamDenniss described? So, assuming end session and user info endpoints don't get implemented, we can at least extend the library for that support.

My fork adds support for end session and userinfo because I need them but would prefer a way of extending the library externally. I admit I haven't looked at the v1 release to see if I still need to do this.

@tikurahul
Collaborator

AppAuth-JS 1.0 does not yet support the end session redirect handler and the userInfo API. Both I think would be very useful to have. There are some structural changes in AppAuth-JS 1.0, but for the most part your commits look like very reasonable additions to the library. When you say you wanted to extend the library, were you referring to dedicated APIs? You have already extended the library afaict. 😃

@markphillips100
Author

markphillips100 commented Oct 9, 2018 via email

@nmocruz

nmocruz commented Mar 22, 2019

Is there any estimate for integrating this? I think that end session is really important; building an app and not letting the user sign out or end the session is like delivering something incomplete.

@wi3land

wi3land commented Apr 10, 2019

If you are using ionic you could use my package; it is built off app-auth-js and includes both user info and end session handlers: ionic-appauth

@nmocruz

nmocruz commented Dec 4, 2019

Still no support for this?

@boehmchen

boehmchen commented Nov 10, 2020

Any updates on how to logout/ end_session? I would love to have this feature.

@arssly

arssly commented Aug 31, 2021

Any reason why the end session redirect handler has not yet been added to the library? Would you appreciate a PR regarding the end session redirect handler?

@jamesjenkinsjr

Any updates? Just had this come up in the app I'm currently tasked with working on.

@danilocontini

Still no way to logout/end_session?

@danilocontini

danilocontini commented Apr 20, 2022

It works for me:

import { AuthorizationServiceConfiguration, FetchRequestor } from '@openid/appauth'

export const logout = () => AuthorizationServiceConfiguration.fetchFromIssuer(process.env.OPENID_CONFIG_URL, new FetchRequestor())
  .then((configResponse) => {
    // The ID token (raw JWT string) saved from the token response; read from browser localStorage
    const idTokenHint = JSON.parse(window.localStorage.getItem('token'))?.idToken
    // post_logout_redirect_uri is a full URL, so both values are percent-encoded before being placed in the query
    const logoutReqURL = `${configResponse.endSessionEndpoint}?id_token_hint=${encodeURIComponent(idTokenHint)}&post_logout_redirect_uri=${encodeURIComponent(process.env.OPENID_REDIRECT_URL)}`
    return (window.location.href = logoutReqURL)
  })

@cocoBiturbo

Hello @danilocontini !

I'm actually doing the same logout/end_session for keycloak and I tried your code but it only works without the param. With the param I get an error "Invalid parameter: id_token_hint". The fact is I don't really know what the idTokenHint is. Is it the accessToken/refreshToken of the user? Could you tell me what you put in this variable if you don't mind?

Have a nice day !

@hb0

hb0 commented Aug 1, 2023

@cocoBiturbo

A bit late, but for future readers:
What danilocontini posted worked for me with Keycloak; you need to inject the idToken which you receive in your token request:

import { BaseTokenRequestHandler, FetchRequestor } from '@openid/appauth'

// Assumed setup (not in the original snippet): the handler that performs the token request
const tokenHandler = new BaseTokenRequestHandler(new FetchRequestor())

tokenHandler.performTokenRequest(authServiceConfiguration, tokenRequest)
  .then((tokenResponse) => {
    // tokenResponse.idToken is the encoded ID token JWT string; pass it unchanged
    // as id_token_hint to the end_session endpoint, not its decoded JSON payload
    // ....
  })

In my case I received "Invalid parameter: id_token_hint" when I accidentally tried to inject the decoded idToken JSON object instead of the encoded idToken JWT string, which works.
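An added example, not AppAuth-JS code nor any commenter's, that builds the same RP-Initiated Logout request the snippets above assemble by hand: every parameter is percent-encoded, and an id_token_hint that is not a compact JWT string (the decoded-object mistake described just above) is rejected before any redirect. The issuer URL, config object and ID token are constructed sample values.

```javascript
// Added example (not AppAuth-JS code): build an OIDC RP-Initiated Logout URL
// from provider metadata, with encoded parameters and an id_token_hint check.

// A compact JWT/JWS is three dot-separated base64url segments. Passing the
// decoded payload object instead yields "Invalid parameter: id_token_hint".
function isCompactJwt(value) {
  if (typeof value !== 'string') return false;
  const parts = value.split('.');
  return parts.length === 3 && parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p));
}

// `config` mirrors the endSessionEndpoint field of AppAuth-JS's
// AuthorizationServiceConfiguration (assumed shape; only that field is read).
function buildEndSessionUrl(config, { idTokenHint, postLogoutRedirectUri, state }) {
  if (!config.endSessionEndpoint) {
    throw new Error('provider metadata has no end_session_endpoint');
  }
  if (!isCompactJwt(idTokenHint)) {
    throw new Error('id_token_hint must be the encoded ID token string, not its decoded payload');
  }
  const url = new URL(config.endSessionEndpoint);
  // URLSearchParams encodes "?", "=", "/" and ":" so a full redirect URL
  // survives as one parameter value instead of being split by the provider.
  url.searchParams.set('id_token_hint', idTokenHint);
  if (postLogoutRedirectUri) {
    url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  }
  // Optional state is echoed back on post_logout_redirect_uri, letting the
  // app tie the return visit to the logout request it made.
  if (state) url.searchParams.set('state', state);
  return url.toString();
}

// Constructed sample data: an example issuer and the public jwt.io demo
// token; neither is a real provider or a real session.
const SAMPLE_CONFIG = {
  endSessionEndpoint: 'https://issuer.example/protocol/openid-connect/logout',
};
const SAMPLE_ID_TOKEN =
  'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

const logoutUrl = buildEndSessionUrl(SAMPLE_CONFIG, {
  idTokenHint: SAMPLE_ID_TOKEN,
  postLogoutRedirectUri: 'https://app.example/signed-out?from=logout',
  state: 'c7e2f1',
});
console.log(logoutUrl);
```

In a browser the returned URL is what you assign to window.location.href; the thrown error is what you would have seen as the provider's "Invalid parameter" response.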
