Security Issue - Pangolin needs RP-Initiated Logout for OIDC #2405
Macflurry26 started this conversation in Feature Requests
You’ve raised a good point regarding session persistence. Your
assessment is correct: without RP-Initiated Logout, the Authentik
session remains active, creating a possible security risk on shared or
public workstations.
This is a recognized challenge in OIDC integrations, and implementing a
'Logout URL' to trigger the OIDC end-session endpoint is the standard
industry solution to ensure a true Single Log Out experience. We will
look into adding support for a post-logout redirect to ensure that
ending a Pangolin session securely terminates the provider session as well.
Summary
When using OIDC with Authentik, logging out of Pangolin does not terminate the session with Authentik, allowing ANYONE to click the OIDC button and authenticate without providing credentials.
When I log into Pangolin using OIDC, a session token is created with Authentik; I use the publicly shared resources and then log out with Pangolin. However, this does not end the session token in Authentik. Clicking logout brings you to the login page, and any user will think that they are following good security practice to secure their workstation, but if you click on the OIDC login button it takes you straight back into the resources page as if you were the previous user, as the token hasn't been terminated.
Pangolin really needs Single Log Out, as it is the entry and exit point that people see for the resources, so they should use that single portal to log in securely and log out securely. At present, the only way to end the session is for users to visit an Authentik portal, which is supposed to be invisible to the process, or to force users into another application that supports SLO just to properly end their session.
Motivation
As the idea is to use resources over a public connection, if this session isn't terminated properly then anyone with access to that machine can re-access the resources without authenticating again, even though the user thinks they logged out. This applies whether it's a public machine where the next user has access, or an organisation with hotdesks where someone with elevated rights or access to sensitive information is followed by someone who shouldn't have that access.
This also means that you can't switch users without forcing the users to go to an Authentik dashboard to properly log the session out.
Proposed Solution
In the OIDC settings page there needs to be a logout URL field that redirects to Authentik/OIDC on logout, and then Authentik can use the post-logout redirect URL to return to Pangolin's login page once the session is terminated.
Alternatives Considered
Users either have to manually visit the OIDC provider and access a dashboard to terminate their sessions or be forced to visit an application that supports RP Logout to end their session, which defeats the point of trying to seamlessly integrate SSO.
Additional Context
No response
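The flow proposed above, as an added example that is not Pangolin's or Authentik's code: build the RP-Initiated Logout redirect from the provider's discovery document (`id_token_hint`, `post_logout_redirect_uri`, `state`), refuse any post-logout URI the relying party has not registered, and only clear the local session once the provider returns with the expected `state`. All endpoint, token and URI values are constructed samples.

```typescript
// Added example (not Pangolin's code). Names and sample values are constructed.

interface DiscoveryDocument {
  issuer: string;
  // Absent when the provider does not support RP-Initiated Logout.
  end_session_endpoint?: string;
}

interface LogoutRequest {
  idToken: string;               // id_token_hint: ID token of the session being ended
  postLogoutRedirectUri: string; // where the provider sends the browser afterwards
  state: string;                 // echoed back so the RP can tie the return to this logout
}

// Build the end-session redirect. The post_logout_redirect_uri must exactly match one
// registered with the provider; a permissive provider would otherwise act as an open
// redirector, so the RP checks it too rather than trusting the provider to do so.
function buildEndSessionUrl(
  discovery: DiscoveryDocument,
  req: LogoutRequest,
  registeredRedirects: readonly string[],
): string {
  if (!discovery.end_session_endpoint) {
    throw new Error(`${discovery.issuer} advertises no end_session_endpoint`);
  }
  if (!registeredRedirects.includes(req.postLogoutRedirectUri)) {
    throw new Error(`post_logout_redirect_uri not registered: ${req.postLogoutRedirectUri}`);
  }
  const url = new URL(discovery.end_session_endpoint);
  url.searchParams.set("id_token_hint", req.idToken);
  url.searchParams.set("post_logout_redirect_uri", req.postLogoutRedirectUri);
  url.searchParams.set("state", req.state);
  return url.toString();
}

// On the return trip to the RP's post-logout URI, only treat the provider session
// as ended if the state matches the one stored before redirecting.
function verifyPostLogoutReturn(returnUrl: string, expectedState: string): boolean {
  return new URL(returnUrl).searchParams.get("state") === expectedState;
}

// Constructed sample discovery data, shaped like an Authentik application but not real.
const SAMPLE_DISCOVERY: DiscoveryDocument = {
  issuer: "https://auth.example.com/application/o/pangolin/",
  end_session_endpoint: "https://auth.example.com/application/o/pangolin/end-session/",
};
const REGISTERED_REDIRECTS: readonly string[] = ["https://pangolin.example.com/auth/login"];
```

The local Pangolin session should be cleared only after `verifyPostLogoutReturn` succeeds; clearing it before the redirect leaves a half-logged-out state if the provider round trip fails.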