MDL-75033

OAuth2 single sign out (aka "RP-initiated logout")

    • MOODLE_311_STABLE
    • feature/oauth2-logout
      1. Configure an OAuth provider (using the following procedure: https://docs.moodle.org/400/en/OAuth_2_services) that supports the `end_session_endpoint`. I've seen Azure AD does support that, and I can imagine this is pretty common nowadays. I use keycloak for my tests, and I can send you some credentials if you want to test with my server.
      2. With the current version:
        1. Click on the OAuth provider button
        2. Enter your credentials
        3. Log out from moodle
        4. Click the OAuth button to log in again
        5. Confirm that you are logged in without being prompted for your credentials
        6. Log out again and close your browser
      3. Apply the fix on your code
      4. Do the procedure again from step 2.1 through 2.4, then
        1. Confirm that you are now required to enter your credentials again
        2. Enter your credentials
        3. Log out from moodle
        4. Verify that you are redirected to the logout page of your identity provider (which may ask for confirmation before logging out)
        5. Verify that you are redirected back to the moodle page.

      I want to be able to use moodle with OpenId Connect/ OAuth2, using keycloak as the identity provider.

      Everything works well with the built-in OAuth2 plugin, except that logging out of moodle doesn't log the users out using the OAuth2 server.

      This is a problem because my users use a shared computer: they log in using their account, and when they log out, they only log out of moodle. The next user would just click on the SSO button and get authenticated as the previous user, without being prompted for a password.

      My proposal

      • Optional: Add a checkbox on the OAuth IdentityProvider configuration page to enable "federated logout". The new behavior would be enabled only if checked.
      • Take into account the end_session_endpoint. On logout, the user is redirected to this page, with the following parameters:

        • post_logout_redirect_uri: The URL where the user will be redirected after logout.
        • id_token_hint: The ID token of the user (this is required by keycloak at least)
        • state: If there is something to pass...

      Basically, what I want is described here: https://openid.net/specs/openid-connect-rpinitiated-1_0.html
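The redirect described in the proposal, as an added Python example that is not part of this issue or of Moodle's own code: it builds the end_session_endpoint URL from OIDC discovery metadata, falls back to a local-only logout when the issuer advertises no end_session_endpoint, refuses a post_logout_redirect_uri that was not registered for the client, and checks the state echoed back by the identity provider before the local session is closed. The issuer URL, the callback URL and the ID token value are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of the discovery document subset that matters here.
# A real issuer publishes it at <issuer>/.well-known/openid-configuration.
DISCOVERY = {
    "issuer": "https://idp.example.test/realms/moodle",
    "end_session_endpoint": "https://idp.example.test/realms/moodle/protocol/openid-connect/logout",
}

# post_logout_redirect_uri values registered with the IdP for this client
# (constructed placeholder). Anything else must be rejected, never forwarded.
REGISTERED_POST_LOGOUT_URIS = {"https://moodle.example.test/login/logout_callback.php"}


def build_end_session_url(discovery, id_token, post_logout_redirect_uri):
    """Return (url, state) for the RP-initiated logout redirect.

    Returns (None, None) when the issuer has no end_session_endpoint, so the
    caller keeps the current local-only logout for such providers."""
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        return None, None
    if post_logout_redirect_uri not in REGISTERED_POST_LOGOUT_URIS:
        raise ValueError("post_logout_redirect_uri is not a registered URI")
    # Unguessable state, to be stored in the local session so the callback
    # can be tied to the logout this RP actually started.
    state = secrets.token_urlsafe(32)
    params = {
        "id_token_hint": id_token,  # required by Keycloak, as the issue notes
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return f"{endpoint}?{urlencode(params)}", state


def logout_callback_is_valid(callback_url, expected_state):
    """Check the state the IdP echoed back before finishing local logout."""
    query = parse_qs(urlsplit(callback_url).query)
    returned = query.get("state", [""])[0]
    return bool(expected_state) and hmac.compare_digest(returned, expected_state)
```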

      Reporter: jeremyvignelles