Timshel/vaultwarden

Logout via OIDC not working/not implemented?

kosssi opened this issue · 6 comments

When I log out from my vaultwarden web UI, I would prefer to also log out of my OIDC provider (Authelia). For example, Nextcloud implements this in its application https://github.com/pulsejet/nextcloud-oidc-login with the oidc_login_logout_url variable.

Otherwise, from my point of view, it is a security vulnerability. Many open source tools do not implement this, and clearly it is complicated to explain to non-advanced users.

The same issue on:

Really thank you for the time you spend on this issue.
Hoping that my issue doesn't delay the arrival in a release any further ;)

Hey,
It's not implemented.
Just checked again, and looking at the client code there is a signedOutCallbackPath, so something might be possible.

Hey, had a look again and I don't think it's implemented:

  • The signedOutCallbackPath is present but never used, from what I can find.
  • Logout logic should be there, and I don't see anything.

Hey @spatical, sorry to ping you directly, but I believe you have access to a Bitwarden instance with SSO configured.
Can you maybe confirm that OIDC Logout (SLO?) is not supported, or whether I need to search again? :)

So if it did support SLO, the expectation would be that when I log out of vaultwarden it would also log me out of my SSO provider?

When I log out on vault.bitwarden.com and my SSO is attached to Google, my browser is still logged in to Google even though bitwarden is now logged out.

My opinion is that the logout as is now in vaultwarden is what I would expect.

Yes, my understanding is that it should invalidate your session. But without additional configuration it might not log you out of Google.
After logout, if you try to log in again, do you need to enter your login/password in the SSO, or are you directly redirected and just need to unlock the vault?

I would also love to see the logout flow implemented. E.g. for other services I can configure a logoutUrl; for authentik it is something like https://login.company.org/application/o/vaultwarden/end-session/. When redirected there, users get asked whether to only invalidate the service session or the whole session from the IdP.
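The end-session redirect described in the comments is what OpenID Connect calls RP-initiated logout: the relying party sends the browser to the IdP's end_session_endpoint with an id_token_hint and a pre-registered post_logout_redirect_uri, then checks the state on the way back. The following is an added example of that flow, not code from vaultwarden or the Timshel fork; the discovery document, client id, token and callback URL are constructed placeholders.

```python
"""Constructed example of OIDC RP-Initiated Logout (not vaultwarden's code).

Assumptions: the IdP's discovery document advertises `end_session_endpoint`
(authentik's /application/o/<slug>/end-session/ is one such endpoint); the RP
kept the user's id_token at login; the callback URI below is a placeholder,
not vaultwarden's real signedOutCallbackPath.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery-document fragment, shaped like a real IdP would serve it.
DISCOVERY = {
    "issuer": "https://login.example.org/application/o/vaultwarden/",
    "end_session_endpoint": "https://login.example.org/application/o/vaultwarden/end-session/",
}
# Placeholder: must be registered at the IdP, or the IdP will refuse to redirect back.
POST_LOGOUT_REDIRECT_URI = "https://vault.example.org/sso/signed-out"


def build_logout_redirect(discovery: dict, id_token: str, client_id: str) -> tuple:
    """Return (redirect_url, state). Keep `state` server-side and check it on return."""
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        # Without this endpoint only the local vaultwarden session can be ended,
        # which is the situation the thread describes.
        raise ValueError("IdP does not advertise end_session_endpoint")
    state = secrets.token_urlsafe(16)
    params = {
        "id_token_hint": id_token,   # lets the IdP find the session without prompting
        "client_id": client_id,
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        "state": state,              # binds the callback to this logout request
    }
    return f"{endpoint}?{urlencode(params)}", state


def verify_signed_out_callback(callback_url: str, expected_state: str) -> bool:
    """Accept the signed-out callback only if `state` matches; then the RP
    clears its own session. A mismatch means the request was not ours."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [None])[0]
    if returned is None:
        return False
    return secrets.compare_digest(returned.encode(), expected_state.encode())
```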