Sign-out of issuer-web after credential is issued successfully
esune opened this issue · 5 comments
After a credential is successfully issued, the user should be automatically signed out of the web application to prevent automatic access (without further authentication) to other services.
Currently a local sign-out is performed, however the local session seems to persist.
The issue appears to be caused by the cookies set when signing in with Keycloak, which remain in the browser.
A solution could be manually removing those cookies to reset the state of the authentication.
I believe there is an endpoint you can call to logout and invalidate the cookies. We've seen similar on other projects integrating with SiteMinder IDPs through KeyCloak. The applications have to do a dual logout, one with KeyCloak and one directly with the SiteMinder IDP. In this case it's likely only the first step that needs to be performed.
Yes, that is the standard logout procedure. I am looking at the docs for the oidc adapter, however usually triggering a provider logout means that a redirect is activated (webapp -> IdP logout -> webapp or other URL) and I am trying to silently kill the session without navigating away from my page.
It appears that it is not possible to completely sign out of the IdP without going through a redirect to invalidate the session. I will open an issue with the library maintainer to see if something could be done, but as it stands now even refactoring the webapp to expose an unprotected "success" page would not be really feasible since the post_logout_redirect_uri points to a value set in the OIDC configuration - which is the homepage, used for standard sign-out task when clicking the button in the header.
See this issue.
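For the distinction this thread turns on (a local sign-out that leaves the Keycloak session cookies in place versus a provider logout, which is an OIDC RP-Initiated Logout request and therefore a browser redirect), here is an added example that is not part of the issue or the project's code. The issuer, end_session_endpoint, client URIs and the unsigned sample token are hypothetical placeholders.

```javascript
// Added example, not code from the issue or the project it discusses.
// A local sign-out only drops the web app's own session; ending the
// Keycloak (IdP) session requires sending the browser to the provider's
// end_session_endpoint with an RP-Initiated Logout request, after which
// the IdP redirects to a post_logout_redirect_uri registered for the client.

// Normally read from <issuer>/.well-known/openid-configuration (placeholders).
const DISCOVERY = {
  issuer: "https://idp.example.test/realms/demo",
  end_session_endpoint:
    "https://idp.example.test/realms/demo/protocol/openid-connect/logout",
};

// Post-logout URIs registered for this client at the IdP. Providers honour
// only an exact match, so an unregistered "success" page would be rejected.
const REGISTERED_POST_LOGOUT_URIS = ["https://app.example.test/"];

// Decode the JWT payload only (no signature check here: the token was
// validated when it was received; we just need its claims for a sanity check).
function idTokenClaims(idToken) {
  const payload = idToken.split(".")[1];
  const b64 = payload.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

function buildRpInitiatedLogoutUrl({ idToken, postLogoutRedirectUri, state }) {
  if (!REGISTERED_POST_LOGOUT_URIS.includes(postLogoutRedirectUri)) {
    throw new Error(`unregistered post_logout_redirect_uri: ${postLogoutRedirectUri}`);
  }
  // Only hand the IdP a token it issued; a foreign token is a configuration bug.
  if (idTokenClaims(idToken).iss !== DISCOVERY.issuer) {
    throw new Error("id_token_hint was not issued by the configured issuer");
  }
  const url = new URL(DISCOVERY.end_session_endpoint);
  // id_token_hint tells the IdP which session to end without prompting the user.
  url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  if (state) url.searchParams.set("state", state);
  return url.toString(); // the browser must be navigated here; no silent option
}

// Constructed, unsigned token for illustration only (alg "none", empty signature).
function sampleIdToken(iss) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o)).toString("base64")
      .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
  return `${enc({ alg: "none" })}.${enc({ iss, sub: "user-1" })}.`;
}
```

Clearing the app's own cookies without this redirect leaves the IdP session alive, which is why a subsequent visit to another client behind the same Keycloak realm signs in without a prompt.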