OIDC: missing logout link #2143
Comments
Are you referring to the session on the OIDC provider (e.g. Google) being active? It is very unusual for an OAuth application to sign the user out of the OAuth provider and all sessions. I haven't seen this in action anywhere. I can see that the spec has been added recently, but this isn't a bug. Can you cite some examples of applications that support this?
Yes, I mean the session on the OIDC provider. It's like single sign-on, where I only have to sign in once. Single sign-out means that I don't have to log in to every application. It is enough if I log out in one application. See this example of single sign-out: https://developers.redhat.com/articles/2022/12/07/how-implement-single-sign-out-keycloak-spring-boot Our users were irritated that they were logged in again after logging out without entering their access data. The question was: how can we really log out?
I think it's a good feature. Non-technical users can't understand why, when they click on logout, it's not really a logout ;) I used these softwares which implement this:
I find it important for security ;)
That's very helpful @kosssi. listmonk uses the coreos/go-oidc package. Looks like it does not support backchannel logout yet: coreos/go-oidc#211 Let me comment on the issue there and see 🤞
Version:
Description of the bug and steps to reproduce:
No logout URL definition for OAuth providers (OIDC). When the user clicks logout, you need to call a link of the OAuth provider with a redirect to the domain where listmonk is accessible. Currently listmonk does not have an option to define a logout URL in the OIDC SSO settings, and the logout is only local. The session on the OAuth provider is not closed. Therefore you are not really logged out. When you click on the login button the next time, you will be redirected to the OIDC provider, where your session is still active, and you will be immediately redirected to listmonk again without entering your credentials.
Expected behavior
When I log out, you have to call the OAuth provider endpoint with a redirect URL to the listmonk domain. For that you need to define that endpoint in the OIDC SSO settings. Currently there is no such setting, and the logout link is wrong when you use OIDC.
More information here:
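As an added example (not listmonk's code and not the go-oidc API), this shows how an application could implement the RP-initiated logout the issue asks for: it reads `end_session_endpoint` from the provider's discovery document and builds the browser redirect with `id_token_hint` and `post_logout_redirect_uri`, falling back to local-only logout (the behaviour reported above) when the provider advertises no such endpoint. The provider host, the listmonk redirect URL and the sample discovery document are assumed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Subset of the OIDC discovery document needed for RP-initiated logout.
type providerMetadata struct {
	EndSessionEndpoint string `json:"end_session_endpoint"`
}

// EndSessionEndpoint reads the logout endpoint from the discovery document. A
// provider advertising none cannot end its session: fall back to local logout.
func EndSessionEndpoint(discovery []byte) (string, error) {
	var md providerMetadata
	if err := json.Unmarshal(discovery, &md); err != nil {
		return "", fmt.Errorf("parse discovery document: %w", err)
	}
	if md.EndSessionEndpoint == "" {
		return "", fmt.Errorf("no end_session_endpoint advertised; only local logout possible")
	}
	return md.EndSessionEndpoint, nil
}

// BuildLogoutURL builds the logout redirect: id_token_hint names the session to
// end; post_logout_redirect_uri must be pre-registered at the provider.
func BuildLogoutURL(endSession, idToken, postLogoutRedirect string) (string, error) {
	u, err := url.Parse(endSession)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("end_session_endpoint must be an absolute https URL: %q", endSession)
	}
	q := u.Query()
	q.Set("id_token_hint", idToken)
	q.Set("post_logout_redirect_uri", postLogoutRedirect)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed sample discovery document, not fetched from a real provider.
	ep, err := EndSessionEndpoint([]byte(`{"end_session_endpoint":"https://idp.example.com/realms/demo/protocol/openid-connect/logout"}`))
	if err != nil {
		fmt.Println("falling back to local logout:", err)
		return
	}
	u, _ := BuildLogoutURL(ep, "<id-token-from-login>", "https://listmonk.example.com/admin/login")
	fmt.Println(u)
}
```

The ID token passed as `id_token_hint` is the one received at login, so the application has to keep it in its session until logout.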