Custom Social Connection - Federated Logout

What’s the best way to implement logout with an OIDC custom social connection? I checked the documentation here, but it looks like there’s only built-in support for the listed identity providers. Is there a way to configure a custom social connection to use an OIDC identity provider’s end_session_endpoint?

It can be done, but you’ll have to work for it :)

The Custom Social Connections extension works by providing a user interface that under the hood creates a connection with an oauth2 strategy using Management API v2. If you create a connection and then use Management API v2 to read it, you’ll see something like this:

  {
    "id": "{the_connection_id}",
    "options": {
      "domain_aliases": [],
      "client_id": "xxxx",
      "client_secret": "xxxx",
      "scripts": {
        "fetchUserProfile": "[...] // the script"
      },
      "authorizationURL": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
      "tokenURL": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
      "scope": "openid email https://graph.microsoft.com/User.Read https://graph.microsoft.com/Mail.Read"
    },
    "strategy": "oauth2",
    "name": "{the_connection_name}",
    "is_domain_connection": false,
    "realms": [
      "{the_connection_name}"
    ],
    "enabled_clients": [
      // the list of client ids for which the connection is enabled
    ]
  }

Now, if you want logout support, you will have to use the Management API v2’s PATCH connection endpoint to add either:

  • options.logoutUrl and set it to a fixed logout URL value.
  • options.scripts.getLogoutUrl, which takes a script capable of dynamically generating the logout URL based on the context (e.g. a returnTo URL that you might want to provide). This script should be of the function(query, callback) format, where query will be an object that contains the query string that initiated the logout request. If successful, the script should return callback(null, theLogoutUrl).

Remember that when changing the options object you need to provide the full content, so you will have to read it first, add the new property, and send the full object in the body of the PATCH request. E.g.:

PATCH /api/v2/connections/{connection_id}

{
  "options" : { 
    [...] // all existing options,
    "logoutUrl": "https://myidp.com/end_session"
  }
}

Also, if you use the UI after setting any of these options and click Save, the custom property you set before will be lost.

I’ve added a GH issue requesting direct support for this in the UI: Support for logout · Issue #32 · auth0/custom-social-connections · GitHub. No ETA or anything like that, just to keep track of it.

1 Like

Great, thank you for the helpful information! Is there documentation out there about the Management API that has information like this? I did look previously at the Management API documentation to see if this could be accomplished, but couldn’t find information with the level of detail like you provided here. Is there another location that might have this documented?

1 Like

Unfortunately, what I described above is not in the public documentation. The Product team is aware that we should document certain aspects in more detail (like the options object structure for different connection strategies), so hopefully this will be addressed in the near future.
