What’s the best way to implement logout with an OIDC custom social connection? I checked the documentation here, but it looks like there’s only built-in support for the listed identity providers. Is there a way to configure a custom social connection to use an OIDC identity provider’s end_session_endpoint?
It can be done, but you’ll have to work for it.
The Custom Social Connections extension works by providing a user interface that under the hood creates a connection with an `oauth2` strategy using Management API v2. If you create a connection and then use Management API v2 to read it, you’ll see something like this:
```json
{
  "id": "{the_connection_id}",
  "options": {
    "domain_aliases": [],
    "client_id": "xxxx",
    "client_secret": "xxxx",
    "scripts": {
      "fetchUserProfile": "[...] // the script"
    },
    "authorizationURL": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "tokenURL": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "scope": "openid email https://graph.microsoft.com/User.Read https://graph.microsoft.com/Mail.Read"
  },
  "strategy": "oauth2",
  "name": "{the_connection_name}",
  "is_domain_connection": false,
  "realms": [
    "{the_connection_name}"
  ],
  "enabled_clients": [
    // the list of client ids for which the connection is enabled
  ]
}
```
Now, if you want logout support, you will have to use the Management API v2’s PATCH connection endpoint to add either:
- `options.logoutUrl`, set to a fixed logout URL value, or
- `options.scripts.getLogoutUrl`, which takes a script capable of dynamically generating the logout URL based on the context (e.g. a `returnTo` URL that you might want to provide). This script should be of the `function(query, callback)` format, where `query` will be an object that contains the query string that initiated the logout request. If successful, the script should return `callback(null, theLogoutUrl)`.
Remember that when changing the `options` object you need to provide the full content, so you will have to read it first, add the new property, and send the full object in the body of the PATCH request. E.g.:
```
PATCH /api/v2/connections/{connection_id}
{
  "options": {
    [...] // all existing options,
    "logoutUrl": "https://myidp.com/end_session"
  }
}
```
Also, if you use the UI after setting any of these options and click Save, the custom property you set before will be lost.
I’ve added a GH issue requesting direct support for this in the UI: Support for logout · Issue #32 · auth0/custom-social-connections · GitHub. No ETA or anything like that, just to keep track of it.
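The read-modify-write described in the answer above, as an added example that is not part of the original post or the auth0/custom-social-connections extension. It assumes placeholder values for the Auth0 domain, a Management API token with read/update permission on connections, the connection id, and the IdP's end_session URL, and it assumes the IdP accepts a `post_logout_redirect_uri` parameter.

```javascript
// Build the PATCH body for a fixed logout URL. PATCH replaces "options"
// wholesale, so the existing options (client_id, scripts, ...) are spread in
// first; a body containing only the new key would silently drop them.
function buildLogoutPatch(connection, logoutUrl) {
  return { options: { ...connection.options, logoutUrl } };
}

// Alternative: a getLogoutUrl script in the function(query, callback) format.
// `query` carries the query string of the logout request; a returnTo value is
// forwarded as post_logout_redirect_uri (assumed parameter name for the IdP).
const getLogoutUrlScript = `function(query, callback) {
  var url = 'https://idp.example/end_session'; // placeholder IdP endpoint
  if (query && query.returnTo) {
    url += '?post_logout_redirect_uri=' + encodeURIComponent(query.returnTo);
  }
  callback(null, url);
}`;

// Build the PATCH body that installs the script, keeping fetchUserProfile
// and any other existing scripts intact.
function buildScriptPatch(connection, script) {
  const scripts = { ...(connection.options.scripts || {}), getLogoutUrl: script };
  return { options: { ...connection.options, scripts } };
}

// Read the connection, merge the new option, and send the full options back.
// Uses the global fetch available in Node 18+; all arguments are placeholders.
async function addLogoutUrl(domain, mgmtToken, connectionId, logoutUrl) {
  const url = `https://${domain}/api/v2/connections/${connectionId}`;
  const headers = {
    Authorization: `Bearer ${mgmtToken}`,
    'Content-Type': 'application/json',
  };
  const getRes = await fetch(url, { headers });
  if (!getRes.ok) throw new Error(`GET failed: ${getRes.status}`);
  const current = await getRes.json();
  const patchRes = await fetch(url, {
    method: 'PATCH',
    headers,
    body: JSON.stringify(buildLogoutPatch(current, logoutUrl)),
  });
  if (!patchRes.ok) throw new Error(`PATCH failed: ${patchRes.status}`);
  return patchRes.json(); // the updated connection object
}
```

As the answer notes, saving the connection again from the extension UI afterwards will drop the property, so re-run the PATCH after any UI edit.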
Great, thank you for the helpful information! Is there documentation out there about the Management API that has information like this? I did look previously at the Management API documentation to see if this could be accomplished, but couldn’t find information with the level of detail like you provided here. Is there another location that might have this documented?
Unfortunately what I described above is not in the public documentation. The Product team is aware that we should document in more detail certain aspects (like the `options` object structure for different connection strategies), so hopefully this will be addressed in the near future.