Custom Social Connection - Federated Logout

It can be done, but you’ll have to work for it 🙂

The Custom Social Connections extension works by providing a user interface that under the hood creates a connection with an oauth2 strategy using Management API v2. If you create a connection and then use Management API v2 to read it, you’ll see something like this:

  {
    "id": "{the_connection_id}",
    "options": {
      "domain_aliases": [],
      "client_id": "xxxx",
      "client_secret": "xxxx",
      "scripts": {
        "fetchUserProfile": "[...] // the script"
      },
      "authorizationURL": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
      "tokenURL": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
      "scope": "openid email https://graph.microsoft.com/User.Read https://graph.microsoft.com/Mail.Read"
    },
    "strategy": "oauth2",
    "name": "{the_connection_name}",
    "is_domain_connection": false,
    "realms": [
      "{the_connection_name}"
    ],
    "enabled_clients": [
      // the list of client ids for which the connection is enabled
    ]
  }

Now, if you want logout support, you will have to use the Management API v2’s PATCH connection endpoint to add either:

  • options.logoutUrl and set it to a fixed logout URL value.
  • options.scripts.getLogoutUrl which takes a script capable of dynamically generating the logout URL based on the context (e.g. a returnTo URL that you might want to provide). This script should be of the function(query, callback) format, where query will be an object that contains the query string that initiated the logout request. If successful, the script should return callback(null, theLogoutUrl).

Remember that when changing the options object you need to provide the full content, so you will have to read it first, add the new property, and send the full object in the body of the PATCH request. E.g.:

PATCH /api/v2/connections/{connection_id}

{
  "options" : { 
    [...] // all existing options,
    "logoutUrl": "https://myidp.com/end_session"
  }
}

Also, if you use the UI after setting any of these options and click Save, the custom property you set before will be lost.

I’ve added a GH issue requesting direct support for this in the UI: Support for logout · Issue #32 · auth0/custom-social-connections · GitHub. No ETA or anything like that, just to keep track of it.

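An added example, not part of the original post and not Auth0's own code: a getLogoutUrl script in the function(query, callback) shape described above, plus a helper that builds the full PATCH body from a connection read back from the API so no existing option or script is dropped. It assumes the return URL arrives as query.returnTo and that the IdP accepts a post_logout_redirect_uri parameter; the allowlist, the helper name buildLogoutPatch and the sample connection are constructed for illustration.

```javascript
// Script in the function(query, callback) format from the post.
// Assumptions: query.returnTo holds the caller's return URL, and the IdP's
// logout endpoint takes post_logout_redirect_uri (hypothetical for myidp.com).
var getLogoutUrl = function (query, callback) {
  var base = 'https://myidp.com/end_session';            // URL from the post's example
  var allowed = ['https://app.example.com/logged-out'];  // constructed allowlist
  var returnTo = query && query.returnTo;
  // Exact-match allowlist: an unknown returnTo is ignored rather than forwarded,
  // so the logout flow cannot be turned into an open redirect.
  if (!returnTo || allowed.indexOf(returnTo) === -1) {
    return callback(null, base);
  }
  return callback(null, base + '?post_logout_redirect_uri=' + encodeURIComponent(returnTo));
};

// Build the PATCH body: copy every existing option, then add the new script
// next to the existing ones (fetchUserProfile must survive the update).
function buildLogoutPatch(connection, script) {
  var options = Object.assign({}, connection.options);
  options.scripts = Object.assign({}, options.scripts, {
    getLogoutUrl: script.toString()   // scripts are stored as source text
  });
  return { options: options };
}

// Constructed sample of what GET /api/v2/connections/{connection_id} returns.
var sampleConnection = {
  id: 'con_EXAMPLE',
  strategy: 'oauth2',
  options: {
    client_id: 'xxxx',
    client_secret: 'xxxx',
    scripts: { fetchUserProfile: 'function(accessToken, ctx, cb) { /* ... */ }' },
    authorizationURL: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
    tokenURL: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
    scope: 'openid email'
  }
};

// Body to send with PATCH /api/v2/connections/{connection_id}.
var patchBody = buildLogoutPatch(sampleConnection, getLogoutUrl);
console.log(JSON.stringify(patchBody, null, 2));
```

Comparing the keys of patchBody.options with those of the connection you read is a quick check that nothing was dropped before the request is sent.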