we’ve using mod_auth_openidc on an current apache to secure a bunch of apps.
and the Quickstart at
My auth_openidc.conf looks like this:
OIDCProviderMetadataURL https://[CLIENT_NAME].eu.auth0.com/.well-known/openid-configuration OIDCClientID [ID_PROVIDED_BY_AUTH0] OIDCClientSecret [SECRET_PROVIDED_BY_AUTH0] OIDCSessionInactivityTimeout 300 OIDCSessionMaxDuration 3600 OIDCCookieDomain subdomain.domain.tld OIDCProviderCheckSessionIFrame https://subdomain.domain.tld/on/redirect_uri?session=iframe_op #OIDCProviderEndSessionEndpoint https://[CLIENT_NAME].eu.auth0.com/v2/logout?returnTo=https%3A%2F%2Fsubdomain.domain.tld%2Foff&client_id=V8cYwz0J9rKbgICkWsGiqunhFWtDAyNx OIDCScope "openid name email" OIDCRedirectURI https://subdomain.domain.tld/on/redirect_uri/ OIDCCryptoPassphrase [PASSPHRASE_CHOSEN_BY_CLIENT] <Location /some_location> AuthType openid-connect Require valid-user LogLevel debug </Location>
After loggin in with the Universal Login, the client got the mod_auth_openidc_session cookie from .subdomain.domain.tld
As stated in:
I send the user to:
But since the cookies isn’t removed in this process, the session is still active and the user is not logged out.
Somebody know the correct configuration to process the logout with mod_auth_openidc and auth0?