Hello,
we’re using mod_auth_openidc on a current Apache to secure a bunch of apps.
I’ve followed
and the Quickstart at
My auth_openidc.conf looks like this:
OIDCProviderMetadataURL https://[CLIENT_NAME].eu.auth0.com/.well-known/openid-configuration
OIDCClientID [ID_PROVIDED_BY_AUTH0]
OIDCClientSecret [SECRET_PROVIDED_BY_AUTH0]
OIDCSessionInactivityTimeout 300
OIDCSessionMaxDuration 3600
OIDCCookieDomain subdomain.domain.tld
OIDCProviderCheckSessionIFrame https://subdomain.domain.tld/on/redirect_uri?session=iframe_op
#OIDCProviderEndSessionEndpoint https://[CLIENT_NAME].eu.auth0.com/v2/logout?returnTo=https%3A%2F%2Fsubdomain.domain.tld%2Foff&client_id=V8cYwz0J9rKbgICkWsGiqunhFWtDAyNx
OIDCScope "openid name email"
OIDCRedirectURI https://subdomain.domain.tld/on/redirect_uri/
OIDCCryptoPassphrase [PASSPHRASE_CHOSEN_BY_CLIENT]
<Location /some_location>
AuthType openid-connect
Require valid-user
LogLevel debug
</Location>
After logging in with the Universal Login, the client got the mod_auth_openidc_session cookie from .subdomain.domain.tld.
As stated in:
I send the user to:
https://[CLIENT_NAME].eu.auth0.com/v2/logout?returnTo=https%3A%2F%2Fsubdomain.domain.tld%2Foff&client_id=CLIENT_ID_FROM_AUTH0
But since the cookie isn’t removed in this process, the session is still active and the user is not logged out.
Does somebody know the correct configuration to process the logout with mod_auth_openidc and Auth0?
Thanks, everybody.