Users can't log out with mod_auth_openidc

Hello,

we’ve been using mod_auth_openidc on a current Apache to secure a bunch of apps.
I’ve followed

and the Quickstart at

My auth_openidc.conf looks like this:

OIDCProviderMetadataURL https://[CLIENT_NAME].eu.auth0.com/.well-known/openid-configuration
OIDCClientID [ID_PROVIDED_BY_AUTH0]
OIDCClientSecret [SECRET_PROVIDED_BY_AUTH0]

OIDCSessionInactivityTimeout 300
OIDCSessionMaxDuration 3600

OIDCCookieDomain subdomain.domain.tld

OIDCProviderCheckSessionIFrame https://subdomain.domain.tld/on/redirect_uri?session=iframe_op
#OIDCProviderEndSessionEndpoint https://[CLIENT_NAME].eu.auth0.com/v2/logout?returnTo=https%3A%2F%2Fsubdomain.domain.tld%2Foff&client_id=V8cYwz0J9rKbgICkWsGiqunhFWtDAyNx

OIDCScope "openid name email"
OIDCRedirectURI https://subdomain.domain.tld/on/redirect_uri/
OIDCCryptoPassphrase [PASSPHRASE_CHOSEN_BY_CLIENT]

<Location /some_location>
   AuthType openid-connect
   Require valid-user
   LogLevel debug
</Location>

After logging in with the Universal Login, the client got the mod_auth_openidc_session cookie from .subdomain.domain.tld.

As stated in:

I send the user to:
https://[CLIENT_NAME].eu.auth0.com/v2/logout?returnTo=https%3A%2F%2Fsubdomain.domain.tld%2Foff&client_id=CLIENT_ID_FROM_AUTH0

But since the cookie isn’t removed in this process, the session is still active and the user is not logged out.

Does somebody know the correct configuration to process the logout with mod_auth_openidc and Auth0?

Thanks, everybody.

At this time the Auth0 service does not support the session management or the logout specifications that could be used for built-in integration with mod_auth_openidc.

Having said that, it should be possible to have a custom logout flow that logs the end-user out both from the Auth0 service and locally. For example, if you include a link button in the application pointing to https://[TENANT_DOMAIN]/v2/logout?returnTo=https%3A%2F%2F[MOD_AUTH_OPENIDC_DOMAIN]%2Fprotected%2Fredirect_uri%3Flogout%3Dhttps%253A%252F%252F[MOD_AUTH_OPENIDC_DOMAIN]%252Fpublic&client_id=[CLIENT_ID] then the following should happen:

  1. The navigation to https://[TENANT_DOMAIN]/v2/logout clears the session at the tenant domain level.
  2. Given you specified a returnTo URL, the previous step redirects to that URL.
  3. The redirect to https://[MOD_AUTH_OPENIDC_DOMAIN]/protected/redirect_uri?logout=https%3A%2F%2F[MOD_AUTH_OPENIDC_DOMAIN]%2Fpublic then clears the local session and finally redirects to a public page in your application.
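An added example (not from this thread, Auth0 or the mod_auth_openidc project) that builds the chained logout link from the answer above with the correct double encoding, then walks it hop by hop the way the browser would, checking that every returnTo/logout target stays on the expected hosts. The tenant domain, client id and paths are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders standing in for the bracketed values in the thread.
TENANT_DOMAIN = "example-tenant.eu.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
APP_DOMAIN = "subdomain.domain.tld"
REDIRECT_URI_PATH = "/protected/redirect_uri"   # must match OIDCRedirectURI
POST_LOGOUT_PATH = "/public"                     # unprotected landing page


def build_logout_url(tenant_domain=TENANT_DOMAIN, client_id=CLIENT_ID,
                     app_domain=APP_DOMAIN, redirect_uri_path=REDIRECT_URI_PATH,
                     post_logout_path=POST_LOGOUT_PATH):
    """Auth0 /v2/logout -> mod_auth_openidc redirect_uri?logout= -> public page.

    The final page is percent-encoded once when it becomes the `logout` value,
    and the whole mod_auth_openidc URL is encoded again when it becomes
    `returnTo`; that second pass is where the %253A / %252F in the link come from.
    """
    final_page = f"https://{app_domain}{post_logout_path}"
    local_logout = f"https://{app_domain}{redirect_uri_path}?" + urlencode({"logout": final_page})
    return f"https://{tenant_domain}/v2/logout?" + urlencode(
        {"returnTo": local_logout, "client_id": client_id})


def _first(query, key):
    return parse_qs(query).get(key, [None])[0]   # parse_qs decodes one layer


def validate_logout_chain(url, tenant_domain=TENANT_DOMAIN, app_domain=APP_DOMAIN,
                          redirect_uri_path=REDIRECT_URI_PATH):
    """Return the three hops [auth0, local logout, final page] if every hop
    is https and points at the expected host/path, else None. This is the
    check an application should apply before trusting a logout/returnTo value,
    so the chain cannot be turned into an open redirect."""
    hop1 = urlsplit(url)
    if (hop1.scheme, hop1.netloc, hop1.path) != ("https", tenant_domain, "/v2/logout"):
        return None
    return_to = _first(hop1.query, "returnTo")
    if return_to is None:
        return None
    hop2 = urlsplit(return_to)
    if (hop2.scheme, hop2.netloc, hop2.path) != ("https", app_domain, redirect_uri_path):
        return None
    final = _first(hop2.query, "logout")
    if final is None:
        return None
    hop3 = urlsplit(final)
    if hop3.scheme != "https" or hop3.netloc != app_domain:
        return None
    return [url, return_to, final]
```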
