
Implement hydra logout endpoint #75

Open
jvinolas opened this issue Mar 10, 2021 · 4 comments
Comments

jvinolas commented Mar 10, 2021

When doing a logout from a client app, this is the flow that happens:

  1. Logout from the app: https://hydra.server/oauth2/sessions/logout
  2. Hydra calls mokey: https://mokey.server/auth/logout (with a post_logout_redirect). Here Hydra expects a flow, as it sets a logout_challenge parameter on the URL (as stated in the documentation: https://www.ory.sh/hydra/docs/concepts/logout/)
  3. Looking at the code, mokey doesn't follow that flow and seems to just revoke the Hydra authentication in `func (h *Handler) Logout(c echo.Context) error {`, and after that it just redirects to /auth/login with `return c.Redirect(http.StatusFound, Path("/auth/login"))`. But, as there is no login_challenge as there is when the request comes from an app, it will not follow the OpenID flow back to the app again.

As stated in the Hydra documentation, there is a flow, and there is a post_logout_redirect_uri where the user should be redirected after logout (and also an optional logout consent page). As I understand it, mokey should get that post-logout redirect parameter from Hydra's logout flow and, in the end, redirect there (to the app), so that when the user wants to log in again, the app will redirect with the login_challenge parameter from Hydra (login flow).

Is the logout flow missing in mokey? Or am I misunderstanding the OpenID logout flow?
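The flow described above, as an added example that is not mokey's code or part of the original issue: a Go `/auth/logout` handler that reads the `logout_challenge`, fetches the pending logout request from the Hydra admin API, accepts it, and redirects the browser to the `redirect_to` URL Hydra returns (Hydra then forwards to the client's `post_logout_redirect_uri`). The admin API paths `/oauth2/auth/requests/logout` and `/oauth2/auth/requests/logout/accept` are those of the Hydra 1.x admin API (Hydra 2.x puts them under `/admin`); the admin URL, the challenges `c-rp` and `c-direct`, the subject `alice` and the redirect target are constructed test data served by an in-process fake so the example runs offline. Showing a confirmation page when `rp_initiated` is false is a design choice made here, not something the issue states.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// HydraLogoutClient talks to the Hydra admin API (AdminURL is an assumed setting, not from the issue).
type HydraLogoutClient struct {
	AdminURL string
	HTTP     *http.Client
}

// LogoutRequest is the subset of Hydra's logout request JSON this example reads.
type LogoutRequest struct {
	Subject     string `json:"subject"`
	RPInitiated bool   `json:"rp_initiated"`
}

// call sends one admin API request carrying the challenge and decodes the JSON reply into out.
func (c *HydraLogoutClient) call(method, path, challenge string, out interface{}) error {
	u := c.AdminURL + path + "?" + url.Values{"logout_challenge": {challenge}}.Encode()
	req, err := http.NewRequest(method, u, nil)
	if err != nil {
		return err
	}
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("hydra %s %s: status %d", method, path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// LogoutHandler follows Hydra's logout flow; it needs no provider session cookie, the challenge alone identifies the session.
func (c *HydraLogoutClient) LogoutHandler(w http.ResponseWriter, r *http.Request) {
	challenge := r.URL.Query().Get("logout_challenge")
	if challenge == "" {
		http.Error(w, "missing logout_challenge", http.StatusBadRequest)
		return
	}
	var lr LogoutRequest
	if err := c.call(http.MethodGet, "/oauth2/auth/requests/logout", challenge, &lr); err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	// rp_initiated=false: no OAuth2 client asked for this, so confirm rather than log the user out on a bare link.
	if !lr.RPInitiated {
		w.Header().Set("Content-Type", "text/plain")
		fmt.Fprintf(w, "confirm logout for %s\n", lr.Subject)
		return
	}
	// Real code would clear the provider's own session here; accepting returns the URL the browser must visit next.
	acc := map[string]string{}
	if err := c.call(http.MethodPut, "/oauth2/auth/requests/logout/accept", challenge, &acc); err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	http.Redirect(w, r, acc["redirect_to"], http.StatusFound)
}

// fakeHydraAdmin stands in for the Hydra admin API so the example runs offline (constructed test data).
func fakeHydraAdmin() *httptest.Server {
	known := map[string]LogoutRequest{
		"c-rp":     {Subject: "alice", RPInitiated: true},
		"c-direct": {Subject: "alice", RPInitiated: false},
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/auth/requests/", func(w http.ResponseWriter, r *http.Request) {
		lr, ok := known[r.URL.Query().Get("logout_challenge")]
		switch {
		case ok && r.URL.Path == "/oauth2/auth/requests/logout" && r.Method == http.MethodGet:
			json.NewEncoder(w).Encode(lr)
		case ok && r.URL.Path == "/oauth2/auth/requests/logout/accept" && r.Method == http.MethodPut:
			json.NewEncoder(w).Encode(map[string]string{"redirect_to": "https://hydra.example/finish-logout"})
		default:
			http.NotFound(w, r)
		}
	})
	return httptest.NewServer(mux)
}

// RunLogoutFlow drives LogoutHandler once against the fake admin API and returns status and Location.
func RunLogoutFlow(challenge string) (int, string) {
	hydra := fakeHydraAdmin()
	defer hydra.Close()
	c := &HydraLogoutClient{AdminURL: hydra.URL, HTTP: hydra.Client()}
	target := "/auth/logout?" + url.Values{"logout_challenge": {challenge}}.Encode()
	rec := httptest.NewRecorder()
	c.LogoutHandler(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Header().Get("Location")
}
```

`RunLogoutFlow("c-rp")` yields a 302 to the fake's `redirect_to`, `RunLogoutFlow("c-direct")` stops at the confirmation page, an empty challenge is rejected with 400 and an unknown one surfaces Hydra's 404 as a 502. The handler never touches a mokey cookie, which is why the cookie-less arrival from Hydra described later in this thread is not a problem once the challenge is used instead of the provider session.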

jvinolas (Author) commented

As a workaround, for now I just replaced the logout redirect in auth.go with `return c.Redirect(http.StatusMovedPermanently, "https://myapp.server")`, and it works, as the app brings the user back to the mokey login with the login_challenge.

jvinolas (Author) commented

I've found that my workaround is not working, as now, when coming from Hydra, there is no mokey cookie (no sid or user found in the session) and then the Hydra revoke fails.

aebruno (Member) commented Mar 11, 2021

> Is the logout flow missing in mokey? Or am I misunderstanding the OpenID logout flow?

Yes, this logout flow is not implemented in mokey. Currently, the logout just revokes the Hydra session using the admin API.

jvinolas (Author) commented

Any plans to implement it, to comply with the OpenID standard together with Hydra? Thanks

aebruno changed the title from "Hydra logout flow" to "Implement hydra logout endpoint" on Mar 11, 2021