FYI, we have actually run into the same problem (it seems to affect not just the delegation flow) and refreshed this topic in this new thread: CAS ignores post_logout_redirect_uri when default login/logout URL is set <https://groups.google.com/a/apereo.org/g/cas-user/c/Xr80XTJ4yj0/>.
On Sunday, 2 May 2021 at 13:30:51 UTC+2 Mahmoud Elnahrawy wrote:

> Can you tell me what exactly you did to solve your problem, please? I have the same
> case as you. Please explain in detail.
>
> On Thursday, 25 February 2021 at 12:28:42 PM UTC+3, [email protected] wrote:
>
>> Hello everybody.
>>
>> I have understood better the reason of that behavior. It's not true that
>> Oidc logout flow doesn't come into play. It builds a redirection for the
>> client to go to external Identity Provider logout url.
>> But if "cas.logout.redirectUrl" is defined, also that works as a
>> redirection built for the client. In that case, the Oidc logout redirection
>> gets overridden by the latter one.
>> If I undefine that general logout configuration, Oidc logout redirection
>> works. But the outcome is to have no redirection at all after logout, and
>> this seems quite bad.
>>
>> In my opinion, instead of "overriding", the Oidc logout flow should be
>> "merged" with that "cas.logout.redirectUrl" by building a redirection
>> request for external provider that adds a "redirect_uri" query parameter in
>> the Oidc request: so after logout from the external provider, the client
>> gets redirected again to the final logout destination. But at the moment
>> this seems not considered by current implementation of
>> "cas-server-support-pac4j-authentication" and "pac4j-oidc" libraries.
>>
>> I hope this hint can help anyone with same issue. I don't know if I can
>> suggest a feature request.
>> Thank you very much.
>>
>> Vincenzo Colonnella
>>
>> On Thursday, 18 February 2021 at 18:20:51 UTC+1 Vincenzo Colonnella wrote:
>>
>>> Hello everybody.
>>>
>>> I am running CAS 6.3.2 and set up Delegated Authentication towards an
>>> external OpenID Connect service based upon Keycloak.
>>> Authentication works fine, I get back a Principal with ID taken from the
>>> "preferred_username" field.
>>>
>>> But when application logs out from CAS, the session against the external
>>> provider keeps alive and further authentication attempts go through without
>>> credential submission.
>>> It seems that the Pac4J OidcLogoutActionBuilder does not come into play
>>> also if it should, I am having a hard time to tell why.
>>> When KeycloakOidcClient is created, OidcLogoutActionBuilder seems to be
>>> built and logoutUrl is correct (but I had to explicitly set it in
>>> configuration, otherwise it was null).
>>>
>>> I cannot understand why the authentication flow misses that logout step,
>>> I believe CAS server should send a request to that logoutUrl when client
>>> ticket is destroyed.
>>>
>>> Dependencies in build.gradle:
>>> compile "org.apereo.cas:cas-server-support-jdbc-drivers:${casServerVersion}"
>>> compile "org.apereo.cas:cas-server-support-jpa-ticket-registry:${casServerVersion}"
>>> compile "org.apereo.cas:cas-server-support-jpa-service-registry:${casServerVersion}"
>>> compile "org.apereo.cas:cas-server-support-jdbc:${casServerVersion}"
>>> compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
>>> compile "org.apereo.cas:cas-server-support-pac4j-webflow:${casServerVersion}"
>>> compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
>>> compile "org.apereo.cas:cas-server-support-rest:${casServerVersion}"
>>> compile "org.apereo.cas:cas-server-support-reports:${casServerVersion}"
>>> compile "org.apereo.cas:cas-server-support-openid:${casServerVersion}"
>>> compile "org.apereo.cas:cas-server-core-authentication-api:${casServerVersion}"
>>> compile "org.apereo.cas:cas-server-core-api-configuration-model:${casServerVersion}"
>>>
>>> CAS Configuration: cas.properties (attached)
>>>
>>> Service json: general-1001.json (attached)
>>>
>>> Sample log: sample.log (attached)
>>>
>>> Thank you very much.
>>> Vincenzo Colonnella
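The "merge" proposed in the quoted message, sketched as an added example (not code from CAS, pac4j or anyone in this thread): one redirect to the external provider's end-session endpoint that carries the final logout destination as `post_logout_redirect_uri`, but only after that destination passes an allow-list check. The endpoint URL, the allowed origin and the token value are constructed placeholders; the parameter names are those of OpenID Connect RP-Initiated Logout.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

// Added illustration; class and method names are hypothetical, not CAS or pac4j APIs.
public class MergedLogoutRedirect {

    // Assumption: origins CAS is allowed to send the browser to after logout.
    static final Set<String> ALLOWED_ORIGINS = Set.of("https://portal.example.org");

    static String origin(URI u) {
        int port = u.getPort();
        return u.getScheme() + "://" + u.getHost() + (port == -1 ? "" : ":" + port);
    }

    // Rejects relative, non-https, userinfo-bearing and unlisted targets (open-redirect guard).
    static boolean isAllowed(String target) {
        try {
            URI u = new URI(target);
            return u.isAbsolute() && u.getHost() != null && u.getUserInfo() == null
                && "https".equalsIgnoreCase(u.getScheme())
                && ALLOWED_ORIGINS.contains(origin(u).toLowerCase());
        } catch (Exception e) {
            return false;
        }
    }

    static String enc(String v) {
        return URLEncoder.encode(v, StandardCharsets.UTF_8);
    }

    // Builds the single redirect: IdP end-session endpoint plus the final destination.
    static String build(String endSessionEndpoint, String idToken, String finalDestination) {
        StringBuilder sb = new StringBuilder(endSessionEndpoint);
        sb.append(endSessionEndpoint.contains("?") ? '&' : '?');
        sb.append("id_token_hint=").append(enc(idToken));
        if (finalDestination != null && isAllowed(finalDestination)) {
            sb.append("&post_logout_redirect_uri=").append(enc(finalDestination));
        }
        return sb.toString(); // without a valid destination the IdP shows its own logout page
    }

    public static void main(String[] args) {
        String idp = "https://idp.example.org/logout"; // constructed placeholder endpoint
        System.out.println(build(idp, "ID_TOKEN_PLACEHOLDER", "https://portal.example.org/bye"));
        System.out.println(build(idp, "ID_TOKEN_PLACEHOLDER", "https://other.example.net/"));
    }
}
```

The external provider must also have the final destination registered as a valid post-logout redirect URI for the client, otherwise it will refuse the redirect even when the CAS-side check passes.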
