I hope to be wrong but... Reviewing project code I see that out that the configuration is made in the WebSecurityConfiguration <https://github.com/DSpace/DSpace/blob/dspace-7.5/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/WebSecurityConfiguration.java> : // Logout configuration .logout() // On logout, clear the "session" salt .addLogoutHandler(customLogoutHandler) // Configure the logout entry point & require POST .logoutRequestMatcher(new AntPathRequestMatcher("/api/authn/logout", HttpMethod.POST.name())) // When logout is successful, return OK (204) status .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT)) // Everyone can call this endpoint .permitAll() .and()
So there is no way to custom logout behavior. And investigating a little more about the "the action or (and) return parameter" I found the following push request with everything we would like to have: Shibboleth Single Logout support #2758 <https://github.com/DSpace/DSpace/pull/2758> Am I missing something? On Saturday, June 17, 2023 at 12:31:57 PM UTC-3 Guillermo Fernández wrote: Hello, Actually we prepare DSpace 7.5 for login using Shibboleth and it is working fine but the logout endpoint only dispose the server side session. It does not d anything (like a redirect) to logout the Shibboleth Service Provider session. The documentation about the API DSPACE/REST+Authentication <https://wiki.lyrasis.org/display/DSPACE/REST+Authentication> refers to RestContract Authentication <https://github.com/DSpace/RestContract/blob/main/authentication.md> It says for "POST /api/authn/logout" "...This invalidates the token on the server side which will results in logging out the user *on every device or browser*. It can also be called with params *action* and *return*, required by the Shibboleth Single Logout (front channel), with the same behaviour...." We are using the DSpace UI AngularJS Frontend. The Logout Button makes a POST request to the logout endpoint and we didn't find a configuration option to set de Shibboleth.sso/Logout URL. We can internal rerwrite that POST request to set the *action* or *return* parameter "required by the Shibboleth", but we don't know what the endpoint expects. Any example of invoking the logout endpoint within the parameters would be appreciated. Thanks in advance! Regards Guillermo -- All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx --- You received this message because you are subscribed to the Google Groups "DSpace Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-community/a57e3677-0cb1-420c-9b2f-a53d9fa4cbe0n%40googlegroups.com.
