[
https://issues.apache.org/jira/browse/NIFI-4889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16543572#comment-16543572
]
ASF GitHub Bot commented on NIFI-4889:
--------------------------------------
Github user mcgilman commented on the issue:
https://github.com/apache/nifi/pull/2830
@Trojan295 Thanks for the PR! The code looks good but I ran into an issue
when attempting to log out. Despite being a required field in the openid spec
[1], it appears that at least in practice [2] the `end_session_endpoint` field
is not guaranteed to be present. I think we may need to account for this
possibility in the logout endpoint.
[1] https://openid.net/specs/openid-connect-session-1_0.html#OPMetadata
[2] https://accounts.google.com/.well-known/openid-configuration
> Logout not working properly with OIDC
> -------------------------------------
>
> Key: NIFI-4889
> URL: https://issues.apache.org/jira/browse/NIFI-4889
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI
> Affects Versions: 1.5.0
> Environment: Browser: Chrome / Firefox
> Configuration of NiFi:
> - SSL certificate for the server (no client auth)
> - OIDC configuration including end_session_endpoint (see the link
> https://auth.s.orchestracities.com/auth/realms/default/.well-known/openid-configuration)
> Reporter: Federico Michele Facca
> Priority: Critical
>
> Click on logout, I would expect to log out and get redirected to the auth
> page. But given that the session is not closed on the OAuth provider, I get
> logged in again.
> I suppose the solution would be to invoke the end_session_endpoint provided
> in the openid discovery configuration.
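
The case raised in the review comment, a discovery document with no `end_session_endpoint`, as an added Python example (not NiFi's code and not part of the PR). The function names, the `idp.example` documents and the `/logged-out` path are constructed for illustration; `id_token_hint` and `post_logout_redirect_uri` are the request parameters the session management spec defines for RP-initiated logout.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed discovery documents (not copied from any real provider).
WITH_END_SESSION = json.loads("""{
  "issuer": "https://idp.example",
  "authorization_endpoint": "https://idp.example/auth",
  "end_session_endpoint": "https://idp.example/logout?realm=default"
}""")
WITHOUT_END_SESSION = json.loads("""{
  "issuer": "https://idp.example",
  "authorization_endpoint": "https://idp.example/auth"
}""")


def end_session_endpoint(metadata):
    """Return the provider's end_session_endpoint, or None if unusable."""
    value = metadata.get("end_session_endpoint")
    if not isinstance(value, str):
        return None
    parts = urlsplit(value)
    # Only redirect the browser to an absolute https URL without a fragment.
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return None
    return value


def logout_redirect(metadata, local_logout_page, id_token=None, post_logout_uri=None):
    """Pick where to send the browser after the local session is invalidated."""
    endpoint = end_session_endpoint(metadata)
    if endpoint is None:
        # Provider advertises no logout endpoint: finish with a local-only logout.
        return local_logout_page
    parts = urlsplit(endpoint)
    # Keep any query string the provider already put on the endpoint.
    query = parse_qsl(parts.query, keep_blank_values=True)
    if id_token:
        query.append(("id_token_hint", id_token))
    if post_logout_uri:
        query.append(("post_logout_redirect_uri", post_logout_uri))
    return urlunsplit(parts._replace(query=urlencode(query)))
```
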