auth-oauth2: Add optional OIDC RP-Initiated Logout support #302
Open
dhm-msd wants to merge 1 commit into
Store the id_token, end_session_endpoint URL, client_id, and post_logout_redirect_uri in the OAuth session at login time. On logout, redirect the browser to the IdP's end_session_endpoint so the IdP session is also terminated. Feature is opt-in via two new optional fields on the plugin instance config (Logout Endpoint, Post-Logout Redirect URI). When blank, signOut behaves identically to before — only the local PHP session is cleared.
Summary
The auth-oauth2 plugin currently only clears the local PHP session on logout. For OIDC providers (e.g. Keycloak, Okta), the IdP session stays alive — clicking login again silently re-authenticates the user without any credential prompt.
This PR implements RP-Initiated Logout (OIDC spec §5): after clearing the local session, the plugin redirects the browser to the IdP's `end_session_endpoint` with `id_token_hint`, `client_id`, and `post_logout_redirect_uri`. The IdP terminates its own session and redirects the user back to osTicket.
Changes

config.php
- `getLogoutUrl()` and `getPostLogoutRedirectUri()` getters to `OAuth2Config`
- `urlLogout` — the IdP's `end_session_endpoint`
- `urlPostLogout` — where to land after IdP logout; defaults to the osTicket base URL

oauth2.php
- `Token::getIdToken()` — extracts the OIDC `id_token` from the token response (stored automatically by the League OAuth2 client in `getValues()`)
- `OAuth2AuthenticationTrait::callback()` — saves `id_token`, `logout_url`, `post_logout_uri`, and `client_id` into the existing `$_SESSION[':oauth'][{id}]` session namespace at login time
- `OAuth2AuthenticationTrait::signOut()` — reads those values, calls `parent::signOut()` to clear the local session, then redirects to the IdP logout URL if one is configured

Backward compatibility
The feature is opt-in: when `urlLogout` is left blank (the default for all existing instances), `signOut()` behaves identically to before — only the local session is cleared, no redirect occurs.
Configuration (Keycloak example)
In the plugin instance settings, set:
- Logout Endpoint: `https://{keycloak-host}/realms/{realm}/protocol/openid-connect/logout`
- Post-Logout Redirect URI: `https://{osticket-host}/` (must be registered as a valid post-logout redirect URI in the IdP client)

Scopes must include `openid` so the IdP issues an `id_token` alongside the access token.
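As an added illustration of the redirect step the description outlines (this is not code from the PR or from the osTicket auth-oauth2 plugin), the following stand-alone PHP function builds the RP-Initiated Logout URL from the session values the PR stores. The session keys and the opt-in behaviour follow the description; the function name, the `https`-only check and the sample values are assumptions.

```php
<?php
// Added example, not the PR's code. Builds the OIDC RP-Initiated Logout URL
// for the IdP's end_session_endpoint from the values the plugin keeps in
// $_SESSION[':oauth'][$id]. Returns null when no logout endpoint is
// configured, so the caller falls back to clearing only the local session
// (the backward-compatible behaviour described above).

/**
 * @param array  $oauthSession          contents of $_SESSION[':oauth'][$id]
 *                                      (keys: id_token, logout_url, post_logout_uri, client_id)
 * @param string $defaultPostLogoutUri  osTicket base URL, used when post_logout_uri is blank
 */
function buildRpInitiatedLogoutUrl(array $oauthSession, string $defaultPostLogoutUri): ?string
{
    $endpoint = trim($oauthSession['logout_url'] ?? '');
    if ($endpoint === '') {
        return null; // feature is opt-in: nothing configured, nothing to redirect to
    }

    // Assumption for this example: only accept an absolute https endpoint.
    // The id_token_hint travels in the query string, so a plain-http or
    // malformed endpoint would expose the id_token in transit.
    $parts = parse_url($endpoint);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return null;
    }

    $params = [];
    if (!empty($oauthSession['id_token'])) {
        $params['id_token_hint'] = $oauthSession['id_token'];
    }
    if (!empty($oauthSession['client_id'])) {
        $params['client_id'] = $oauthSession['client_id'];
    }
    // The IdP validates this value against the client's registered
    // post-logout redirect URIs; the plugin only has to send it.
    $params['post_logout_redirect_uri'] =
        trim($oauthSession['post_logout_uri'] ?? '') ?: $defaultPostLogoutUri;

    // Keep any query string already present on the configured endpoint.
    $separator = isset($parts['query']) ? '&' : '?';
    return $endpoint . $separator . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Usage sketch with constructed values; in the plugin this would run after
// parent::signOut() has cleared the local session.
$url = buildRpInitiatedLogoutUrl($_SESSION[':oauth'][$id] ?? [], 'https://osticket.example/');
if ($url !== null) {
    header('Location: ' . $url, true, 302);
    exit;
}
```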