OIDC `logout_redirect` automatically logs user back with IdP cookie set

Hello,

We are setting up an Open OnDemand test server, using OIDC for authentication. So far we have been able to log in without an issue. We have logout_redirect set to "/oidc?logout=https%3A%2F%2Food.test.url" and logouts have generally worked as well.

However, if we set a cookie during the identity provider's (OneLogin) login process - i.e. select 'Keep me signed in' and 'Remember Me' - logging out of the OOD interface no longer works. The logged-in dashboard page stays open in Firefox while the logout redirect and the automatic login take place in the background. Looking at the Network inspector tab, the redirects show as:

 1. https://ood.test.url/oidc?logout=https%3A%2F%2Food.test.url
 2. https://organization.onelogin.com/oidc/2/logout?id_token_hint=[...]&post_logout_redirect_uri=https%3A%2F%2Food.test.url
 3. https://ood.test.url/
 4. https://ood.test.url/pun/sys/dashboard
 5. https://organization.onelogin.com/oidc/2/auth?response_type=code&scope=openid%20profile%20email%20groups&client_id=[...]&state=[...]&redirect_uri=https%3A%2F%2Food.test.url%2Foidc&nonce=[...]&code_challenge=[...]&code_challenge_method=[...]
 6. https://organization.onelogin.com/trust/openid-connect/v2?client_id=[...]&ctx=[...]&ol_oidc_issuer_url=https%3A%2F%2Forganization.onelogin.com%2Foidc%2F2
 7. https://organization.onelogin.com/oidc/2/auth/[...]/login?ctx=[...]
 8. https://organization.onelogin.com/oidc/2/auth/[...]
 9. https://ood.test.url/oidc?code=[...]
10. https://ood.test.url/pun/sys/dashboard

Here's our current ood_portal.yml:

```yaml
lua_log_level: 'trace5'

servername: ood.test.url
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/httpd.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/httpd.key"'

# Use OIDC authentication
auth:
  - "AuthType openid-connect"
  - "Require valid-user"

# Use OIDC logout
logout_redirect: "/oidc?logout=https%3A%2F%2Food.test.url"

# Capture system user name from authenticated user name
user_map_match: '^([^@]+)@.*$'

oidc_uri: "/oidc"
oidc_provider_metadata_url: "https://organization.onelogin.com/oidc/2/.well-known/openid-configuration"
oidc_client_id: "[client_id]"
oidc_client_secret: "[client_secret]"
oidc_remote_user_claim: "email"
oidc_scope: "openid profile email groups"
oidc_session_inactivity_timeout: 28800
oidc_session_max_duration: 28800
oidc_state_max_number_of_cookies: "10 true"
oidc_settings:
  OIDCPassIDTokenAs: "serialized"
  OIDCPassRefreshToken: "On"
  OIDCPassClaimsAs: "environment"
  OIDCStripCookies: "mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1"
  OIDCResponseType: "code"
```

Any help is greatly appreciated.

After additional testing and some slow back and forth with the OpenID Provider, OneLogin, we just heard back from their support:

After further discussion with our product team, we confirmed that the logout endpoint does not currently work with the “Keep Me Signed In” option. This behavior has not been acknowledged as a defect but rather classified as an enhancement request.

As a workaround we have updated logout_redirect to a public page ("/oidc?logout=https://ood.test.url/public/logout.html") with a warning about the ‘Keep Me Signed In’ option and a link to the OneLogin dashboard to log out from there if needed.

If anyone else uses OneLogin, once our 'enhancement request' is processed we can post a link, as:

Once submitted, the request will be evaluated by our [(OneLogin)] product team and prioritized based on customer votes.

Curious to hear if that sounds reasonable, or if anyone has other thoughts or advice. Thanks.
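An added check (not from the original post, OneLogin or Open OnDemand) that walks a captured redirect chain like the one in the first post and flags the two things discussed here: an IdP that issues a fresh authorization code right after `end_session` (silent re-login), and a `post_logout_redirect_uri` that lands on a protected page rather than a public one like the `/public/logout.html` workaround. Hostnames, the `/public/` prefix and the sample chain (secrets elided) are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: the redirect chain from the post, secrets replaced by ELIDED.
SAMPLE_CHAIN = [
    "https://ood.test.url/oidc?logout=https%3A%2F%2Food.test.url",
    "https://organization.onelogin.com/oidc/2/logout?id_token_hint=ELIDED"
    "&post_logout_redirect_uri=https%3A%2F%2Food.test.url",
    "https://ood.test.url/",
    "https://ood.test.url/pun/sys/dashboard",
    "https://organization.onelogin.com/oidc/2/auth?response_type=code"
    "&scope=openid%20profile%20email%20groups&client_id=ELIDED&state=ELIDED"
    "&redirect_uri=https%3A%2F%2Food.test.url%2Foidc&nonce=ELIDED",
    "https://organization.onelogin.com/oidc/2/auth/ELIDED/login?ctx=ELIDED",
    "https://ood.test.url/oidc?code=ELIDED",
    "https://ood.test.url/pun/sys/dashboard",
]

def classify(url, rp_host, idp_host):
    """Label one hop by host and by the shape of the OIDC endpoint it hits."""
    p = urlparse(url)
    q = parse_qs(p.query)
    if p.hostname == rp_host:
        if p.path == "/oidc" and "logout" in q:
            return "rp_logout"          # mod_auth_openidc logout trigger
        if p.path == "/oidc" and "code" in q:
            return "rp_callback"        # authorization code delivered to the RP
        return "rp_page"
    if p.hostname == idp_host:
        if p.path.endswith("/logout") and "id_token_hint" in q:
            return "idp_end_session"    # RP-initiated logout at the IdP
        if "response_type" in q:
            return "idp_authorize"      # new authorization request
        return "idp_other"
    return "other"

def check_logout_chain(chain, rp_host, idp_host, public_prefixes=("/public/",)):
    """Return a list of findings; empty means the logout chain looks clean."""
    kinds = [classify(u, rp_host, idp_host) for u in chain]
    findings = []
    if "idp_end_session" not in kinds:
        return ["end_session never reached: RP-initiated logout did not hit the IdP"]
    i = kinds.index("idp_end_session")
    target = parse_qs(urlparse(chain[i]).query).get("post_logout_redirect_uri", [""])[0]
    tpath = urlparse(target).path or "/"
    if not tpath.startswith(public_prefixes):
        findings.append(f"post_logout_redirect_uri lands on {tpath!r}, not a public page")
    after = kinds[i + 1:]
    if "idp_authorize" in after and "rp_callback" in after:
        findings.append("silent re-authentication: IdP issued a new code after end_session")
    return findings
```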