OIDC `logout_redirect` automatically logs user back with IdP cookie set

Hello,

We are setting up an Open OnDemand test server, using OIDC for authentication. So far we have been able to log in without an issue. We have `logout_redirect` set to `/oidc?logout=https%3A%2F%2Food.test.url` and logouts have generally worked as well.

However, if we set a cookie during the identity provider’s (OneLogin) login process - i.e. select ‘Keep me signed in’ and ‘Remember Me’ - logging out of the OOD interface no longer works. The logged-in dashboard page stays open in Firefox while the logout redirect and the automatic login take place in the background. Looking at the Network inspector tab, the redirects show as:

 1. https://ood.test.url/oidc?logout=https%3A%2F%2Food.test.url
 2. https://organization.onelogin.com/oidc/2/logout?id_token_hint=[...]&post_logout_redirect_uri=https%3A%2F%2Food.test.url
 3. https://ood.test.url/
 4. https://ood.test.url/pun/sys/dashboard
 5. https://organization.onelogin.com/oidc/2/auth?response_type=code&scope=openid%20profile%20email%20groups&client_id=[...]&state=[...]&redirect_uri=https%3A%2F%2Food.test.url%2Foidc&nonce=[...]&code_challenge=[...]&code_challenge_method=[...]
 6. https://organization.onelogin.com/trust/openid-connect/v2?client_id=[...]&ctx=[...]&ol_oidc_issuer_url=https%3A%2F%2Forganization.onelogin.com%2Foidc%2F2
 7. https://organization.onelogin.com/oidc/2/auth/[...]/login?ctx=[...]
 8. https://organization.onelogin.com/oidc/2/auth/[...]
 9. https://ood.test.url/oidc?code=[...]
10. https://ood.test.url/pun/sys/dashboard

Here’s our current ood_portal.yml:

```yaml
lua_log_level: 'trace5'

servername: ood.test.url
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/httpd.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/httpd.key"'

# Use OIDC authentication
auth:
  - "AuthType openid-connect"
  - "Require valid-user"

# Use OIDC logout
logout_redirect: "/oidc?logout=https%3A%2F%2Food.test.url"

# Capture system user name from authenticated user name
user_map_match: '^([^@]+)@.*$'

oidc_uri: "/oidc"
oidc_provider_metadata_url: "https://organization.onelogin.com/oidc/2/.well-known/openid-configuration"
oidc_client_id: "[client_id]"
oidc_client_secret: "[client_secret]"
oidc_remote_user_claim: "email"
oidc_scope: "openid profile email groups"
oidc_session_inactivity_timeout: 28800
oidc_session_max_duration: 28800
oidc_state_max_number_of_cookies: "10 true"
oidc_settings:
  OIDCPassIDTokenAs: "serialized"
  OIDCPassRefreshToken: "On"
  OIDCPassClaimsAs: "environment"
  OIDCStripCookies: "mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1"
  OIDCResponseType: "code"
```

Any help is greatly appreciated.
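The redirect chain listed in the post can be checked mechanically for the "logout followed by a fresh authorization request and code callback" pattern. This is an added example, not part of the original post; the function names are hypothetical, the `[...]` values are replaced by the constructed placeholder `REDACTED`, and some query parameters are shortened.

```python
from urllib.parse import urlsplit, parse_qs

# Redirect chain from the post; "[...]" replaced by the constructed placeholder
# REDACTED and some query parameters omitted for brevity.
CHAIN = [
    "https://ood.test.url/oidc?logout=https%3A%2F%2Food.test.url",
    "https://organization.onelogin.com/oidc/2/logout?id_token_hint=REDACTED"
    "&post_logout_redirect_uri=https%3A%2F%2Food.test.url",
    "https://ood.test.url/",
    "https://ood.test.url/pun/sys/dashboard",
    "https://organization.onelogin.com/oidc/2/auth?response_type=code"
    "&scope=openid%20profile%20email%20groups&client_id=REDACTED&state=REDACTED"
    "&redirect_uri=https%3A%2F%2Food.test.url%2Foidc&nonce=REDACTED",
    "https://organization.onelogin.com/trust/openid-connect/v2?client_id=REDACTED&ctx=REDACTED",
    "https://organization.onelogin.com/oidc/2/auth/REDACTED/login?ctx=REDACTED",
    "https://organization.onelogin.com/oidc/2/auth/REDACTED",
    "https://ood.test.url/oidc?code=REDACTED",
    "https://ood.test.url/pun/sys/dashboard",
]

def _parts(url):
    u = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(u.query).items()}
    return f"{u.scheme}://{u.netloc}{u.path}", u.netloc, query

def find_relogin_after_logout(chain):
    """Return the 1-based steps of logout -> new auth request -> code callback,
    or None when the chain ends without a new login."""
    logout = auth = None
    for step, url in enumerate(chain, start=1):
        base, host, q = _parts(url)
        if logout is None:
            if "post_logout_redirect_uri" in q:      # logout request sent to the IdP
                logout = {"step": step, "idp": host,
                          "returns_to": q["post_logout_redirect_uri"]}
        elif auth is None:
            if host == logout["idp"] and "response_type" in q and "redirect_uri" in q:
                auth = {"step": step, "redirect_uri": q["redirect_uri"],
                        "prompt": q.get("prompt")}   # None: no prompt parameter sent
        elif base == auth["redirect_uri"] and "code" in q:
            return {"logout_step": logout["step"], "returns_to": logout["returns_to"],
                    "auth_step": auth["step"], "prompt": auth["prompt"],
                    "callback_step": step}
    return None

if __name__ == "__main__":
    print(find_relogin_after_logout(CHAIN))
```

For the chain above, the result shows the logout at step 2 returning to `https://ood.test.url`, a new authorization request at step 5 that carries no `prompt` parameter, and the code callback at step 9.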