
Only redirect the user to a configured logout page if the logout was user-initiated #25569

Open
dhenneke opened this issue Jun 12, 2023 · 1 comment
Labels
A-Logout Logout, sign out, etc. O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Minor Impairs non-critical functionality or suitable workarounds exist T-Defect X-Needs-Product More input needed from the Product team

Comments

@dhenneke (Contributor)

Steps to reproduce

  1. Configure a logout_redirect_url that points to e.g. the KeyCloak logout url as proposed in Custom redirect location after logout #15829.
  2. Sign out the session from another device (or via the back-channel-logout or admin api).

Outcome

What did you expect?

The session is stopped and the user sees the login page to log in again. The logout_redirect_url should only come into effect if the user explicitly logs out of the session from the Element UI itself.

What happened instead?

The session is stopped and the user is forwarded to the configured logout URL. It is confusing when a logout happened in the background and the user is unexpectedly forwarded to the logout endpoint when they open Element in the browser.

Operating system

No response

Browser information

No response

URL for webapp

Private server

Application version

1.11.31

Homeserver

Synapse 1.78.0

Will you send logs?

No

@t3chguy (Member) commented Jun 15, 2023

I don't think this is quite so clear cut, as the point of this option is to keep logouts in sync, but given there are many things which can invalidate Matrix Access Tokens (including yourself from other devices, admins, etc.), if only local logouts are sent to the SLO URL then it'll leave a gap for other logouts to desync the logged-in state. Ideally the server would drive the SLO behaviour: as part of /logout the server should be able to be configured to pass a redirect URL which should be followed if provided; that way the server could skip the redirect URL if the IDP was the one that instigated the logout to begin with.

The docs for the option say:

  logout_redirect_url: Optional URL to redirect the user to after they have logged out. Some SSO systems support a page that the user can be sent to in order to log them out of that system too, making logout symmetric between Element and the SSO system.

which talks about aligning logout state between Element (Matrix) and the SSO IDP; if we only redirect sometimes, that breaks.

@t3chguy t3chguy added the X-Needs-Product More input needed from the Product team label Jun 15, 2023
@kittykat kittykat added S-Minor Impairs non-critical functionality or suitable workarounds exist O-Uncommon Most users are unlikely to come across this or unexpected workflow A-Logout Logout, sign out, etc. labels Jun 15, 2023
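The two policies discussed in this thread side by side, as an added example that is not Element Web's or Synapse's own code: the reporter's client-side rule (follow logout_redirect_url only for a user-initiated sign-out, show the login page for any token invalidated elsewhere) and the server-driven variant from the comment above. The `redirect_url` field in the /logout response is a hypothetical field for illustration; the M_UNKNOWN_TOKEN / soft_logout handling follows the public client-server spec.

```javascript
// Added example, not Element Web's code. Models the two ways a session can end that the
// issue describes and applies the proposed policies to each.
const LogoutReason = Object.freeze({
  USER_INITIATED: "user_initiated",       // user pressed "Sign out" in the client UI
  TOKEN_INVALIDATED: "token_invalidated", // revoked elsewhere: other device, admin API, back-channel
});

// Classify a failed homeserver response. A 401 with errcode M_UNKNOWN_TOKEN means the
// access token is no longer valid; soft_logout says whether local data may be kept.
function classifyServerError(status, body) {
  if (status === 401 && body && body.errcode === "M_UNKNOWN_TOKEN") {
    return { reason: LogoutReason.TOKEN_INVALIDATED, softLogout: body.soft_logout === true };
  }
  return null; // not a session-ending error
}

// Client-side policy proposed in the issue: follow logout_redirect_url only when the user
// explicitly signed out; any other session end just shows the login page.
function nextLocationAfterLogout(reason, config) {
  if (reason === LogoutReason.USER_INITIATED && config.logoutRedirectUrl) {
    return { action: "redirect", url: config.logoutRedirectUrl };
  }
  return { action: "show_login" };
}

function sameOrigin(a, b) {
  try {
    return new URL(a).origin === new URL(b).origin;
  } catch (e) {
    return false; // malformed URL never matches
  }
}

// Server-driven variant from the comment: the /logout response may carry a redirect URL
// (hypothetical `redirect_url` field) and omits it when the IdP started the logout. The
// client follows it only when it shares the origin of the configured logout_redirect_url,
// so the client configuration, not the response body, bounds where the user is sent.
function nextLocationFromLogoutResponse(logoutResponse, config) {
  const target = logoutResponse && logoutResponse.redirect_url;
  if (!target || !config.logoutRedirectUrl) return { action: "show_login" };
  if (!sameOrigin(target, config.logoutRedirectUrl)) {
    return { action: "show_login", rejected: target };
  }
  return { action: "redirect", url: target };
}
```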