URL param in logout options from OIDC relying party fails to show
Concerned version
Version: 2.0.13
Platform: Debian Bullseye / Nginx
Summary
Using the URL param in the logout process of an OIDC relying party adds a step to the logout process where an iframe is supposed to be shown (with the content of the URL param page), but I get a "Firefox Can't open this page" instead.
Discussion I had about it:
I'm trying with Nextcloud.
When I log out from NC, I'm redirected to a (portal) page where it asks me to confirm the logout. When I confirm the logout, I'm redirected to another page. On this page, I have a small iframe window under the "Information" category, a window that is either a "Firefox Can't Open This Page" window or the portal auth page (login + passwd form), and 2 buttons under it to wait or go on with the process.
I set up an HTML page with some text I would like to have there, and when the user has confirmed the logout, he is redirected to the portal login page.
But I can't find the correct configuration.
My cloud: cloud.mydomain.tld
Logout text msg: cloud.mydomain.tld/logout.html
Portal: auth.mydomain.tld
I set in NC config:
    'oidc_login_logout_url' => 'https://auth.mydomain.tld/',
    'oidc_login_end_session_redirect' => true,
In Oidc plugin doc:
    // Redirect to this page after logging out the user
    'oidc_login_logout_url' => 'https://openid.example.com/thankyou',
This config seems to be correct from what I want (-> the user to be back at the portal login page after logout).
In Lemon Manager:
- OpenID Connect Relying Parties -> rp-nextcloud -> Options -> Logout:
    - Allowed redirection addresses for logout:
        cloud.mydomain.tld/logout.html
        auth.mydomain.tld
    - URL: cloud.mydomain.tld/logout.html
With this set of params, I have the "Firefox can't open this page" and I see in my nginx log: "GET /logout.html?iss=https%3A%2F%2Fauth.mydomain.tld&sid=userX HTTP/2.0" 200 7 "https://auth.mydomain.tld/" "Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" "-" "cloud.mydomain.tld"
The answer is 200, so the "Firefox can't open this page" must come from Lemon and not Nginx, but I couldn't find where it's managed.
I tried several variants of these options, without success.
Now, if I could bypass this step completely, the one with the iframe and the 2 buttons asking to wait or go on with the process, I'd be happy too. But I didn't find any option for this.
There seem to be two issues here:
- LemonLDAP tries to call the logout URL of the application in an iframe, without having X-Frame-Options correctly set.
- LemonLDAP tries to iframe the logout URL of the application that has initiated the logout. It should instead filter out the initiating application and only call iframes for other applications.
So, two LemonLDAP bugs for the price of one; you should open an issue about this, and we'll take a shot at fixing it.
In the meantime, if you do not specify any "URL" parameter in the Logout configuration of your RP, the iframe will not appear, and logout should work... but only for the application initiating the logout.
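The discussion above turns on two things: the OP (here the LemonLDAP::NG portal on auth.mydomain.tld) loads the RP's logout URL in an iframe, and the RP answers with a framing policy the browser enforces by refusing to render the frame. As an added example, not LemonLDAP::NG or Nextcloud code, here is the RP-side handling of an OIDC front-channel logout request of the shape seen in the nginx log (GET /logout.html?iss=...&sid=...): the issuer is checked against the configured OP, only the session named by sid is ended, and the response carries a Content-Security-Policy frame-ancestors directive naming the OP origin rather than an X-Frame-Options header. TRUSTED_ISSUER, the sessions mapping and the session ids are constructed for the example.

```python
"""Minimal RP-side logic for an OIDC front-channel logout endpoint (added example;
not the code of LemonLDAP::NG or Nextcloud).

The OP renders the RP's logout URL inside an iframe with ?iss=...&sid=... appended.
The RP must (1) accept the request only from its configured OP, (2) end only the
session identified by sid, and (3) answer with headers that allow the OP's origin
to frame the page; an X-Frame-Options: DENY/SAMEORIGIN header on this response is
what makes the browser show a refused frame instead of the page."""
from urllib.parse import parse_qs, urlparse

# Constructed configuration: the OP issuer this RP trusts (matches the report's portal).
TRUSTED_ISSUER = "https://auth.mydomain.tld"


def frame_ancestors_header(issuer: str) -> str:
    """Build a CSP value that lets only the OP origin frame this page.
    frame-ancestors takes origins (scheme://host[:port]), not full URLs."""
    u = urlparse(issuer)
    return f"frame-ancestors {u.scheme}://{u.netloc}"


def handle_frontchannel_logout(query_string: str, sessions: dict) -> tuple[int, dict, str]:
    """Process GET /logout.html?<query_string>.

    `sessions` maps the OP-issued sid to the RP's local session id and is mutated:
    the entry for a valid request is removed. Returns (status, headers, body)."""
    params = parse_qs(query_string, keep_blank_values=True)
    iss = params.get("iss", [None])[0]
    sid = params.get("sid", [None])[0]

    headers = {
        # The page is rendered inside the OP's logout flow and must never be cached.
        "Cache-Control": "no-store",
        # Allow exactly the OP to embed this page; no X-Frame-Options header is sent,
        # because X-Frame-Options cannot express a per-origin allow-list.
        "Content-Security-Policy": frame_ancestors_header(TRUSTED_ISSUER),
    }

    if iss is None or sid is None:
        return 400, headers, "missing iss or sid"

    # Refuse logout requests attributed to any other issuer, so a page that merely
    # knows the URL pattern cannot end sessions by framing it with its own parameters.
    if iss.rstrip("/") != TRUSTED_ISSUER.rstrip("/"):
        return 403, headers, "unknown issuer"

    # End only the session tied to this sid. The body is the same whether or not a
    # session existed, so the response does not reveal session state to the embedder.
    sessions.pop(sid, None)
    return 200, headers, "You have been logged out."


if __name__ == "__main__":
    # Constructed sample: two active sessions, then the exact query from the nginx log.
    active = {"userX": "local-session-1", "userY": "local-session-2"}
    status, hdrs, body = handle_frontchannel_logout(
        "iss=https%3A%2F%2Fauth.mydomain.tld&sid=userX", active
    )
    print(status, hdrs["Content-Security-Policy"], body, sorted(active))
```

Two points the code makes explicit: X-Frame-Options has no non-deprecated way to allow a single foreign origin, so a CSP frame-ancestors directive is the header to set on the logout page, and that directive should name the OP only, since a permissive frame-ancestors would let any site embed the logout page and, with a guessed or leaked sid, force users out of their sessions.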