Logout issue with OIDC (auth0)


#1

Hi,
I’m integrating Auth0 into Request Tracker with Apache mod_auth_openidc.
Login is working well, but the real problem is logout: it does not log the user out and just redirects to the same page.
I tried to put the “satisfy any” option in auth_openidc.conf; logout works, but the page is redirected to the initial Request Tracker page instead of the Auth0 login page.

How can I log out correctly and then redirect to the Auth0 login page?


#2

Hello,
As far as I know from the (different) external authenticators like WebAuth or Shibboleth, this is the intended behavior (e.g. a feature). You have to realize that in RT you just leave the authentication to some external system and RT creates a session on the basis of that external authenticator's statement. Logout in RT does not have anything to do with the external authenticator; it logs you out from RT itself and redirects you to the RT login page. Then RT realizes that you are authenticated via the external provider, so it logs you in again. It’s like logging out from Google Drive and staying logged in to Google Mail. You can’t simply do that.

To accomplish RT logout with an external authenticator, you should modify logout so it deletes the session (cookie?) of the external authenticator. But that also logs you out from every other authenticated session in applications other than RT.

Petr