Logout from TYPO3

[volkan64]

If the user logs out from OP(OpenID Provider), he is still logged in TYPO3 (cookie).
How to detect if user is still logged in OpenID Provider ?

[xperseguers]

@funkyferdy Did you solve this? I could think of either:

• implementing some "logout" callback to TYPO3 from OP but that would be awkward
• checking session validity with each page call, definitely inefficient
• some scheduler task which invalidates outdated active sessions
• anything else?

[ChrisMuc]

What about backchannel-ing the logout request? For more information, see:

• https://medium.com/@robert.broeckelmann/openid-connect-logout-eccc73df758f
• https://medium.com/@piraveenaparalogarajah/openid-connect-back-channel-logout-1-0-fe1f90c83fe5

[funkyferdy]

Missed this question :)

checking session validity with each page call, definitely inefficient
Well this is one of the ways that as example wso2 has to "synchronise" Session.
https://medium.com/@piraveenaparalogarajah/openid-connect-session-management-dc6a65040cc
https://medium.com/@piraveenaparalogarajah/openid-connect-session-management-support-in-wso2-is-8935d80b6437

I think this heavly depends what "vendor" is behind the identity server and version/features avaiable in the solutions regarding this topic.

[xperseguers]

Related (other way) with #75

[theilm]

We solved this by adding additional columns to the fe_sessions table where we save the session_state from the OP after login. We then provide a API route for backchannel logout as suggest by @ChrisMuc that deletes the TYPO3 session with a matching session_state. For this, we had create a new session backend (i.e. extend the existing session backend). I don't know, if this should be part of the oidc extension though.

[liayn]

I think it makes sense to provide a generic logout-URL. Whether this can be used or not of course still depends on the IdP.
Microsoft, for instance, supports logout URLs in the Client registration data.