Sign out of OpenID server without confirmation.

[dmit4git]

Is your feature request related to a problem?

It looks like there there is no option to allow silent sign out of OpenID server.
Orchard Core sets pass-through mode on OpenIdDict logout handler and uses Logout() to process sign out request, which returns confirmation form unless user is already signed out of IdP.

In terms of OpenID, confirmation doesn't seem necessary as long as valid id_token_hint is provided (which is ensured in pass-through mode).

Describe the solution you'd like

Sign out without confirmation unless id_token_hint is invalid.
Update: Add a checkbox to the OpenID server configuration to allow disabling end-user confirmation for RP-initiated logout.

Describe alternatives you've considered

A potential way to make silent sign out work is to disable the pass-through mode on logout request, and let OpenIdDict handle it. One could

disable the pass-through mode on logout request

builder.Services.PostConfigureAll<OpenIddictServerAspNetCoreOptions>(options =>
{
    options.EnableLogoutEndpointPassthrough = false;
});

and use a custom logout event handler that would trigger the sign out

public class CustomLogoutRequestHandler : IOpenIddictServerHandler<OpenIddictServerEvents.HandleLogoutRequestContext>
{
    public static OpenIddictServerHandlerDescriptor Descriptor { get; }
        = OpenIddictServerHandlerDescriptor.CreateBuilder<OpenIddictServerEvents.HandleLogoutRequestContext>()
            .UseSingletonHandler<CustomLogoutRequestHandler>()
            .SetOrder(int.MinValue)
            .SetType(OpenIddictServerHandlerType.Custom)
            .Build();

    public ValueTask HandleAsync(OpenIddictServerEvents.HandleLogoutRequestContext context)
    {
        // Trigger silent sign-out
        context.SignOut();
        
        return default;
    }
}

builder.Services.PostConfigureAll<OpenIddictServerBuilder>(options =>
{
    options.AddEventHandler(CustomLogoutRequestHandler.Descriptor);
});

[kevinchalet]

It looks like there there is no option to allow silent sign out of OpenID server. Orchard Core sets pass-through mode on OpenIdDict logout handler and uses Logout() to process sign out request, which returns confirmation form unless user is already signed out of IdP.

Actually, that was a deliberate design choice, that respects the recommendation ("SHOULD") given by the spec you linked:

At the Logout Endpoint, the OP SHOULD ask the End-User whether to log out of the OP as well.
Furthermore, the OP MUST ask the End-User this question if an id_token_hint was not provided
or if the supplied ID Token does not belong to the current OP session with the RP and/or currently
logged in End-User. If the End-User says "yes", then the OP MUST log out the End-User.

In terms of OpenID, confirmation doesn't seem necessary as long as valid id_token_hint is provided (which is ensured in pass-through mode).

Note: while OpenIddict will always ensure the id_token_hint is not malformed and was really issued by OpenIddict, it doesn't check whether it matches the currently logged in user, which is something you must implement yourself in your logout action, typically by retrieving the identity stored in the id_token_hint via AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme) and comparing it to the one stored in the authentication cookie.

Personally, as a user, I'm never happy when clients decide to log me out "globally" without the authorization server asking me first (specially when there's a cascade-logout policy that also disconnects me from all clients), but I guess everyone has a different POV 😄

[dmit4git]

@kevinchalet Thanks for the comment.
Would it make sense to have the sign-out confirmation be optional, similar to how Auth0 and Keycloak handle it?
In some scenarios confirmation may not be wanted, such as when IdP has only one client app.
I'll update feature request in the initial comment to make silent sign-out optional.

[sebastienros]

It's fine to have strong default like today and just create an option to opt-out. Feel free to send a PR @dmit4git

[github-actions]

We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues).

This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here.