Description
Stratos Version
4.4.0 release
Frontend Deployment type
- Cloud Foundry Application (cf push)
Backend (Jet Stream) Deployment type
- Cloud Foundry Application (cf push)
Expected behaviour
SSO logout should probably use the same endpoint as SSO login.
Actual behaviour
When SSO is activated, login uses /sso_login, which in method initSSOlogin in file authuaa.go redirects to p.Config.ConsoleConfig.AuthorizationEndpoint.
Logout uses /sso_logout, which in method ssoLogoutOfUAA, also in file authuaa.go, redirects to p.Config.ConsoleConfig.UAAEndpoint.
I think this should redirect to the same endpoint.
Can I ask why there are two endpoints, which look like they should be the same? I noticed this because in our test CF environment somebody configured authorization_endpoint to https://login.something and token_endpoint to https://uaa.something, which both point to the same UAA, but due to the different domains the user is never logged out from the login domain (browser flow cookies).
Also, I didn't find anywhere in the docs that there must be logout in the SSO_OPTIONS environment attribute to activate SSO logout, and that if SSO_ALLOWLIST is used it must contain logout too, because only logout and not the full URL is used as state in the callback after logout; this is probably a bug too.
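The two effects described in this report, shown as an added Go example that is not Stratos code and does not reproduce authuaa.go: a ConsoleConfig stand-in with the two endpoint fields the report names, a host comparison that flags the login.something / uaa.something split, a cookie-jar check showing why a logout on the other host cannot clear the session cookie set on the login host, and an exact-match allowlist check modelling why the bare state value "logout" has to be listed. The struct, function names, the cookie name and the comma-separated allowlist format are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"strings"
)

// ConsoleConfig is an assumed stand-in for the two fields the issue names
// on p.Config.ConsoleConfig; it is not the project's real type.
type ConsoleConfig struct {
	AuthorizationEndpoint string // target of /sso_login per the issue
	UAAEndpoint           string // target of /sso_logout per the issue
}

// hostOf returns the lower-cased host of a URL or an error if there is none.
func hostOf(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Host == "" {
		return "", fmt.Errorf("no host in %q", raw)
	}
	return strings.ToLower(u.Host), nil
}

// LogoutHostMismatch reports whether the login and logout redirects land on
// different hosts, i.e. the configuration the issue describes.
func LogoutHostMismatch(cfg ConsoleConfig) (bool, error) {
	loginHost, err := hostOf(cfg.AuthorizationEndpoint)
	if err != nil {
		return false, err
	}
	logoutHost, err := hostOf(cfg.UAAEndpoint)
	if err != nil {
		return false, err
	}
	return loginHost != logoutHost, nil
}

// SessionCookieVisibleAt models the browser side: a host-only session cookie
// set by loginURL's host is returned for that host only, so a logout request
// to otherURL never carries (or clears) it. Returns the cookie counts seen
// at each URL. The cookie name is a constructed placeholder.
func SessionCookieVisibleAt(loginURL, otherURL string) (atLogin, atOther int, err error) {
	jar, err := cookiejar.New(nil) // nil PublicSuffixList is acceptable for a demo
	if err != nil {
		return 0, 0, err
	}
	lu, err := url.Parse(loginURL)
	if err != nil {
		return 0, 0, err
	}
	ou, err := url.Parse(otherURL)
	if err != nil {
		return 0, 0, err
	}
	jar.SetCookies(lu, []*http.Cookie{{Name: "IDP_SESSION", Value: "demo", Path: "/", Secure: true}})
	return len(jar.Cookies(lu)), len(jar.Cookies(ou)), nil
}

// AllowlistPermits models the second point in the issue with an assumed
// exact-match rule over a comma-separated allowlist: a bare state value such
// as "logout" is only accepted if that literal string is in the list, no
// matter which full URLs are listed.
func AllowlistPermits(allowlist, state string) bool {
	for _, entry := range strings.Split(allowlist, ",") {
		if strings.TrimSpace(entry) == state {
			return true
		}
	}
	return false
}

func main() {
	cfg := ConsoleConfig{
		AuthorizationEndpoint: "https://login.something", // values from the issue
		UAAEndpoint:           "https://uaa.something",
	}
	mismatch, _ := LogoutHostMismatch(cfg)
	fmt.Println("login/logout hosts differ:", mismatch)
	atLogin, atOther, _ := SessionCookieVisibleAt(cfg.AuthorizationEndpoint+"/", cfg.UAAEndpoint+"/")
	fmt.Printf("session cookie sent to login host: %d, to logout host: %d\n", atLogin, atOther)
	fmt.Println("state=logout accepted without entry:", AllowlistPermits("https://console.something/", "logout"))
	fmt.Println("state=logout accepted with entry:   ", AllowlistPermits("https://console.something/,logout", "logout"))
}
```

The cookie-jar check is the crux of the first complaint: when the logout redirect goes to uaa.something while the IdP session cookie was set by login.something, the browser never presents that cookie to the logout endpoint, so the user stays signed in on the login domain.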