Render successful login/logout page instead

[HoneyryderChuck]

👋

I've been implementing the OIDC frontchannel logout on rodauth-oauth.

As per the RFC, when a successful logout happens on the OP (the application using rodauth-oauth), the resulting page should include the iframes with src pointing to the set up frontchannel logout uri for each of the relying parties the user was authenticated on using OpenID.

The difficulty of building this feature on rodauth was that a successful logout (as well as login, and other POST routes) is followed by setting a flash message and a redirect request to the set up url. This means that there is no immediate "logout successful" page I can hook to in order to set up the iframes. If you look at the implementation from the link above, I worked around this by setting up a separate flash context, and writing the iframes, to be then rendered in the page of the page where the user is going to be redirected to.

While it works, and it could perhaps be a viable workaround(?), it's a bit more involved than I was hoping for, given that: I'll have to document that the OP application must include the extra flash context in their layouts, and there may be cases where the user may be logged out of the OP origin as a result (and not rendering the layout in the process).

i believe that rodauth's approach is the obvious default, nevertheless, there are cases where one may want the FE to hold on just a bit before redirecting after a login/logout, i.e. have some page in the middle. This could be IMO achieved if rodauth wrapped the instructions in a "${action}_success_response" function, ,that other features could override or enhance. Smth like:

# login.rb
def login
  ...
  login_success_response
end

def login_success_response # auth method?
  set_notice_flash login_notice_flash
  redirect(saved_login_redirect || login_redirect)
end

In this way, the feature I'm building could (for the logout case) do:

# login.rb
def logout
  ...
  logout_success_response
end

# oidc_frontchannel_logout
def logout_success_response
  @iframes = build_logout_iframes

  frontchannel_logout_view
end

Would something like this make sense?

[jeremyevans]

I'm OK with that approach. Can you send a pull request for it?

[HoneyryderChuck]

👍 will do

[janko]

Couldn't you override the after_logout hook and render the iframe response using return_response?

def after_logout
  super
  return_response view("oauth-logout")
end

[jeremyevans]

That works at the app level, but if done as part of another feature, you cannot be sure it is the last code run in the after_logout hook.