Fix logout

Author: lcrilly

README.md

@@ -36,7 +36,7 @@ If a [refresh token](https://openid.net/specs/openid-connect-core-1_0.html#Refre
 
 ### Logout
 
-Requests made to the `/logout` location invalidate both the ID token and refresh token by erasing them from the key-value store. Therefore, subsequent requests to protected resources will be treated as a first-time request and send the client to the IdP for authentication.
+Requests made to the `/logout` location invalidate both the ID token and refresh token by erasing them from the key-value store. Therefore, subsequent requests to protected resources will be treated as a first-time request and send the client to the IdP for authentication. Note that the IdP may issue cookies such that an authenticated session still exists at the IdP.
 
 ## Installation
 
@@ -157,6 +157,10 @@ Any errors generated by the OpenID Connect flow are logged in a separate file, `
     * Check the error log `/var/log/nginx/oidc_error.log` for JWT/JWK errors.
     * Ensure that the JWK file (`$oidc_jwt_keyfile` variable) is correct and that the nginx user has permission to read it.
 
+  * **Logged out but next request does not require authentication**
+    * This is typically caused by the IdP issuing its own session cookie(s) to the client. NGINX Plus sends the request to the IdP for authentication and the IdP immediately sends back a new authorization code because the session is still valid.
+    * Check your IdP configuration if this behavior is not desired.
+
 ## Support
 
 This reference implementation for OpenID Connect is supported for NGINX Plus subscribers.

frontend.conf

@@ -20,6 +20,12 @@ keyval $cookie_auth_token $refresh_token zone=refresh_tokens; # Exchange cookie
 keyval $request_id $new_session zone=opaque_sessions; # For initial session creation
 keyval $request_id $new_refresh zone=refresh_tokens;  # "
 
+map $refresh_token $no_refresh {
+    "" 1;  # Before login
+    "-" 1; # After logout
+    default 0;
+}
+
 # JWK Set will be fetched from $oidc_jwks_uri and cached here - ensure writable by nginx user
 proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;
 

openid_connect.server_conf

@@ -1,5 +1,5 @@
     location @oidc_auth {
-        if ($refresh_token = "") {
+        if ($no_refresh) {
             # No refresh token so redirect this request to the OpenID Connect identity provider login
             # page for this server{} using authorization code flow (nonce sent to IdP is hash of $request_id)
             add_header Set-Cookie "auth_nonce=$request_id; Path=/; HttpOnly;";  # Random value
@@ -87,14 +87,15 @@
     }
 
     location = /logout {
-        set $session_jwt "-";   # Clear tokens from keyval, set to - to indicate logout,
-        set $refresh_token "-"; #  and so that the new value is propagated by zone_sync.
-        add_header Set-Cookie "auth_token=; HttpOnly;";
-        return 302 "$oidc_logout_redirect";
-        access_log /var/log/nginx/oidc_auth.log main_jwt;
+        set $session_jwt -;   # Clear tokens from keyval, set to - to indicate logout,
+        set $refresh_token -; #  and so that the new value is propagated by zone_sync.
+        add_header Set-Cookie "auth_token=; Path=/; HttpOnly;"; # Send empty cookie
+        add_header Set-Cookie "auth_redir=; Path=/; HttpOnly;"; # Erase original cookie
+        return 302 $oidc_logout_redirect;
     }
 
     location = /_logout {
+        # This location is the default value of $oidc_logout_redirect (in case it wasn't configured)
         default_type text/plain;
         return 200 "Logged out\n";
     }