Openid - logout not working

We have been using a third party open-id app so far: https://github.com/maltevogl/useroidc
We have tweaked a little the logout function and it has been working fine for us.

We are using owncloud 10.5.0 on Debian 9 and Keycloak as openid provider.
We are testing the transition to the official open-id app.
The login and usage has transferred fine after adjusting a couple of endpoint names, but the logout function doesn't work (same as before we adjusted the current third party openid app we are using).
Could anyone provide some instructions or advice on how to make it work?
The logout button takes back to the login page but you can then simply click on the open-id login button again to login without entering the credentials.

Steps to reproduce

  1. login owncloud using the open-id login button
  2. logout owncloud

Expected behaviour

User should have to enter credentials after having logged out instead of simply logging in by clicking on the openid login button.
This is working fine with the third party openid app but not with the official open-id app.

Actual behaviour

User should have to enter credentials after having logged out

Server configuration

Operating system:
Debian 9
Web server:
Apache 2.4.25
Database:
Postgres 9.6
PHP version:
PHP 7.3
ownCloud version: (see ownCloud admin page)
owncloud 10.5
Updated from an older ownCloud or fresh install:
Updated since 10.0.x
Where did you install ownCloud from:
owncloud deb repos

In the third party app there was a: 'end_session_endpoint' => 'https://ids.server/auth/realms/company/protocol/openid-connect/logout'
in the config file.
When this is invoked before log-out with the official openid app, the log out works and credentials have to be entered when logging in again.
I didn't find a similar endpoint configuration option in the official open-id documentation, does anyone know how to configure this?

Found some more info from https://github.com/owncloud/openidconnect
The end_session_endpoint seems to be available, but not called somehow, so still looking…

I tried to set this before the end_session_endpoint: // Only required if the OpenID Connect Provider does not support service discovery
'provider-params' => [ end_session_endpoint… ],
but that didn't help …

someone else seems to have made it work by also adding

'provider-params' => [
            'end_session_endpoint' => 'https://domain-masked.com/oauth2/logout',
],

but that didn't work for me

The issue was that some variables for the third party open-id addon were still mentioned in the config file even if they weren't used anymore and must have created some confusion for the official open-id addon, as it started working fine once all other variables were removed.

2 Likes

@remd

Hi, I am also looking for the same configuration, but it's not working for me: after I added a script in config.php, my web page is showing an HTTP 599 error. How can I do the configuration in owncloud for the OpenID Connect login button? Can I get your config.php file?

'openid_connect' => [
    'displayName' => 'Sign In with Google',
    'provider' => 'https://accounts.google.com',
    'client_id' => 'xxxxxx',
    'client_secret' => 'xxxxxx',
    'scopes' => array('openid', 'email', 'profile'),
    'loginButtonName' => 'OpenId Connect'
]

This configuration works for me:

'openid_connect' =>
array (
    'keycloak' =>
    array (
        'displayName' => 'xxxx Login',
        'provider' => 'https://ids.xxx.xx/auth/realms/xxxx',
        'client_id' => 'owncloud',
        'client_secret' => 'xxxxxxx',
        'end_session_endpoint' => 'https://ids.xxx.xx/auth/realms/xxxxx/protocol/openid-connect/logout',
        'keycloak_logout_url' => 'https://ids.xxxx.xx/auth/realms/xxxx/protocol/openid-connect/logout?redirect_uri=https://cloud.xxxx.xx/',
        'post_logout_redirect_uri' => 'https://cloud.xxxx.xx/',
        'scopes' =>
        array (
            0 => 'openid',
            1 => 'email',
            2 => 'profile',
        ),
    ),
),

2 Likes
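
An added example, not part of the thread and not code from either ownCloud app: a Python check that compares a logout configuration (using the key names posted above) against the provider's discovery document, and builds the logout redirect defined by OpenID Connect RP-Initiated Logout 1.0. The hosts idp.example and cloud.example, the sample data and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlencode, urlsplit

# Constructed sample data: idp.example / cloud.example are placeholders.
# DISCOVERY is shaped like <issuer>/.well-known/openid-configuration.
DISCOVERY = json.dumps({
    "issuer": "https://idp.example/auth/realms/demo",
    "end_session_endpoint":
        "https://idp.example/auth/realms/demo/protocol/openid-connect/logout",
})
# Key names mirror the config posted in the thread (assumed, not verified
# against the official app's documentation).
CONFIG = {
    "provider": "https://idp.example/auth/realms/demo",
    "end_session_endpoint":
        "https://idp.example/auth/realms/demo/protocol/openid-connect/logout",
    "post_logout_redirect_uri": "https://cloud.example/",
}


def audit_logout(config, discovery_json):
    """Return findings that would leave the provider session alive."""
    meta = json.loads(discovery_json)
    findings = []
    advertised = meta.get("end_session_endpoint")
    if not advertised:
        findings.append("provider advertises no end_session_endpoint")
    configured = config.get("end_session_endpoint")
    if configured and advertised and configured != advertised:
        findings.append("configured end_session_endpoint differs from discovery")
    if config.get("provider", "").rstrip("/") != meta.get("issuer", "").rstrip("/"):
        findings.append("provider URL does not match the discovery issuer")
    for key in ("end_session_endpoint", "post_logout_redirect_uri"):
        if key in config and urlsplit(config[key]).scheme != "https":
            findings.append(key + " is not an https URL")
    return findings


def logout_url(discovery_json, id_token, redirect_uri, state):
    """Build the RP-initiated logout redirect that ends the provider session."""
    endpoint = json.loads(discovery_json)["end_session_endpoint"]
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": redirect_uri,
                       "state": state})
    return endpoint + "?" + query
```

If the browser is never sent to a URL of this shape on logout, only the local ownCloud session is cleared and the provider's SSO session still answers the next login without asking for credentials.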
