I am very new to OpenID and authentication in general. My problem is the following: our app is served on an Apache 2.x server (that is our RP) with the front-end served from the static directory and the back-end is proxied on `/api`; the OP is a Keycloak instance. Overall we managed to get it working but we are struggling to make a logout. The logout is triggered by making a GET request at `/redirect_uri?logout=<base-app-uri>` (with URL-encoding of course). Even though our `<base-app-uri>` is protected, we would like the default login page to show up upon logout. When the aforementioned URI is accessed the backend API successfully starts to answer with 401 and the session disappears in the Keycloak console, but the RP does not redirect the user to the login page and continues to serve protected static content. In fact the redirection is achieved only when I delete the `mod_auth_openidc_session` cookie.
Viewed 1,571 times
0

Kipr
- 806
- 10
- 13
1 Answer
0
I would say it's wrong authentication design. Frontend is SPA app and that static content shouldn't be protected by `mod_auth_openidc`. It should be whitelisted. Frontend will manage own authentication with Authorization Code Flow + PKCE flow and it appends access token to each API request. SPA (or used SPA lib) handles logout = it deletes local app session cookie(s) and it performs also OIDC logout (redirect to used Identity Provider).

API part is protected correctly.

IMHO also logout with redirect to the login page (I guess Keycloak login form in this case) is not a good user experience. It is better to have a special whitelisted route in the frontend e.g. `/bye`, where you can inform that logout was successful.

Jan Garaj
- 25,598
- 3
- 38
- 59
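The split the answer proposes (static front-end whitelisted, `/api` protected as a pure resource server, a public `/bye` route), written out as an Apache `mod_auth_openidc` configuration. This is an added example, not configuration from the question or the answer; the hostnames, realm name, backend address, file paths and the `/bye` route are assumed placeholders.

```apache
# Added example: Apache 2.4 + mod_auth_openidc vhost for the "SPA owns the
# login, RP only validates bearer tokens" design. All names are placeholders.
<VirtualHost *:443>
    ServerName app.example.com
    DocumentRoot /var/www/app/static

    # Required by the module even when it only acts as a resource server.
    OIDCCryptoPassphrase REPLACE_WITH_RANDOM_PASSPHRASE

    # Access tokens minted by the Keycloak realm are verified locally against
    # the realm's JWKS, so no RP login session (and no session cookie) exists.
    OIDCOAuthVerifyJwksUri https://keycloak.example.com/realms/myrealm/protocol/openid-connect/certs
    OIDCOAuthRemoteUserClaim preferred_username

    # 1. Front-end (including /bye) is whitelisted: no mod_auth_openidc_session
    #    cookie is ever set here, so logout needs nothing from the RP. The SPA
    #    clears its own tokens and redirects to the realm's end-session endpoint
    #    with post_logout_redirect_uri=https://app.example.com/bye.
    <Directory "/var/www/app/static">
        Require all granted
    </Directory>

    # 2. API stays protected, but as an OAuth 2.0 resource server: a missing
    #    or invalid "Authorization: Bearer <token>" header yields 401 instead
    #    of a redirect to the Keycloak login form.
    <Location "/api">
        AuthType oauth20
        Require valid-user
    </Location>
    ProxyPass        /api http://127.0.0.1:8080/api
    ProxyPassReverse /api http://127.0.0.1:8080/api
</VirtualHost>
```

With this layout the symptom in the question (stale RP session after `?logout=`) cannot occur, because the RP no longer keeps a session for the static content at all.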
- Thanks for the quick answer Jan, I totally agree with the fact that a `/bye` redirect is better user-experience. As for the authentication flow, we do not have the freedom to change it. In fact, our app used to work without a RP and store the authentication token on its own, but now we were asked to change it. And with the current setting we struggle to achieve clean logout. Our current workaround is to limit the session validity to 10s on the RP so that after the logout the user will eventually get to the login page. – Kipr Jun 22 '21 at 07:48
- So I would implement "delete `mod_auth_openidc_session` cookie" in the frontend code - in the logout function – Jan Garaj Jun 22 '21 at 11:31
- That indeed would be an easy workaround if the cookie was not an "HttpOnly". Which means that I can't delete it using JS. – Kipr Jun 23 '21 at 06:23