https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #12 from David Cook <dcook@prosentient.com.au> --- (In reply to Alexander Wagner from comment #10)
In our system we use OIDC as authentication and this works fine. However, it is an SSO login that will also open up quite a few other web services like mail etc. Therefore, we believe that a logout from Koha should also initiate a logout at the IdP. Otherwise, the user sees a successful logout but in fact you can still happily open up any other service (and even koha) again without authentication.
Therefore, I tried to work on this bug but was not able to really solve the issue.
AFAIS it is necessary to enhance `checkauth()` in `Auth.pm` in the `if ($logout) { }` branch and call the relevant logout-url there. This logout-url requires an `id_token` and/or `oidc_stat` that is passed on during login. But I do not understand how to pass these tokens on from the login functions properly. It seems that `Koha::REST::V1::Client` gets the necessary tokens when `login()` returns and they should go with the `$session` from there on. So I could retrieve them during logout and pass them on in the logout url. But there is some magic beyond my limited powers involved.
Depends if you're doing front channel or back channel logout. Front channel logout is very easy because you just redirect to the IdP's end session endpoint. That's what I implemented 12 years ago when I wrote my own OIDC implementation. Unfortunately, it wasn't accepted into Koha, and so I abandoned that in favour of the community version despite its limitations. It's really not too hard to do. It just hasn't been a priority for me... lots of other things taking my attention. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.