calling end_session_endpoint directly

[wzrdtales]

According to the readme this is supported, but as we discovered, actually only executing backchannel logout is supported, but not processing.

If a backchannel logout is performed against /session/end, currently it will just respond with the logout confirmation screen. So backchannel logout will effectively fail due to this. Keycloak handles the logout screen in this way, that it shows the screen if no id_token_hint is provided and automatically logs out if id_token_hint is present.

[panva]

Hello @wzrdtales

only executing backchannel logout is supported

That's the full extent of backchannel logout on an authorization server. I don't get where the "only" comes from.

Are you suggesting server-to-server call to the end_session_endpoint? That's not part of the backchannel logout spec and proprietary extensions to standard endpoints are not in scope.

[wzrdtales]

having looked deeper at the code, I don't see a reason why the user-agent is required at all.

node-oidc-provider/lib/models/interaction.js

Line 11 in abdcd95

Object.assign(payload, session.accountId ? {

The accountId is effectively retrieved from the persistence adapter, and without the accountId and data from the persistence adapter the session should be effectively destroyed

[wzrdtales]

A quick test, deleting the key on the persistence layer, does indeed exactly what it should. So why do you think the user-agent needs to be involved? It does not.

[panva]

Just in case it wasn't clear, which I believe it was, I will not be pursuing support for off-spec behaviours. If you want to build a proprietary behaviour endpoint that intakes an artifact and removes other stored models that's fine, but it's just that - proprietary, and resides entirely in your deployment.

So why do you think the user-agent needs to be involved? It does not.

The end_session_endpoint requires the user-agent to be involved so that the OP can clear the browser session state.

That was a general statement for why the specification is the way it is, not necessarily aimed at this particular implementation.

[wzrdtales]

This is fine, we hard forked already. I just had the hope to make your library even better. Thank you for your work.

[panva]

Thank you for the kind words.