Log out doesn't destroy SSO session

Hi there,

We’re playing around with Firezone and are pretty happy with it, nice work!

We are facing an annoying behavior: when a user logs out from the Firezone WUI after signing in with SSO, the SSO token is still available, so we just need to click on “sign in with [sso provider name]” again and we are authenticated. This can be a security issue, as you think you’re logged out, but you’re not.

Is that a misconfiguration of the Keycloak client or an issue in Firezone?

Thanks for your help!

Hi @dlx – Session lifetime is controlled by the OAuth configuration in your IdP, in this case Keycloak. When you log out of Firezone you are indeed clearing your session cookie. You’d need to log out of / clear your session cookie with Keycloak to “completely” log out.

That said, there is a section in the OAuth spec for initiating OIDC logouts from the application using a “logout redirect URI” in the OAuth client configuration, but I’m not sure it’s widely supported. I know Okta and Keycloak support it. Will add to our backlog.
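An added example (not Firezone's or Keycloak's code) of the RP-initiated logout the reply refers to: the application reads the IdP's end_session_endpoint from its discovery metadata and redirects the browser there with an id_token_hint and an allow-listed post-logout redirect URI, returning None when the IdP does not advertise support. The discovery document, hostnames, realm, client id and token are constructed assumptions.

```python
"""Added example: build an OIDC RP-Initiated Logout URL for a Keycloak-style IdP.

Clearing the app's own session cookie does not end the IdP session; the app also
has to send the browser to the IdP's end_session_endpoint. This is illustrative
code, not Firezone's implementation.
"""
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed stand-in for GET <issuer>/.well-known/openid-configuration (assumed host/realm).
KEYCLOAK_DISCOVERY = {
    "issuer": "https://idp.example.test/realms/demo",
    "authorization_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
    "end_session_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/logout",
}

# Where the IdP may send the browser after logout; must match the client's configured URIs.
ALLOWED_POST_LOGOUT_URIS = {"https://vpn.example.test/auth/signed-out"}


def supports_rp_initiated_logout(discovery: dict) -> bool:
    """True when the IdP advertises an end_session_endpoint in its metadata."""
    return bool(discovery.get("end_session_endpoint"))


def build_logout_url(discovery: dict, id_token: str,
                     post_logout_redirect_uri: str, client_id: str) -> Optional[str]:
    """Return the IdP logout URL to redirect the browser to, or None if unsupported.

    The caller still clears the app's own session cookie first; this covers the
    IdP half that the original report found missing.
    """
    if not supports_rp_initiated_logout(discovery):
        return None  # app-only logout: the user remains signed in at the IdP
    if post_logout_redirect_uri not in ALLOWED_POST_LOGOUT_URIS:
        raise ValueError("post_logout_redirect_uri is not allow-listed")
    endpoint = discovery["end_session_endpoint"]
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("end_session_endpoint must use https")
    params = {
        "id_token_hint": id_token,              # lets the IdP confirm which session to end
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "client_id": client_id,
    }
    return f"{endpoint}?{urlencode(params)}"
```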

That would be great, as it actually doesn’t sign you out for now.

Thanks

Created “Add optional logout uri to OIDC configs · Issue #975 · firezone/firezone · GitHub” to track.