Sign out functionality

[valiafetisov]

Am I understanding correctly, that there is no sign out functionality implemented, since signedOutCallbackPath is marked as Reserved for future use - Not currently used?

• If it's actually implemented, but not documented, can you please explain how it works?
• Otherwise, what is the workaround?

Currently, my understanding is that we need to construct sign out url ourselves, like so:

const signOutCallback = `${baseUrl}/easyauth/signout-callback-oidc`
const signOutUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/logout?post_logout_redirect_uri=${encodeURIComponent(signOutCallback)}`

And then /easyauth/signout-callback-oidc endpoint suppose to remove AzAD.EasyAuthForK8s http-only cookie. And since it's not happening the workaround will be to have our own endpoint which will do that for us (which is still not optimal, since the session is not invalidated)

[jonlester]

You are correct that the sign out is not currently implemented. We wanted to provide some options around the behavior (federated vs cookie only, how this would work with bearer tokens, etc.), but didn't have time in the last iteration. If you can provide some details around how you would want it to behave in your use case, we can take it under consideration.

[valiafetisov]

Thanks for the answer! I assume that there should be a way to invalidate tokens/cookies and remove cached information about the user. An endpoint triggering cookie invalidation+removal for the user themselves will be enough for us at this point.

I also assume it to be core functionality, since currently it's not possible to use EasyAuthForK8s-based auth on a public equipment and in general sounds scary to have no way to invalidate sessions in case of leaks / phishing / user deletion / etc.

Or is there any other implemented way to clear internal user cache?

[valiafetisov]

Any updates here @jonlester?

[jonlester]

No update to share yet.

[jonlester]

Implementation should include federated sign out - redirect back to azure AD to log out of the application as well as deleting the cookie.

[bhakhep]

Is there an update on this? The #91 PR has been open for some time now.