OpenID Connect Front-Channel Logout

To start with, I’d like to say thanks for the recent update; putting OIDC settings in the Django Admin page is a great help.

However, I don’t see a way to enable OIDC Front-Channel Logout.

Currently a user can sign in using OIDC and when they log out they’re logged out of Kobo. However if they click on the social login option on the login page they’re logged in again. I would expect a redirect to the OIDC provider where they get the option to logout, or similar.

This is a security flaw, since the user can believe they’ve logged out while letting anyone using the browser log in again with no authentication.

Does anyone here have an idea how to enable this redirect? Failing that, back-channel logout, or just anything that doesn’t leave the user thinking they’ve logged out when they haven’t.

It’s not just Front-Channel Logout, it’s any kind of social logout.

Once the user logs in with OpenID Connect they’re unable to log out of the OIDC provider. They’re able to log out of Kobo, which takes them back to the Kobo login screen, but the OIDC session is still live.

This means that not only can they not log out, but another user is unable to log in using OIDC because the first user is still logged in.

django-allauth has the option ACCOUNT_LOGOUT_REDIRECT_URL. This is used in Kobo here which should work for a RP-Initiated Logout but there seems to be no way to influence it.

I’ve tried putting LOGOUT_REDIRECT_URL in both envfile.txt and envfiles/kpi.txt with no luck. I’ve also tried editing runtime_variables_kpi.source.bash with the result that social login breaks altogether. Entering the kpi docker and manually hacking LOGOUT_REDIRECT_URL doesn’t work either.

There’s nothing in the django-allauth OpenID Connect spec that leads me to believe that I can add anything to the django admin > Social applications > Settings field in Kobo.

This seems like a major fail from a usability and security point of view.
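
The redirect the post asks for, sketched as an added example (not part of the original post, and not Kobo or django-allauth code): building an RP-Initiated Logout URL from the provider's discovery document. The query parameter names and `end_session_endpoint` come from the OpenID Connect RP-Initiated Logout 1.0 specification; `idp.example`, the function names and the sample values are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample of a provider discovery document
# (/.well-known/openid-configuration); idp.example is a placeholder.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "end_session_endpoint": "https://idp.example/logout",
}


def build_rp_logout_url(discovery, id_token, client_id, post_logout_redirect_uri):
    """Return (url, state) for an RP-Initiated Logout redirect, or (None, None)
    when the provider does not advertise an end_session_endpoint."""
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        return None, None  # nothing to redirect to; only the local session ends
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        raise ValueError("end_session_endpoint must use https")
    state = secrets.token_urlsafe(16)  # returned on the post-logout redirect
    params = {
        "id_token_hint": id_token,  # ID token issued to this client at login
        "client_id": client_id,
        "post_logout_redirect_uri": post_logout_redirect_uri,  # registered at the OP
        "state": state,
    }
    sep = "&" if parts.query else "?"
    return endpoint + sep + urlencode(params), state


def state_matches(expected_state, callback_url):
    """Check the state value that comes back on the post-logout redirect."""
    got = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    return secrets.compare_digest(got.encode(), expected_state.encode())
```

The relying party has to keep the ID token from login for this to work, and should end its own session before sending the browser to the returned URL.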