authenticate: validate origin of signout (#1876)

* authenticate: validate origin of signout

- add a debug task to kill envoy
- improve various function docs
- userinfo: return "error" page if user is logged out without redirect uri set
- remove front channel logout. There's little difference between it and the signout function.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
bobby 2021-02-11 21:37:54 -08:00 committed by GitHub
parent 9fd58f9b8a
commit c3e3ed9b50
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 174 additions and 182 deletions

@ -1,6 +1,8 @@
---
title: Single Sign-out
description: This article describes Pomerium's support for Single Sign-out according to OpenID Connect Front-Channel Logout 1.0.
description: >-
This article describes Pomerium's support for Single Sign-out according to
OpenID Connect Front-Channel Logout 1.0.
---
# Single Sign-out
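Review bot: the refolded `description: >-` text still states that the page covers Single Sign-out "according to OpenID Connect Front-Channel Logout 1.0", but this commit removes front channel logout in favour of the sign-out endpoint, so the front matter now advertises a feature the page no longer documents. Reword the description (and the `title`, if the page is now about `/.pomerium/sign_out`) in the same hunk rather than only changing the line wrapping.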
@ -23,4 +25,21 @@ To find out if your identity provider (IdP) supports Front-Channel Logout, have
### Configuration
You need to register a `frontchannel_logout_uri` in your OAuth 2.0 Client settings. The url gets handled by the Authenticate Service under the path `/.pomerium/frontchannel-logout` (e.g `https://authenticate.localhost.pomerium.io/.pomerium/frontchannel-logout`).
You need to register a `frontchannel_logout_uri` in your OAuth 2.0 Client settings. The url gets handled by the Authenticate Service under the path `/.pomerium/sign_out` (e.g `https://authenticate.localhost.pomerium.io/.pomerium/sign_out`).
### The endpoint
See Pomerium's `/.well-known/pomerium` endpoint for the sign-out page's uri. For example,
```json
{
"authentication_callback_endpoint": "https://authenticate.localhost.pomerium.io/oauth2/callback",
"jwks_uri": "https://authenticate.localhost.pomerium.io/.well-known/pomerium/jwks.json",
"frontchannel_logout_uri": "https://authenticate.localhost.pomerium.io/.pomerium/sign_out"
}
```
Note, a CSRF token is required for the single sign out endpoint (despite supporting `GET` and `POST`) and can be retrieved from the
`X-CSRF-Token` response header on the well known endpoint above or using the `_pomerium_csrf` session set.
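Review bot: the closing note's CSRF requirement conflicts with the `### Configuration` instruction earlier in this hunk. The note says a CSRF token is required for both `GET` and `POST`, yet the configuration line still tells operators to register a `frontchannel_logout_uri` pointing at `/.pomerium/sign_out`, and the unchanged context line still talks about IdPs that "support Front-Channel Logout". An IdP-initiated front-channel logout is a cross-site `GET` issued by the provider, which has no way to obtain the `X-CSRF-Token` response header value or the `_pomerium_csrf` session value, so that registration can no longer succeed; either drop the `frontchannel_logout_uri` instruction (and the `frontchannel_logout_uri` key shown in the `/.well-known/pomerium` JSON) or document that IdP-initiated requests will be rejected. Smaller points: "using the `_pomerium_csrf` session set" reads as unfinished and should name the mechanism, "e.g" needs its trailing period, and "well known" should be "well-known" to match the path.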

@ -9,6 +9,10 @@ description: >-
## Breaking
### Sign-out endpoint requires CSRF Token
The frontchannel-logout endpoint will now require a CSRF token for both `GET` and `POST` requests.
### User impersonation removed
With the v0.13.0 release, user impersonation has been removed.
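Review bot: the breaking-change entry under `### Sign-out endpoint requires CSRF Token` still calls it "The frontchannel-logout endpoint", while its own heading and the docs hunk in this commit refer to the sign-out endpoint at `/.pomerium/sign_out`, and the commit message says front channel logout is removed. Name the endpoint consistently, state that `/.pomerium/frontchannel-logout` is gone so operators who registered it with their IdP know to update, and say where the token comes from (the `X-CSRF-Token` response header on `/.well-known/pomerium`); a breaking note that introduces a required token without saying how to obtain it leaves readers without an upgrade path.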