Provide backchannel SSO logout endpoint #33

Open
col-panic opened this issue May 13, 2024 · 11 comments
Assignees
Labels
enhancement New feature or request

Comments

@col-panic

Currently pressing Logoff in redmine only closes the redmine session. Optionally a full SSO logoff should be possible.

@picman picman added the enhancement New feature or request label May 13, 2024
@picman
Collaborator

picman commented May 13, 2024

What do you mean with "optionally"?

@col-panic
Author

At the moment when logging off in Redmine (after logging into it with redmine_oauth) only Redmine is logged out, while the OAuth2 session stays open.

There should be a configurable option (just like the don't show password login option) to perform SSO Logout on logging out in Redmine. So that both the redmine session and the SSO session are ended.

@picman
Collaborator

picman commented Sep 6, 2024

But OAuth can be used from more than one application. E.g. you log out from Redmine but you don't want to be logged out from Azure too.
I can add a new plugin option, something like "Force log out", or should it be per user?

@col-panic
Author

@picman you are right. If you end the session, then you only invalidate the redmine session, and as soon as you click the OpenId login (with a valid openid session) again, you will be logged into redmine again.

You could end the whole SSO session by calling the respective IdP endpoint, but if e.g. Azure is not configured to get the backchannel logout information, then it will stick as is.

So generally - every application after login has its own session cookies running, and it's a matter of how deeply the specific application adopts SSO to what degree it will honor or prioritize SSO session information over its own session information.

Let's fix the scenario the other way round:

You end your SSO session with the IdP directly - so you consider every application you logged into via SSO to end its current session. Maybe this should be the real feature we adopt - supporting backchannel logouts! Here you would have to provide an endpoint which gets called by the IdP telling you to log off user X.

@col-panic col-panic changed the title Support SSO logoff Provide backchannel SSO logout endpoint Sep 8, 2024
@picman picman self-assigned this Sep 9, 2024
@picman picman added this to the 2.2.5 milestone Sep 9, 2024
@picman
Collaborator

picman commented Sep 11, 2024

I've implemented 'OAuth logout' if checked out in the settings. Could you test the logout branch please?

@col-panic
Author

Will check after #36 is integrated (easier ...)

@picman
Collaborator

picman commented Sep 13, 2024

Merged into devel.

@col-panic
Author

What is the "Backchannel logout URL" to configure to Keycloak?


@picman
Collaborator

picman commented Sep 16, 2024

I think that you can configure here for example a URL for password change and as soon as a user calls a password change, it will log them out. You should leave it empty; it shouldn't have anything to do with Redmine logout.

@col-panic
Author

Thank you @picman for the patch, I have several points/questions on this:

  1. What does "Update login" effectively do?
  2. You implemented an SSO logoff. That is, if I select the "OAuth logout" option, then I will log off the SSO session with Keycloak, which is good, but not the focus of this issue, resp. this is another feature (we should rename the issue for this).
  3. Backchannel logout would require an endpoint which is called by Keycloak to invalidate my existing Redmine session. The use case is: I have an SSO session with Keycloak, and now I log out under https://keycloak/user - now I want all associated services to respect this logout and make the sessions invalid. Here this would involve that my Redmine session gets invalidated.
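The endpoint described in the earlier comment and in point 3 above, as an added Ruby example that is not the redmine_oauth plugin's code: per the OpenID Connect Back-Channel Logout spec, the IdP POSTs a `logout_token` JWT to the relying party, which must validate it (signature, issuer, audience, freshness, the logout event claim, no nonce, no replay) before terminating the matching local sessions. The RSA key, issuer, client id and in-memory session hash are constructed stand-ins for Keycloak's signing key and Redmine's session store.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'set'

# Constructed stand-ins (not the plugin's values): an RSA key playing Keycloak's
# signing key, and the issuer/client_id the relying party would have configured.
IDP_KEY      = OpenSSL::PKey::RSA.new(2048)
ISSUER       = 'https://keycloak.example/realms/demo'
CLIENT_ID    = 'redmine'
LOGOUT_EVENT = 'http://schemas.openid.net/event/backchannel-logout'

def b64url(s)
  Base64.urlsafe_encode64(s, padding: false)
end

# Builds an RS256 JWT; used here only to construct the tokens the IdP would POST.
def sign_jwt(claims, key)
  signing_input = "#{b64url({ alg: 'RS256', typ: 'JWT' }.to_json)}.#{b64url(claims.to_json)}"
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

# Validates a logout_token per OIDC Back-Channel Logout 1.0, section 2.6. Returns
# [claims, nil] or [nil, reason]. `seen_jti` must be shared across requests for
# replay detection to work (here a Set; in production a persistent store).
def verify_logout_token(token, pub_key, now: Time.now.to_i, seen_jti: Set.new)
  head, body, sig = token.split('.')
  return [nil, 'malformed'] unless head && body && sig
  header = JSON.parse(Base64.urlsafe_decode64(head))
  return [nil, 'alg'] unless header['alg'] == 'RS256' # never accept 'none' or a downgraded alg
  return [nil, 'signature'] unless pub_key.verify(OpenSSL::Digest.new('SHA256'), Base64.urlsafe_decode64(sig), "#{head}.#{body}")
  c = JSON.parse(Base64.urlsafe_decode64(body))
  return [nil, 'iss'] unless c['iss'] == ISSUER
  return [nil, 'aud'] unless Array(c['aud']).include?(CLIENT_ID)
  return [nil, 'iat'] unless c['iat'].is_a?(Integer) && (now - c['iat']).between?(-60, 300)
  return [nil, 'events'] unless c['events'].is_a?(Hash) && c['events'].key?(LOGOUT_EVENT)
  return [nil, 'nonce'] if c.key?('nonce') # forbidden: an ID token must not pass as a logout token
  return [nil, 'subject'] unless c['sub'] || c['sid']
  return [nil, 'replay'] unless c['jti'] && seen_jti.add?(c['jti'])
  [c, nil]
rescue ArgumentError, JSON::ParserError
  [nil, 'malformed']
end

# The endpoint body: drop every local session tied to the token's sid or sub.
# `sessions` stands in for Redmine's session store; returns [status, count_or_reason].
def backchannel_logout(token, pub_key, sessions, **opts)
  claims, err = verify_logout_token(token, pub_key, **opts)
  return [400, err] unless claims
  before = sessions.size
  sessions.delete_if { |_, s| (claims['sid'] && s[:sid] == claims['sid']) || (claims['sub'] && s[:sub] == claims['sub']) }
  [200, before - sessions.size]
end
```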

@col-panic
Author

I'm not sure about this at the moment, could we probably move this to 2.2.6 and give it some time to think about?! I could then re-arrange the issues with better descriptions feedback!
