Logout not working in Firefox latest version (128.0) #521
Comments
I've just been looking at this too. It appears Firefox has added
This combined with the header check in openidc.lua is preventing it from doing the usual redirect and returning a blank image instead. A workaround would be to override the header for requests to your logout path, e.g.:
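To make the misfire concrete: an added Python example (not code from lua-resty-openidc or from this thread) contrasts a substring check of the kind described above with a check that ranks the Accept header's media types by q-value. The sample Accept values are constructed, modelled on the Firefox 128 release notes linked later in the thread, and `should_return_pixel` with its `logout_pixel_enabled` option is a hypothetical name for the explicit-setting approach suggested in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample headers (assumption: modelled on the Firefox 128 notes).
FIREFOX_128_NAVIGATION = (
    "text/html,application/xhtml+xml,application/xml;q=0.9,"
    "image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8"
)
FIREFOX_127_NAVIGATION = (
    "text/html,application/xhtml+xml,application/xml;q=0.9,"
    "image/avif,image/webp,*/*;q=0.8"
)
IMG_TAG_REQUEST = "image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5"


def parse_accept(header: str) -> List[Tuple[str, float]]:
    """Return (media_type, q) pairs, highest q first; ties go to the more
    specific type, then to the order in which the client listed them."""
    entries = []
    for idx, part in enumerate(header.split(",")):
        pieces = [p.strip() for p in part.split(";")]
        media = pieces[0].lower()
        if not media:
            continue
        q = 1.0  # RFC 9110 default when no q parameter is given
        for param in pieces[1:]:
            m = re.fullmatch(r"q\s*=\s*([01](?:\.\d{0,3})?)", param, re.I)
            if m:
                q = float(m.group(1))
        specificity = 0 if media == "*/*" else (1 if media.endswith("/*") else 2)
        entries.append((q, specificity, -idx, media))
    entries.sort(reverse=True)
    return [(media, q) for q, _, _, media in entries]


def naive_wants_pixel(header: str) -> bool:
    """Substring match: any mention of image/png counts, even in a page load."""
    return "image/png" in header


def prefers_image(header: str) -> bool:
    """True only when every top-ranked media type is an image type, so a
    navigation that merely lists image/png alongside text/html does not match."""
    ranked = parse_accept(header)
    if not ranked:
        return False
    top_q = ranked[0][1]
    return all(m.startswith("image/") for m, q in ranked if q == top_q)


def should_return_pixel(header: str, opts: Dict[str, bool]) -> bool:
    """Hypothetical policy: pixel logout only when explicitly enabled in opts."""
    return bool(opts.get("logout_pixel_enabled")) and prefers_image(header)
```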
@ross211
I think that header check is for a different method of triggering logout, probably so you can trigger a logout by calling the logout path from IMO if that behaviour is desired it should be triggered by passing a setting in the options instead of trying to guess based on the header content.
I agree, it would be nice to have an option to trigger or not this behaviour ;)
I have run into this issue as well. Seems like this was included since FF v128.0 and was to solve a 3+ yr old bug afaik. https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/128#http I have tested the fix proposed by @ross211 and this does indeed resolve the problem. I guess this could be a workaround because I think at least in my case the returned content-type for logout requests will always be "text/html". I don't know about other use cases though. I would be interested to have one of the maintainers weigh in on the original purpose for this handling of "image/png" in the Accept headers. It looks like this has been in place since v1.1.
Hi, we are using a kong-oidc plugin that is based on lua-resty-openidc and ran into this issue with the latest Firefox update too. As this was not expected, we get a black page with the logout URL that just doesn't show anything (renders an "openidc_transparent_pixel" - how weird is this...?). I understand the reasoning behind it, but I think this should rather be a configuration than an implicit assumption that if the client (browser or whatever) set the config, the navigation should be affected directly.
Hi, even though I do not understand this "GET style logout" 998c7a6, cookies are wiped out only at client-side; an external authorization server will preserve its SSO cookies and you won't ever get logged out. That's why you typically need to perform a complete redirect cycle through every interested actor during a logout. As far as I know OIDC is strongly based on redirects for front-channel logout, and back-channel logout is handled with a POST HTTP method. OIDC standard wise, what is this for? Thank you for your work.

Update: After some research I did come up to where this png comes from, by following the comment on this on mod_auth_openidc.
PF stands for PingFederate and it's using a custom, non-standard way to implement single logout for PingFederate SSO products; confirmation came from this comment. Just my two cents on this: if a vendor proposes his own customization of the standard it shouldn't impact any OIDC RFC implementation.
The code predates my involvement with the project. I believe what Ping Federate did back then was something that could have become a standard - but did not. This must have all happened before the front-channel logout spec had been finalized (it may have been an alternative design). I discussed the issue with some coworkers and, short of splitting the paths or removing the functionality completely, the best way forward seemed to be proper
It would be great if any of you could give #525 a try.
Environment
Expected behaviour
Logout works in Firefox
Actual behaviour
Logout is not working anymore in Firefox (version 128.0)
It just returns a 200 response instead of a 302. So no redirect happens.
Strangely, an image(?!) is returned:
Minimized example
Just doing:
Configuration and NGINX server log files
access.log:
127.0.0.1 - - [16/Jul/2024:15:18:24 +0200] [34bff32f803d305d47feb962e13222c3] "GET /logout HTTP/1.1" 200 79 "http://fr.localtest.com:92/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" 0.000 s (-/-)
error.log: