I want the user’s session in my SSO provider to be killed when a user clicks ‘Log Out’, but the current logout redirection feature doesn’t quite fit the bill because I have no way of knowing if the ensuing GET to the logout page was intentional or the result of a low-effort CSRF. (I do consider drive-by logouts from my provider to be a security problem.)
From the perspective of the SSO provider (on the server), I want to authenticate that the user has deliberately ended their Discourse session.
There are two approaches that come to mind:
- Add an SSO Secret-signed bearer proof to the URL the user is redirected to.
- Allow the SSO provider to query Discourse for the liveness of the user’s session.
My instinct is that the first approach is complicated to get right.
The second might be really easy, depending on how Discourse stores sessions. (I haven’t looked.) Ideally, I could just hit an (authenticated) admin API endpoint with the nonce from the login and find out whether the session created from that nonce is alive.
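As an added illustration of the first approach (not a feature of Discourse or DiscourseConnect, and not code from the post), here is what a provider-side verifier for a signed logout proof would have to check before it kills the SSO session: the HMAC over the payload (compared in constant time), a freshness window on a timestamp, and a one-time nonce so a captured URL cannot be replayed. The `logout`/`sig` parameter names, the `action`/`nonce`/`external_id`/`ts` fields, the 300-second window and the shared secret value are all assumptions; only the base64-payload-plus-hex-HMAC-SHA256 convention is borrowed from the existing SSO login flow. An unsigned GET, which is all a drive-by logout can produce, is rejected as `:missing`.

```ruby
require "openssl"
require "base64"
require "uri"
require "cgi"

# Hypothetical "signed logout proof" for the SSO-secret-signed approach.
# Parameter and field names are assumptions, not a DiscourseConnect feature.
module LogoutProof
  # Issuer side: what the Discourse end would append to the logout redirect URL.
  # `nonce` is assumed to be a fresh per-logout value (or the login nonce).
  def self.issue(secret, nonce:, external_id:, now: Time.now.to_i)
    raw     = URI.encode_www_form("action" => "logout", "nonce" => nonce,
                                  "external_id" => external_id, "ts" => now)
    payload = Base64.strict_encode64(raw)
    sig     = OpenSSL::HMAC.hexdigest("sha256", secret, payload)
    URI.encode_www_form("logout" => payload, "sig" => sig)
  end

  # Constant-time equality so the comparison does not leak how much of the MAC matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verifier side: what the SSO provider runs before ending its own session.
  class Verifier
    def initialize(secret, max_age: 300, clock: -> { Time.now.to_i })
      @secret  = secret
      @max_age = max_age   # assumed freshness window in seconds
      @clock   = clock     # injectable for testing
      @seen    = {}        # one-time nonces; a real deployment would use a store with a TTL
    end

    # Returns [:ok, fields] when the proof is authentic, fresh and unused,
    # otherwise [:error, reason]. A plain unsigned GET yields :missing.
    def verify(query_string)
      params  = CGI.parse(query_string)
      payload = params["logout"].first
      sig     = params["sig"].first
      return [:error, :missing] if payload.nil? || sig.nil?

      # Check the MAC before decoding anything the client controls.
      expected = OpenSSL::HMAC.hexdigest("sha256", @secret, payload)
      return [:error, :bad_signature] unless LogoutProof.secure_equal?(sig, expected)

      fields = URI.decode_www_form(Base64.strict_decode64(payload)).to_h
      return [:error, :wrong_action] unless fields["action"] == "logout"
      return [:error, :stale] if (@clock.call - fields["ts"].to_i).abs > @max_age
      return [:error, :replayed] if @seen.key?(fields["nonce"])

      @seen[fields["nonce"]] = true
      [:ok, fields]
    rescue ArgumentError
      [:error, :malformed]   # bad base64 or undecodable payload
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = "constructed-shared-sso-secret"      # constructed value, not a real secret
  query  = LogoutProof.issue(secret, nonce: "n-1", external_id: "42")
  p LogoutProof::Verifier.new(secret).verify(query)
end
```

The provider still has to bind `external_id` to the session it is about to kill, and the nonce store must survive across provider instances; those details are a large part of why this approach is harder to get right than a liveness query.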