I want the user’s session in my SSO provider to be killed when a user clicks ‘Log Out’, but the current logout redirection feature doesn’t quite fit the bill because I have no way of knowing if the ensuing GET to the logout page was intentional or the result of a low-effort CSRF. (I do consider drive-by logouts from my provider to be a security problem.)
From the perspective of the SSO provider (on the server), I want to authenticate that the user has deliberately ended their Discourse session.
There are two approaches that come to mind:
Add a SSO Secret-signed bearer proof to the URL the user is redirected to.
Allow the SSO provider to query Discourse for the liveness of the user’s session.
My instinct is that the first approach is complicated to get right.
The second might be really easy, depending on how Discourse stores sessions. (I haven’t looked.) Ideally, I could just hit an (authenticated) admin API endpoint with the nonce from the login and find out of the session created from that nonce is alive.
Or you could let the sso provider take the responsibility?
When logging in you also get a ,logouturl=http://mysso/logout.aspx?mypayload=xyz in the sso package.
It’s then up to the provider to decide how he want’s it implemented.
If non-secure a userid in his return url could suffice for him
logouturl=http://mysso/logout.aspx?uid=46732
If encrypted wityh the same secret it could be
logouturl=http://mysso/logout.aspx?sso=xxxxxxx
and up to him if there is a userid or perhaps even login datetime information. But he has already encrypted the sso part when giving it to you so he could even use another secret if he wants. You just return using what was given. I don’t even think there would be a reason to add some expiry datetime info in your direction, just return the stuff if you can catch the logout.
Replaying a logout is more of a nuisance than anything else. Letting the sso provider take the responsibility also meant possible security measures would be taken at that end, at their option.
But ok, why give any possibilities.