Federated logout (OpenID Connect)

[balazsorban44]

Summary of proposed feature

Acces id_token in jwt callback, when idToken: true in a provider's option.

Purpose of proposed feature

Make it possible to start a logout process from a next app using next-auth that will log out from the Identity Provider entirely, if it is OIDC compliant.

Detail about proposed feature

OpenID Connect compliant IdPs (like IdentiyServer4, which is also supported by next-auth) have a federated logout.
To initiate such a logout process, when signOut() is called, next-auth should redirect to https://idp.com/endsession, and forward at least the two following query params:

1. id_token_hint: The original id_token received from the IdP at login.
2. post_logout_redirect_uri: A preconfigured URL in the IdP client, that the IdP should redirect to after a successful logout. This could default to NEXTAUTH_URL, but could be overridden in a provider setting. (Note that the same url must be registered in the IdP client)

Additional optional query params exist, see the relevant spec section

Obtaining the id_token at the initial jwt() callback call would make it possible to preserve it in a session database, or in the jwt token itself.

Potential problems

• According to the JWT callback docs jwt callback has already many parameters, and adding a new idToken would just make it worse. In my opinion should/could be provided as a single object to basically be able to use named params, but that would be a breaking change.

• Setting the id_token in the JWT cookie is kind of an overhead, as the cookie most possibly contains some kind of a mapping of the id_token (name, email, etc.) already. My solution for this would be to not store it in the cookie, but create an in-memory database (just a JS class with key value pairs, where keys are user ids, and each user contains a list of sessions, containing sessions' id_tokens. Hint: The id_token usually contains a sid or Session ID, and timestamps if needed). Adding such an in-memory database should not be required from most of the users though. (Although this could very well be an optional part of next-auth, that could also complement RFC: Limit logins (by concurrency, location) #583 nicely, which I am already working on at work, and some day be able to share it as a PR to next-auth) I am open for suggestions here!

• There is the 4096 bytes cookie size limit in browser, and because of that every extra bytes count, if we cannot somehow divide the data into multiple cookies somehow. (I am no expert on cookies though, so I do not know hard it would be to split/merge cookies)

Describe any alternatives you've considered
I haven't considered alternatives to next-auth as it is generally a high quality full auth solution for Next.js apps, and since it already supports idToken for OIDC compliant IdPs, it would only make sense to leverage that even further.

Additional context
OIDC spec: https://openid.net/specs/openid-connect-rpinitiated-1_0.html
Relevant IDS4 documentation: https://identityserver4.readthedocs.io/en/latest/endpoints/endsession.html
id_token content: https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#payload-claims

Please indicate if you are willing and able to help implement the proposed feature.

If this is not a problem that can be solved in user land right now, I may be willing to try to implement this and open a PR for it, but before that, I need feedback on how to store the id_token in the jwt callback, with minimal overhead.

So just a TLDR:

If the user provides the idToken: true option as a Provider option, it would be nice to send it as a param to the jwt callback as well. The rest can strictly speaking be implemented by the user for now.

[balazsorban44]

#1024 solved this by passing the idToken to the jwt and signIn callbacks through profile.idToken.

Then you can save the token in the JWT, and reuse it when logging the user out.

For this I created a custom api endpoint:

// /api/auth/federated-logout
import jwt from "next-auth/jwt"
import log from "utils/server-logger"

export default async function federatedLogout(req, res) {
  try {
    const token = await jwt.getToken({req, secret: process.env.SECRET, encryption: true })
    if (!token) {
      log.warn("No JWT token found when calling /federated-logout endpoint")
      return res.redirect(process.env.NEXTAUTH_URL)
    }
    if (!token.idToken)
     log.warn("Without an id_token the user won't be redirected back from the IdP after logout.")

    const endsessionURL = `https://${process.env.PROVIDER_DOMAIN}/connect/endsession`
    const endsessionParams = new URLSearchParams({
      id_token_hint: token.idToken,
      post_logout_redirect_uri: process.env.NEXTAUTH_URL,
    })
    return res.redirect(`${endsessionURL}?${endsessionParams}`)
  } catch (error) {
    log.error(error)
    res.redirect(process.env.NEXTAUTH_URL)
  }
}

And when logging out on the client:

<button onClick={() => window.location.href = "/api/auth/federated-logout"}>
  Sign out
</button>

[balazsorban44]

Reopening, as this has not been fully resolved. We could try to support federated logout for most OIDC compliant providers out-of-the-box.

[Robert-OP]

Hey @balazsorban44 - thanks for opening this issue. I was looking into this as well because I was working on implementing next-auth with Azure AD B2C. In my case in order to sign out, it requires the id_token_hint which I need to attach basically as a query parameter as so

https://${process.env.AUTH_TENANT_NAME}.b2clogin.com/${process.env.AUTH_TENANT_NAME}.onmicrosoft.com/${process.env.USER_FLOW}/oauth2/v2.0/logout?post_logout_redirect_uri=${process.env.NEXTAUTH_URL}/auth/signout&id_token_hin=${id_token_hint}

Basically that is the id_token that I got when signing in and it's stored in the session. Do you know how can I retrieve this token such that I attach it to my request URL above?

Or would it be possible to resolve this in a different way?

Cheers,
Robert

[balazsorban44]

So my current solution for this is using the canary release, where you have the ID token available in the jwt callback (in the account param). I save it in the session cookie, and then I created an api route in Next.js that reads the ID token from the cookie, and sends the logout request from there. Works like charm! only we should make it so that users don't have to do it themselves.