• New Feature
    • Resolution: Unresolved
    • Major
    • openid-plugin
    • None

      Why this feature: Single logout feature is an optional feature supported by various OpenID providers.

      What does this feature do: When the user logs out of his OpenID endpoint, he also logs out of Jenkins.

      How did I implement: When a user logs out of his OpenID provider, the openid plugin resets the remember-me cookie and returns an image indicating that it is logged out of Jenkins.

      Link to the commit/pull request: https://github.com/jenkinsci/openid-plugin/pull/7

          [JENKINS-23011] [openid-plugin] Add Single Logout feature

          Kohsuke Kawaguchi added a comment -

          Do you have any reference to the spec of this optional feature anywhere?

          I'm not finding any, and it seems closer to this one but I'd imagine there'd have to be some advertising of this capability from Jenkins to OpenID provider.

          Nirmal Jonnalagedda added a comment -

          We have discovered the logout image is actually an implementation detail of the OP (OpenID Provider) we use. Logout doesn't appear to be covered at all in the OpenID 2.0 Spec (http://openid.net/specs/openid-authentication-2_0.html) so we may be the only use-case for this.

          However, we noticed that the "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY" cookie is used in the other Jenkins plugins (such as https://svn.jenkins-ci.org/tags/hudson-/core/src/main/java/hudson/security/SecurityRealm.java). I wonder if in the OpenID Connect spec (http://openid.net/specs/openid-connect-session-1_0.html#RPLogout), if it would be appropriate to reset this cookie.

          Feel free to close this issue, if you think this feature is unnecessary.

          Kohsuke Kawaguchi added a comment -

          I don't need this to be a part of the official OpenID spec, but I was hoping that this is a bit more than a particular implementation detail of a particular OpenID provider.

          Looking at the change, I think my suggestion is that you implement this by writing another plugin that extends from OpenIdSsoSecurityRealm. You should be able to just add your doLogoutImage method in a subtype with a new descriptor, like GoogleAppSsoSecurityRealm.

          I hope that is acceptable with you.

            kohsuke Kohsuke Kawaguchi
            jssnirmal Nirmal Jonnalagedda
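
The logout-image mechanism described in this issue, as an added sketch that is not code from the pull request or from the openid plugin. It uses the plain JDK HTTP server rather than Jenkins/Stapler; the `/logoutImage` path, the `JSESSIONID` cookie name, the cookie path, the in-memory `SESSIONS` store and the assumption that the provider loads the URL as an image are all hypothetical.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added sketch on the plain JDK HTTP server; not Jenkins/Stapler code.
public class LogoutImageSketch {
    static final String REMEMBER_ME = "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY"; // name from the thread
    static final String SESSION_COOKIE = "JSESSIONID"; // assumption: servlet default name
    static final String COOKIE_PATH = "/";             // assumption: must equal the Path used at login
    // Stand-in session store; a real application adds ids at login (not shown).
    static final Set<String> SESSIONS = ConcurrentHashMap.newKeySet();
    static final byte[] PIXEL = Base64.getDecoder().decode( // 1x1 transparent GIF
            "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7");

    // Set-Cookie value that deletes a cookie; a mismatched Path leaves the original in place.
    static String expire(String name) {
        return name + "=; Path=" + COOKIE_PATH + "; Max-Age=0; HttpOnly";
    }

    static void handleLogoutImage(HttpExchange ex) throws IOException {
        // Drop the server-side session first: expiring cookies alone leaves the old id valid.
        String cookies = ex.getRequestHeaders().getFirst("Cookie");
        if (cookies != null) {
            for (String c : cookies.split(";")) {
                String[] kv = c.trim().split("=", 2);
                if (kv.length == 2 && kv[0].equals(SESSION_COOKIE)) SESSIONS.remove(kv[1]);
            }
        }
        ex.getResponseHeaders().add("Set-Cookie", expire(REMEMBER_ME));
        ex.getResponseHeaders().add("Set-Cookie", expire(SESSION_COOKIE));
        // Assumption: the provider loads this URL as an image; a cached copy would skip the logout.
        ex.getResponseHeaders().set("Cache-Control", "no-store");
        ex.getResponseHeaders().set("Content-Type", "image/gif");
        ex.sendResponseHeaders(200, PIXEL.length);
        try (OutputStream out = ex.getResponseBody()) {
            out.write(PIXEL);
        }
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/logoutImage", LogoutImageSketch::handleLogoutImage);
        server.start(); // serves until the process is stopped
    }
}
```

Because the endpoint changes state on a cross-site GET, any page that embeds the URL can end a user's session, and browsers that block third-party cookies may neither send nor clear the cookies on this request.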