
Entra ID logout does not work properly #381

Open
MichaelGrafnetter opened this issue Jan 13, 2025 · 4 comments

Comments

@MichaelGrafnetter

Hello, I think that I have discovered a bug while evaluating SysReptor's Microsoft Entra ID (Azure AD) OpenID Connect SSO.

Current behavior

When I click the Log out button in SysReptor and Azure is selected as the default authentication method, I am immediately logged in again:

[screenshot]

It's as if nothing happened, only a couple of back-and-forth redirects.

Expected behavior

I would instead expect to see the following screen:

[screenshot]

When accessing SysReptor afterwards, I expected Microsoft's user selector to show up again.

Possible solution

The user should be redirected to the platform's logout URL. I presume that other authentication providers like Google and Keycloak support something similar. In the case of Microsoft, the user should be redirected to

https://login.microsoftonline.com/27df604f-0025-47fa-bc0c-8df3d22117fb/oauth2/v2.0/logout

where 27df604f-0025-47fa-bc0c-8df3d22117fb is the Tenant ID. The URL can either be hardcoded or retrieved from the tenant-specific OIDC Discovery endpoint.

Moreover, if Azure Container Apps pre-authentication is used, then the user should be redirected to the /.auth/logout?post_logout_redirect_uri=/projects/ endpoint, which is routed to a Microsoft-managed container. This means that the logout endpoint should probably be user-configurable.

I also was not able to configure front-channel or back-channel single logout for SysReptor. If I understand it correctly, for front-channel to work, SysReptor's /api/v1/auth/logout/ endpoint (or another endpoint for this purpose) should accept the GET method instead of just POST.

@MWedl
Contributor

MWedl commented Jan 15, 2025

Users should not be automatically logged in again after a logout. We will fix this bug by not starting an OIDC login directly after logout. Instead, we will show a list of all available login options (OIDC, password, etc.).

IMO, logging the user out of Entra is undesired and unexpected behavior: clicking the logout button in an application should not globally log the user out of the OIDC provider and all other applications.

@MichaelGrafnetter
Author

> IMO logging the user out of Entra is undesired and unexpected behavior for clicking the logout button

I understand your concern. But at least some operation must be done with Entra as well, because otherwise the user gets SSO right away, without the option to potentially select a different Entra ID account to log in. So maybe prompt=select_account instead of prompt=login URL parameter during the next redirect to login.microsoftonline.com?

@MWedl
Contributor

MWedl commented Jan 15, 2025

I understand your problem. It is possible to set prompt by configuring Entra ID as a generic OIDC provider in app.env. See https://docs.sysreptor.com/users/oidc-generic/

AUTHLIB_OAUTH_CLIENTS='{
    "azure": {
        "label": "Microsoft Entra ID",
        "client_id": "OIDC_AZURE_CLIENT_ID",
        "client_secret": "OIDC_AZURE_CLIENT_SECRET",
        "server_metadata_url": "https://login.microsoftonline.com/{OIDC_AZURE_TENANT_ID}/v2.0/.well-known/openid-configuration",
        "client_kwargs": {
            "scope": "openid email profile",
            "code_challenge_method": "S256",
            "prompt": "select_account"
        },
        "reauth_supported": true
    }
}'

@MichaelGrafnetter
Author

@MWedl Thanks, that would probably solve the issue. Have to test it.
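As an added illustration of the two approaches discussed in this thread (redirecting the browser to the provider's `end_session_endpoint` taken from the tenant's OIDC discovery document, versus forcing the account picker with `prompt=select_account` on the next login), here is example Python that is not SysReptor's code. The discovery document is a constructed, trimmed subset of what Entra publishes, and the tenant ID, client ID and hostnames are placeholders.

```python
import json
from typing import Optional
from urllib.parse import urlencode

# Constructed sample: a trimmed subset of the tenant-specific discovery document
# served at https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
DISCOVERY_DOC = json.dumps({
    "issuer": f"{AUTHORITY}/v2.0",
    "authorization_endpoint": f"{AUTHORITY}/oauth2/v2.0/authorize",
    "end_session_endpoint": f"{AUTHORITY}/oauth2/v2.0/logout",
})

# Only redirect targets the application itself owns; an unvalidated
# post_logout_redirect_uri would turn the logout handler into an open redirect.
ALLOWED_POST_LOGOUT = {"https://reports.example.invalid/login/"}  # placeholder host


def end_session_url(discovery_json: str, post_logout_redirect_uri: str,
                    id_token_hint: Optional[str] = None) -> Optional[str]:
    """Return the RP-initiated logout URL, or None if the provider publishes none.

    Entra advertises its logout URL as end_session_endpoint, so the application
    does not need to hard-code https://login.microsoftonline.com/<tenant>/oauth2/v2.0/logout.
    """
    if post_logout_redirect_uri not in ALLOWED_POST_LOGOUT:
        raise ValueError("post_logout_redirect_uri is not an allowed application URL")
    endpoint = json.loads(discovery_json).get("end_session_endpoint")
    if not endpoint:
        return None  # provider has no RP-initiated logout; clear the local session only
    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint  # lets the provider skip its "which account?" prompt
    return f"{endpoint}?{urlencode(params)}"


def authorize_url(discovery_json: str, client_id: str, redirect_uri: str, state: str,
                  prompt: str = "select_account") -> str:
    """Authorization request for the next login. prompt=select_account shows the
    account picker even when the browser still holds a provider session, which is
    the alternative discussed in the thread to logging the user out of Entra."""
    endpoint = json.loads(discovery_json)["authorization_endpoint"]
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "scope": "openid email profile", "state": state, "prompt": prompt}
    return f"{endpoint}?{urlencode(params)}"
```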
