Nicola Scendoni created SLING-13119:
---------------------------------------
Summary: Implement OIDC Single Logout (SP-Initiated Logout URL) in
Sling OIDC Authentication Handler
Key: SLING-13119
URL: https://issues.apache.org/jira/browse/SLING-13119
Project: Sling
Issue Type: Improvement
Components: Extensions
Reporter: Nicola Scendoni
*Description:*
Enhance the Sling OIDC Authentication Handler to support *OIDC Single Logout
(RP/SP-Initiated Logout)* by implementing the OpenID Connect RP-Initiated
Logout specification.
The goal is to allow Sling (Relying Party) to initiate logout at the OpenID
Provider (OP) and ensure the user session is properly terminated both locally
and at the Identity Provider.
*Scope of Work:*
* Implement support for end_session_endpoint discovery from the OIDC provider
metadata
* Add configuration support for:
** post_logout_redirect_uri
** Optional id_token_hint
* Implement redirect flow to OP logout endpoint
* Ensure local Sling session invalidation before/after redirect (as
appropriate)
* Handle state validation (if applicable)
* Ensure compatibility with existing authentication flows
*Acceptance Criteria:*
* When logout is triggered in Sling, user is redirected to the OP
end_session_endpoint
* OP session is terminated successfully
* User is redirected back to configured post_logout_redirect_uri
* Local Sling session is fully invalidated
* Feature is configurable and backward compatible
* Proper error handling if OP does not expose end_session_endpoint
*Out of Scope:*
* Back-channel logout
* Front-channel logout (iframe-based) unless explicitly required
*Technical Notes:*
* Follow [OpenID Connect RP-Initiated Logout 1.0|https://openid.net/specs/openid-connect-rpinitiated-1_0.html]
* Ensure thread safety and no regression in clustered environments
* Add integration test with a compliant OIDC provider (e.g., Keycloak)
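The following is an added worked example of the RP side of the flow described in the scope above (endpoint discovery, building the end_session_endpoint redirect with id_token_hint / client_id, post_logout_redirect_uri and state, local session invalidation before the redirect, single-use state validation on return, and the fallback when the OP exposes no end_session_endpoint). It is not code from the Sling OIDC Authentication Handler or from this ticket; it is protocol-level Python with only the standard library. The discovery document, the session dict, the client id "sling-site", the redirect URIs under sling.example.com and op.example.com, the LogoutCoordinator class and the STATE_TTL_SECONDS value are all constructed for illustration.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-in for an OP discovery document (not real provider metadata).
# An OP that does not implement RP-Initiated Logout simply omits end_session_endpoint.
SAMPLE_METADATA = {
    "issuer": "https://op.example.com/realms/demo",
    "authorization_endpoint": "https://op.example.com/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://op.example.com/realms/demo/protocol/openid-connect/token",
    "end_session_endpoint": "https://op.example.com/realms/demo/protocol/openid-connect/logout",
}

STATE_TTL_SECONDS = 300  # hypothetical lifetime of a pending logout round-trip


def discover_end_session_endpoint(metadata):
    """Return the OP's end_session_endpoint, or None when the OP advertises no usable one."""
    endpoint = metadata.get("end_session_endpoint")
    if not endpoint or urlsplit(endpoint).scheme != "https":
        return None  # absent or non-https: treat as unsupported instead of redirecting blindly
    return endpoint


def build_rp_initiated_logout_url(end_session_endpoint, post_logout_redirect_uri, state,
                                  id_token_hint=None, client_id=None):
    """Assemble the redirect to the OP's end_session_endpoint (RP-Initiated Logout 1.0, section 2).

    The spec recommends id_token_hint alongside post_logout_redirect_uri; OPs such as Keycloak
    refuse the redirect unless they can tie the URI to a client, so this helper insists on
    id_token_hint or, failing that, client_id.
    """
    params = {}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    elif client_id:
        params["client_id"] = client_id
    else:
        raise ValueError("post_logout_redirect_uri needs id_token_hint or client_id")
    params["post_logout_redirect_uri"] = post_logout_redirect_uri
    params["state"] = state
    parts = urlsplit(end_session_endpoint)
    # keep any query the OP already put on the endpoint, then append ours
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def parse_logout_url(url):
    """Split a logout redirect into (endpoint without query, {param: value}) for inspection."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")), dict(parse_qsl(parts.query))


class LogoutCoordinator:
    """RP-side logout state: the local session plus pending states awaiting the OP round-trip."""

    def __init__(self, metadata, post_logout_redirect_uri, client_id, now=time.time):
        self.end_session_endpoint = discover_end_session_endpoint(metadata)
        self.post_logout_redirect_uri = post_logout_redirect_uri  # must be registered at the OP
        self.client_id = client_id
        self.now = now
        self.pending = {}  # state -> expiry; kept outside the user session, which is cleared first

    def start_logout(self, session):
        """Invalidate the local session, then return the URL the user agent should be sent to."""
        id_token = session.get("id_token")
        session.clear()  # local logout happens even if the OP leg fails later
        if self.end_session_endpoint is None:
            # OP exposes no end_session_endpoint: local-only logout, land on the configured page
            return self.post_logout_redirect_uri
        state = secrets.token_urlsafe(32)
        self.pending[state] = self.now() + STATE_TTL_SECONDS
        return build_rp_initiated_logout_url(
            self.end_session_endpoint, self.post_logout_redirect_uri, state,
            id_token_hint=id_token, client_id=self.client_id,
        )

    def finish_logout(self, returned_state):
        """Handle the OP's redirect back: True only for a known, unexpired, never-used state."""
        self._expire()
        if not returned_state:
            return False
        for known in list(self.pending):
            if hmac.compare_digest(known.encode(), returned_state.encode()):
                del self.pending[known]  # single use
                return True
        return False

    def _expire(self):
        t = self.now()
        for state, expiry in list(self.pending.items()):
            if expiry <= t:
                del self.pending[state]
```

Two points this shape makes explicit for the Sling implementation: the state must survive the local session invalidation, so it cannot live in the session it is tearing down, and in a clustered deployment the in-memory pending map above would have to be replaced by a shared store or an integrity-protected cookie so that the node receiving the post_logout_redirect_uri callback can validate a state issued by another node.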