Unable to logout a federation user using Kong oidc plugin in kubernates

1

Unable to logout a federation user using Kong oidc
I have configured okta idp
When I logout federation user and try to login back it let me in with out password it seems user session already active how to logout the user
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: {{ .Values.kongPlugin.oidcKongPluginName }}
plugin: openid-connect
config:
auth_methods:

  • password
  • client_credentials
  • authorization_code
  • bearer
  • introspection
  • kong_oauth2
  • refresh_token
  • session
    authorization_cookie_name: authorization
    cache_introspection: true
    cache_tokens: true
    cache_user_info: true
    client_arg: client_id
    client_id: {{ .Values.kongPlugin.clientId }}
    client_secret: {{ .Values.kongPlugin.clientSecret }}
    consumer_by:
  • username
  • custom_id
    http_version: 1.1
    id_token_param_type:
  • query
  • header
  • body
    issuer: {{ .Values.kongPlugin.issuer }}
    redirect_uri: {{ .Values.kongPlugin.redirectUri }}
    jwt_session_claim: sid
    leeway: 0
    login_action: upstream
    login_methods:
  • authorization_code
    login_redirect_mode: fragment
    login_tokens:
  • id_token
    logout_methods:
  • POST
  • DELETE
  • GET
    logout_query_arg: logout
    logout_redirect_uri:
  • {{ .Values.kongPlugin.logoutRedirectUri1 }}
  • {{ .Values.kongPlugin.logoutRedirectUri2 }}
    logout_revoke: true
    #end_session_endpoint: ?
    #revocation_endpoint : https://xxxx.oktapreview.com/oauth2/v1/revoke
    logout_revoke_access_token: true
    logout_uri_suffix: _logout
    keepalive: true
    response_mode: query
    reverify: false
    scopes:
  • openid
    session_cookie_name: session
    session_cookie_lifetime: 1860
    ssl_verify: false
    timeout: 10000
    upstream_access_token_header: authorization:bearer
    upstream_user_info_header: x-userinfo
    verify_claims: true
    verify_nonce: true
    verify_parameters: false
    verify_signature: false
2

@bungle is our SME on OIDC. Aapo, any thoughts?

3

Yes, I think in that Okta is federated with other IdP and when Kong does RP-initiated logout on Okta, the Okta does not pass it to third party, and user still holds session with 3rd party IdP. Also I don’t think Okta passes authorization parameters like prompt=login if given to 3rd party IdP when Kong gives it first to Okta. Not sure if there are settings in Okta where you can forcefully add prompt=login. The flow happens, the user just doesn’t see it as the 3rd party IdP just sees the session and gives auth code back without asking credentials. I think Kong already does as much as it can, but it cannot force parameters that Okta uses, unless there is some other way that I do not know about.