Logout from multiple applications

What happened?

Continuing from this thread, because a custom flow is not supported, I did a workaround in which I used a redirect to sign out from Auth0. So I point the
signout_redirect_url: 'https://xxx.auth0.com/oidc/logout?client_id=xxxx'
so that when I hit https://external-url/.pomerium/sign_out it is logged out from Auth0 also.

So when I visit
https://external-url/ and log in to Auth0, it implements single sign-on as expected, because when I open https://external-url-2/ it does not prompt me to sign in.

But I wonder why, when I sign out, it does not work the same way?
So when I hit https://external-url/.pomerium/sign_out, I am logged out and prompted to log in if I visit https://external-url/ again. But when I visit https://external-url-2/ it still has the session and does not log me out.

What did you expect to happen?

It will prompt login from all external URLs

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version):
    {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"envoy_version":"1.25.5+b1095c058415dfb2261e695a0f144311a7dc346b6eb47ecbb0a01b7de2c7299f","version":"0.23.0-1693234251+5a4acc5c","time":"2023-09-12T15:18:28Z","message":"cmd/pomerium"}

  • Server Operating System/Architecture/Cloud:

What’s your config.yaml?

config.yaml

authenticate_service_url: https://auth.dev
routes:
  - from: 'https://test.dev'
    to: 'https://httpbin.org/get'
    allow_any_authenticated_user: true
    cors_allow_preflight: true
    set_request_headers:
      x-pomerium-idp-id-token: ${pomerium.id_token}
      x-pomerium-idp-access-token: ${pomerium.access_token}
      x-pomerium-client-cert-fingerprint: ${pomerium.client_cert_fingerprint}
    pass_identity_headers: true

  - from: 'https://test-2.dev'
    to: 'https://httpbin.org/get'
    allow_any_authenticated_user: true
    cors_allow_preflight: true
    set_request_headers:
      x-pomerium-idp-id-token: ${pomerium.id_token}
      x-pomerium-idp-access-token: ${pomerium.access_token}
      x-pomerium-client-cert-fingerprint: ${pomerium.client_cert_fingerprint}
    pass_identity_headers: true

cookie_secret: xxxxx

# Relative file location for a single cert
certificate_file: '/etc/data/cert/fullchain.cer'
certificate_key_file: '/etc/data/cert/*.pom.dev.key'

signing_key: XXXXXXX

frontchannel_logout_uri: 'https://test.dev'
signout_redirect_url: 'https://xxx.auth0.com/oidc/logout?client_id=xxxx'

idp_provider: 'auth0'
idp_provider_url: 'https://xxx.auth0.com'
idp_client_id: 'abc123' # from the web application
idp_client_secret: 'secret123' # from the web application

skip_xff_append: true
pomerium_debug: true
set_authorization_header: pass_through

What did you see in the logs?

nothing in particular

Hi Dennis,

Logging out of a route will not log you out of all the other sessions a user may have with Pomerium. Some routes may share a session (basically if they have the same domain name), in which case it would log you out of all of those routes. But if the routes have separate sessions only one of them will get logged out.

I believe when the IdP logs you out it will revoke the tokens. This means attempting to use the refresh token with the IdP will return an error. In Pomerium we do not have an immediate feedback mechanism from the IdP to know when this happens. So sessions will continue to persist. However when we attempt to refresh the session token, at that point it will fail, and we will delete the corresponding session.

What this means in practice is that the IdP will give us tokens which are valid for a certain amount of time, suppose 1 hour. A user logs out of Auth0, those tokens are revoked, but sessions in Pomerium still work for some time (< 1 hour) until we attempt to refresh the token; it fails, then the sessions are deleted, and 1 minute later calls to the authorize service start returning “need to login” errors.

How long does it take for Pomerium to refresh the token again?
Is it configurable to make the token refresh interval shorter? Because the guide from Auth0 also recommends: have short timeouts on your local session and redirect to Auth0 at short intervals to re-authenticate, for logging out from applications.

I did not see a way in Auth0’s management console to set the access token expiration timestamp used as part of OIDC login. I did see a way to set the refresh token expiration. But it’s the access token’s timestamp that would be used when refreshing sessions. (there is a minute grace period, so we should attempt to refresh the Auth0 session one minute before it times out)

It is possible to set the session expiration in Pomerium using Cookies Settings | Pomerium. After that time has elapsed the user would be logged out regardless of the timestamps on the Auth0 session.
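The two replies above describe a timeline: per-route sessions, a refresh attempted one minute before the IdP access token expires, deletion of the session when that refresh fails because the IdP revoked the tokens, and a proxy-side session lifetime cap that logs the user out regardless of the IdP tokens. The following Go program is an added illustration written for this thread, not Pomerium's own code: it models those rules with a toy IdP and session store, then replays the reporter's scenario (two routes logged in through one SSO login, tokens valid for one hour, a sign-out on route-1 at minute 10) and reports the first minute at which route-2 is refused. The route names, token values, timestamps and the one-hour token lifetime are constructed; the one-minute delay between session deletion and the authorize service refusing requests, mentioned in the reply, is not modelled.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// refreshGrace mirrors the one-minute grace period from the reply: the
// session is refreshed one minute before the access token expires.
const refreshGrace = time.Minute

// IdP is a toy identity provider (stand-in for Auth0) that remembers which
// refresh tokens a logout has revoked.
type IdP struct {
	revoked  map[string]bool
	tokenTTL time.Duration
}

// Logout models the IdP-side logout reached via signout_redirect_url.
func (p *IdP) Logout(refreshToken string) { p.revoked[refreshToken] = true }

// Refresh mints a new access-token expiry, or fails for a revoked token.
func (p *IdP) Refresh(refreshToken string, now time.Time) (time.Time, error) {
	if p.revoked[refreshToken] {
		return time.Time{}, errors.New("invalid_grant: refresh token revoked")
	}
	return now.Add(p.tokenTTL), nil
}

// Session is one per-route proxy session; routes on different domains
// do not share one.
type Session struct {
	RefreshToken string
	AccessExpiry time.Time
	HardExpiry   time.Time // absolute session lifetime cap; zero means none
}

// Store holds the proxy-side sessions and talks to the IdP on refresh.
type Store struct {
	idp      *IdP
	sessions map[string]*Session
}

// SignOut is the /.pomerium/sign_out step: only the named route's session
// is dropped locally, then the IdP logout is triggered by the redirect.
func (s *Store) SignOut(route string) {
	if sess, ok := s.sessions[route]; ok {
		s.idp.Logout(sess.RefreshToken)
		delete(s.sessions, route)
	}
}

// Authorize says whether the route's session is usable at time now,
// refreshing near expiry and deleting a session whose refresh fails.
func (s *Store) Authorize(route string, now time.Time) (bool, string) {
	sess, ok := s.sessions[route]
	if !ok {
		return false, "need to login: no session"
	}
	if !sess.HardExpiry.IsZero() && !now.Before(sess.HardExpiry) {
		delete(s.sessions, route)
		return false, "need to login: session lifetime exceeded"
	}
	if !now.Before(sess.AccessExpiry.Add(-refreshGrace)) {
		exp, err := s.idp.Refresh(sess.RefreshToken, now)
		if err != nil {
			delete(s.sessions, route)
			return false, "need to login: " + err.Error()
		}
		sess.AccessExpiry = exp
	}
	return true, "ok"
}

// Replay runs the scenario minute by minute for three hours and returns the
// first minute at which route-2 is refused, or -1 if it never is.
// hardCap > 0 applies a proxy-side session lifetime cap to both sessions.
func Replay(hardCap time.Duration, signOutRoute1 bool) int {
	start := time.Date(2023, 9, 12, 15, 0, 0, 0, time.UTC) // constructed
	idp := &IdP{revoked: map[string]bool{}, tokenTTL: time.Hour}
	store := &Store{idp: idp, sessions: map[string]*Session{}}
	var hard time.Time
	if hardCap > 0 {
		hard = start.Add(hardCap)
	}
	for _, route := range []string{"route-1", "route-2"} {
		store.sessions[route] = &Session{
			RefreshToken: "rt-sso-1", // both routes came from one SSO login
			AccessExpiry: start.Add(time.Hour),
			HardExpiry:   hard,
		}
	}
	for minute := 0; minute <= 180; minute++ {
		now := start.Add(time.Duration(minute) * time.Minute)
		if signOutRoute1 && minute == 10 {
			store.SignOut("route-1")
		}
		if ok, _ := store.Authorize("route-2", now); !ok {
			return minute
		}
	}
	return -1
}

func main() {
	fmt.Println("no cap, sign-out at min 10: route-2 refused at minute", Replay(0, true))
	fmt.Println("30m cap, sign-out at min 10: route-2 refused at minute", Replay(30*time.Minute, true))
	fmt.Println("no cap, no sign-out:        route-2 refused at minute", Replay(0, false))
}
```

Run as-is with `go run`: without a cap, route-2 keeps working until the refresh at minute 59 fails (the window the reply calls "some time < 1 hour"); with a 30-minute proxy-side cap it is refused at minute 30 regardless of the IdP; with no sign-out at all the refreshes keep succeeding and route-2 is never refused.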