What happened?
I used auth0 as the IdP with a simple flow like this:
client → pomerium → auth0 (IdP)
When I tried to sign out at https://external-url/.pomerium/sign_out, it does not sign out from auth0.
Does auth0 support front-channel logout, or is this not supported? I only see back-channel logout in the auth0 docs, and I don't see back-channel logout in the pomerium docs, so it is quite confusing.
Is there another workaround? I want to achieve single sign-out so auth0 will be logged out as well when we log out from pomerium.
What did you expect to happen?
The auth0 will be logged out as well
What’s your environment like?
- Pomerium version (retrieve with pomerium --version):
  {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"envoy_version":"1.25.5+b1095c058415dfb2261e695a0f144311a7dc346b6eb47ecbb0a01b7de2c7299f","version":"0.23.0-1693234251+5a4acc5c","time":"2023-09-12T15:18:28Z","message":"cmd/pomerium"}
- Server Operating System/Architecture/Cloud:
What’s your config.yaml?
config.yaml
authenticate_service_url: https://auth.dev
routes:
  - from: 'https://test.dev'
    to: 'https://httpbin.org/get'
    allow_any_authenticated_user: true
    cors_allow_preflight: true
    set_request_headers:
      x-pomerium-idp-id-token: ${pomerium.id_token}
      x-pomerium-idp-access-token: ${pomerium.access_token}
      x-pomerium-client-cert-fingerprint: ${pomerium.client_cert_fingerprint}
    pass_identity_headers: true
cookie_secret: xxxxx
# Relative file location for a single cert
certificate_file: '/etc/data/cert/fullchain.cer'
certificate_key_file: '/etc/data/cert/*.pom.dev.key'
signing_key: XXXXXXX
frontchannel_logout_uri: 'https://test.dev'
signout_redirect_url: 'https://google.com'
idp_provider: 'auth0'
idp_provider_url: 'https://xxx.auth0.com'
idp_client_id: 'abc123' # from the web application
idp_client_secret: 'secret123' # from the web application
skip_xff_append: true
pomerium_debug: true
set_authorization_header: pass_through
What did you see in the logs?
nothing in particular