[PR #2553] [MERGED] OpenID: Implement Logout + Fix state + Fix URL Regex #3734

Closed
opened 2026-04-25 00:16:51 +02:00 by adam · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/advplyr/audiobookshelf/pull/2553
Author: @Sapd
Created: 1/25/2024
Status: Merged
Merged: 2/18/2024
Merged by: @advplyr

Base: master ← Head: sso


📝 Commits (10+)

  • 87ebf47 OpenID/SSO: Implement Logout functionality
  • f12ac68 /auth/openid: Restructure
  • d4ed634 Auth: Store auth_method longer
  • edb5ff1 SSO: Remove pick function
  • 71b0a5c SSO Settings: Fix Redirect URL Regex
  • 82048cd SSO: Also save openid_id_token longer
  • c3ba7da Auth: Remove is_rest cookie
  • a5c200a Merge branch 'master' into sso
  • d7aba56 Remove old login rate limiter
  • bf66e13 Update jsdocs

📊 Changes

9 files changed (+180 additions, -431 deletions)


📝 client/pages/account.vue (+21 -7)
📝 client/pages/config/authentication.vue (+1 -1)
📝 server/Auth.js (+157 -113)
📝 server/Server.js (+0 -27)
📝 server/SocketAuthority.js (+0 -19)
📝 server/controllers/MiscController.js (+1 -1)
➖ server/libs/expressRateLimit/LICENSE (+0 -20)
➖ server/libs/expressRateLimit/index.js (+0 -196)
➖ server/libs/expressRateLimit/memory-store.js (+0 -47)

📄 Description

Implement OpenID Logout

  • The POST request to /logout will now optionally respond with a redirect_url parameter. The client is supposed to follow it if it's there (or open it in a browser if app).
  • The ABS frontend will now redirect to it when supplied.
  • For the redirect_url (end-session OIDC URL) - https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
    • Implemented id_token_hint - actually an optional but recommended parameter. After googling a bit, it seems some SSO providers even require it for security. On providers like Keycloak, when it's supplied, the user experience is a bit better because it will directly skip the Keycloak logout screen and redirect back.
    • post_logout_redirect_uri is also implemented, which will simply point to absurl://login. On mobile it won't be provided because of the high code complexity for that, but the mobile app (or other mobile apps) can optionally append &post_logout_redirect_uri=audiobookshelf://login or so to the URL if they want. But this URL - if provided - needs to be whitelisted in the SSO provider by the user (often labeled as logout redirect URL whitelist).

Btw. if you test it, Authentik currently implements neither id_token_hint nor post_logout_redirect_uri; the redirect back will always be to the application URL configured in Authentik (when you click on "log back in again").

Other changes

  • Introduced a new cookie auth_method to store the login method used, such as openid, openid-mobile, local, or api. Actually required for logout, but I think we can also use it to make the UX in the app a bit easier, as we now have a state of how the current session was logged in.
  • Removed the is_rest cookie as it is no longer required.
  • If using mobile, the backend now accepts a state parameter if provided, making it fully compliant with the OAuth2 specs. It also makes tests like http://oidcdebugger.com pass against absurl://auth/openid.
  • Reworked the auth/openid route. This includes removing unused id_token code, implementing parameter sanity checks, and clearly separating the handling of mobile and non-mobile scenarios. Also only support the 'S256' challenge (plain is in the OAuth2 specs because there was a time when not every device had the ability for SHA256..., but if a device can do SHA256 it needs to use it anyway according to the spec).
  • Fixed a bug in the regex used for validating redirect URLs; subpaths didn't work.

Old app versions work with the changes. I also tested implementing the logout process in the app, which also works. However, the app also needs some revision regarding the UI when changing/editing servers.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

adam added the pull-request label 2026-04-25 00:16:51 +02:00
adam closed this issue 2026-04-25 00:16:51 +02:00

Reference: starred/audiobookshelf#3734