After a user has logged into multiple services using uffd as an SSO identity provider, he might eventually click the logout button in one of the services or in uffd. The user probably expects to be logged out of uffd as well as all services he logged in to.
SAML would provide a Single-Log-Out (SLO) mechanism, but OAuth2 does not. We could simply revoke all OAuth2 access tokens related to the current session, but the services will not regularly check if their access token is still valid. Other solutions provide services with a session_id attached to the access token that the IdP sends to the service in a server-to-server request on logout. This is not widely supported by services and rather complex to implement.
Probably the simplest way is to make the browser call the logout URLs of all services.
Logout URLs for different services:
- GitLab: POST request to /users/sign_out
- Nextcloud: /logout requires a CSRF token. Doesn't seem to be possible directly. Maybe implement cookie-clearing in oauthproxy.
- DokuWiki: GET request to /start?do=logout
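A sketch of the browser-driven approach, as an added example that is not uffd's own code: it builds the markup a logout page could embed so the browser requests each service's logout URL. The hostnames, the `SERVICES` table and the function names are assumptions; the paths and methods are the ones listed above, and Nextcloud is skipped because its /logout requires a CSRF token.

```javascript
// Constructed sample config: hostnames are placeholders, paths/methods are from the list above.
const SERVICES = [
  { name: "GitLab", method: "POST", url: "https://gitlab.example.org/users/sign_out" },
  // method null = no direct call possible (logout requires a CSRF token)
  { name: "Nextcloud", method: null, url: "https://cloud.example.org/logout" },
  { name: "DokuWiki", method: "GET", url: "https://wiki.example.org/start?do=logout" },
];

// Escape a value before placing it inside an HTML attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Returns { html, skipped }: hidden iframes/forms for the logout page, plus the
// names of services that cannot be logged out this way.
function buildLogoutMarkup(services) {
  const parts = [];
  const skipped = [];
  let hasPost = false;
  services.forEach((svc, i) => {
    let u;
    try { u = new URL(svc.url); } catch { skipped.push(svc.name); return; }
    // Only https targets and plain GET/POST are emitted; anything else is reported.
    if (u.protocol !== "https:" || !["GET", "POST"].includes(svc.method)) {
      skipped.push(svc.name);
      return;
    }
    const frame = `slo-frame-${i}`;
    const href = escapeHtml(u.href);
    if (svc.method === "GET") {
      parts.push(`<iframe name="${frame}" src="${href}" hidden></iframe>`);
    } else {
      // POST: an empty form submitted into its own hidden iframe.
      parts.push(`<iframe name="${frame}" hidden></iframe>`);
      parts.push(`<form class="slo-post" method="post" action="${href}" target="${frame}" hidden></form>`);
      hasPost = true;
    }
  });
  if (hasPost) {
    parts.push(`<script>for (const f of document.querySelectorAll("form.slo-post")) f.submit();</script>`);
  }
  return { html: parts.join("\n"), skipped };
}
```

Whether the browser attaches a service's session cookie to these cross-site requests depends on that cookie's SameSite setting, so each service has to be checked individually.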