Foundry OAuth when using OSDK : Logout issue

Hi there !

We’re using Foundry as a backend for some client apps.

When trying to implement a logout, I’ve found the following endpoint:

/multipass/api/logout

Unfortunately, this endpoint doesn’t handle redirections as per OpenID Connect’s standards (for example using post_logout_redirect_uri).

This leaves the user with a browser page that never closes, which is less than ideal especially on native mobile apps.

Is this something that could be implemented ? If not, is there any way around this currently ?

Thanks a lot !


Hi!

Are you able to share the request the client app is making to Foundry and the response it is receiving?

Thanks for replying !

Um it’s all quite fast browser-based redirections so I don’t really have much as it’s happening outside the app.

Here’s how it goes:

  • Client (mobile) app opens a browser window with foundry_url/multipass/api/logout
  • This then redirects to https://auth.patient1st.ai/.../logout (which is our configured identity provider)
  • Which after successfully logging out redirects to foundry_url/multipass/goodbye

Since there’s no redirection back to the app (as it appears that the initial endpoint doesn’t accept any post logout redirect uri), the browser window stays open on top of the app.

Everything is happening in a browser the app opens, so there’s not much info about the exact payloads (unless I set up some kind of proxy tool to inspect traffic, but hopefully there’s no need to :laughing:)

This is helpful, thank you! Indeed this is a non-ideal UX, thanks for putting it on our radar!

Unfortunately, as you mentioned, the end of the OIDC session will always be followed by a redirect to multipass/goodbye and there is currently no workaround in Foundry - the client would need to manage the logout window somehow.

My pleasure !

I have a few workarounds in mind such as using timeouts to close the opened window, etc.
But I’d like to avoid implementing them as it might create some issues, especially on iOS devices (mobile context).

Do you think that a post_logout_redirect_uri (as per OIDC standards - link in my initial post) can be implemented on Foundry’s side in the foreseeable future ?

Thanks a lot !

Just to clarify, based on my understanding of the specs you linked, the RP (in this case foundry/multipass) will call the OP’s (OpenID Provider) logout endpoint with post_logout_redirect_uri set to the foundry goodbye page. This is all working as expected.

The FR we’re tracking is a custom goodbye page which would definitely help developers. Unfortunately, we are not planning to implement this in the near future.

Um what I’m suggesting is making the /multipass/logout endpoint accept a post_logout_redirect_uri (which can default to the goodbye page). And if present, redirect to it instead of the goodbye page.

Because for now we can’t really implement a logout in our mobile apps, which can be an issue for our users :confused:
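
The redirect decision suggested in the last post, as an added example that is not part of the thread and is not Foundry's code: a logout endpoint that honours `post_logout_redirect_uri` only when it exactly matches a URI registered for the client, and otherwise falls back to the goodbye page, so the parameter cannot be used as an open redirect. The function name, the registry, the client id `mobile-app` and the example URIs are assumptions; `client_id` and `state` are the optional parameters defined by OpenID Connect RP-Initiated Logout.

```javascript
// Added example: hypothetical logout redirect logic, not Foundry's implementation.
const GOODBYE_PATH = "/multipass/goodbye"; // default landing page named in the thread

// Constructed sample registry: client_id -> exact post-logout URIs registered for it.
const REGISTERED_LOGOUT_URIS = new Map([
  ["mobile-app", ["com.example.app:/logged-out", "https://app.example.com/logged-out"]],
]);

// Schemes never accepted as a redirect target, even if someone registered them.
const BLOCKED_SCHEMES = ["javascript:", "data:", "file:"];

/**
 * Decide where to send the browser once the session has been ended.
 * `query` is the raw query string of the logout request.
 * Returns a registered URI (with `state` echoed back) or the goodbye page.
 */
function resolvePostLogoutRedirect(query, registry = REGISTERED_LOGOUT_URIS) {
  const params = new URLSearchParams(query);
  const requested = params.get("post_logout_redirect_uri");
  const clientId = params.get("client_id");
  if (!requested || !clientId) return GOODBYE_PATH;

  // Exact string comparison only: no prefix, wildcard or host-only matching,
  // which is what keeps the parameter from becoming an open redirect.
  const allowed = registry.get(clientId) ?? [];
  if (!allowed.includes(requested)) return GOODBYE_PATH;

  let target;
  try {
    target = new URL(requested);
  } catch {
    return GOODBYE_PATH; // malformed registration: fail closed
  }
  if (BLOCKED_SCHEMES.includes(target.protocol)) return GOODBYE_PATH;

  // Echo `state` so the app can tie the callback to the logout it started.
  const state = params.get("state");
  if (state !== null) target.searchParams.set("state", state);
  return target.toString();
}
```

A mobile client would register its custom-scheme or universal-link URI once and pass it on logout; any value that is not an exact match lands on the goodbye page exactly as it does today.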