Logout fails to clear OpenID Connect session - coder/zitadel integration #13904

Open

@kleberbaum

Description

Describe the Bug

We use self-hosted Coder with OpenID Connect by ZITADEL v2.55.2 in a lab environment. Multiple scientists use Coder on a shared lab computer. When they log out successfully and are redirected back to the login page, the session is still active at ZITADEL. If a different scientist clicks the "OpenID Connect" button, it will directly redirect them to the dashboard of the previous scientist without prompting for a username and password again.

This behavior is contrary to the OpenID Connect 1.0 Specification, which suggests that the session should be properly terminated. There is a similar issue reported with Keycloak (#8413).

This is not only a security issue; it also hinders the scientists from switching users without admin intervention, greatly impacting the workflow. This increases maintenance and lowers morale. Therefore, this issue concerns basic functionality and is of utmost importance for us to continue using Coder.

Expected Behavior

Once the OpenID Provider (OP) has been identified, the configuration information for that OP should be retrieved in accordance with the OpenID Connect Discovery Specification, including its end_session_endpoint location.

On 'Sign Out' Coder should redirect the user-agent to the end_session_endpoint. The user should then be redirected to the post_logout_redirect_uris on the client, which is determined by the id_token_hint or the client_id as a parameter in the logout request.

References:

Screenshots

The login prompt is missing on the second login because the session isn't logged out correctly.


To Reproduce

Steps to reproduce the behavior:

  1. Click on 'Sign in with OpenID Connect'
  2. Enter your 'Login Name'
  3. Enter your 'Password'
  4. Get redirected to 'Coder Dashboard'
  5. Go to 'Top Right Corner Menu'
  6. Click on 'Sign Out'
  7. Get redirected to 'Login Page'
  8. Click 'Sign in with OpenID Connect' again
  9. See error (Can't switch to another user; instead, auto-logged in with the previous user)

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser: Google Chrome
  • Version: 126.0.6478.127

Additional context

Hi @Yanbin-Fu. I believe Coder's current behavior is in line with the OIDC spec; it only invalidates Coder's token, not the one from the identity provider.

Is there other software that you use with OIDC that will also invalidate the identity provider token when the user logs out? It looks like it is technically possible for us to do this, but it is not standard.

Originally posted by @bpmct in #8413 (comment)

I do not think this is true. Coder does not support RP-Initiated Logout, although many other resource servers do.

Many resource servers support this via an optional CODER_OAUTH2_CUSTOM_LOGOUT_URL variable. If set, the user will be redirected to the OP on logout, which then redirects back to Coder via post_logout_redirect_uri.

Originally posted by @schettn in #8413 (comment)
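The flow described under Expected Behavior, as an added Go example that is not Coder's or ZITADEL's code: it reads end_session_endpoint from the OP's discovery document, builds the RP-Initiated Logout redirect with id_token_hint, client_id, post_logout_redirect_uri and state, and falls back to a local-only logout when the OP advertises no end-session endpoint. The discovery document, endpoint path, client id, cookie name and handler are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/url"
)

// Subset of the OP's discovery document (/.well-known/openid-configuration).
type discovery struct {
	EndSessionEndpoint string `json:"end_session_endpoint"`
}

// Constructed sample discovery document; the endpoint path is illustrative only.
const sampleDiscovery = `{"issuer":"https://idp.example.test","end_session_endpoint":"https://idp.example.test/oidc/v1/end_session"}`

// LogoutURL builds the RP-Initiated Logout redirect from the discovery document.
// idToken becomes id_token_hint (which OP session to end); state is echoed back by the OP.
func LogoutURL(discoveryJSON, idToken, clientID, postLogoutRedirect, state string) (string, error) {
	var d discovery
	if err := json.Unmarshal([]byte(discoveryJSON), &d); err != nil {
		return "", err
	}
	if d.EndSessionEndpoint == "" {
		return "", errors.New("OP advertises no end_session_endpoint; only a local logout is possible")
	}
	u, err := url.Parse(d.EndSessionEndpoint)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", errors.New("end_session_endpoint must be an absolute https URL")
	}
	q := u.Query()
	q.Set("id_token_hint", idToken)
	q.Set("client_id", clientID)
	q.Set("post_logout_redirect_uri", postLogoutRedirect)
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// SignOutHandler (hypothetical) clears the RP's own cookie first, then sends the
// user-agent to the OP; when no OP logout is possible it falls back to a local logout.
func SignOutHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session_token", Value: "", MaxAge: -1, Path: "/"})
	target, err := LogoutURL(sampleDiscovery, "<id_token saved at login>", "coder", "https://coder.example.test/login", "n0nce")
	if err != nil {
		target = "/login"
	}
	http.Redirect(w, r, target, http.StatusSeeOther)
}
func main() { http.HandleFunc("/logout", SignOutHandler) }
```

The OP only honours post_logout_redirect_uri values registered for that client, so the URI used here must match the client configuration at the IdP.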
