In Google/Social land, this is something that would need to be taken into consideration, I think, but most customers would also be brokering out to other OIDC/IDM providers most commonly, I would imagine, so we need to cater for these, as not having SSO logout functionality will be brought up in a pentest as an issue. There is a section on how to test SSO-based logouts here: [OTG-SESS-006|https://www.owasp.org/index.php/Testing_for_logout_functionality_(OTG-SESS-006)]
Maybe this requires further spiking? I'm not sure if this is ready to tackle, as we would need to see how we would even get the 3rd-party IdP logout endpoint, given that Keycloak is sitting in front. WDYT?
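As an added illustration of the brokered-logout question raised in the comment above (example code written for this page, not Keycloak's implementation and not the commenter's), the block below shows where a broker would get the upstream IdP's logout endpoint from and what a pentester checking OTG-SESS-006 would expect it to send: the OIDC discovery document (`/.well-known/openid-configuration`) advertises `end_session_endpoint` (RP-Initiated Logout) and the `frontchannel_logout_supported` / `backchannel_logout_supported` flags; if none are present, as with many social providers, the broker can only end its own session. The two discovery documents, the issuer hostnames, the `id_token_hint` value and the redirect URIs are all constructed placeholders.

```python
"""Added example, not project code: discover an upstream OIDC provider's logout
support and build an RP-Initiated Logout redirect for it, with the checks a
logout test (OTG-SESS-006) would look for."""
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed discovery document in the shape of /.well-known/openid-configuration.
# Hostname and paths are placeholders, not a real provider.
UPSTREAM_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "end_session_endpoint": "https://idp.example.test/oauth2/logout",
    "frontchannel_logout_supported": True,
    "backchannel_logout_supported": False,
})

# Constructed document for a provider that publishes no logout support at all,
# which is the "Google/Social land" case: only a local logout is possible.
NO_LOGOUT_DISCOVERY_JSON = json.dumps({
    "issuer": "https://social.example.test",
    "authorization_endpoint": "https://social.example.test/o/authorize",
    "token_endpoint": "https://social.example.test/o/token",
})


def logout_capabilities(discovery_json: str) -> dict:
    """Summarise what an upstream IdP advertises for logout.

    end_session_endpoint comes from OIDC RP-Initiated Logout; the two booleans
    come from the Front-Channel and Back-Channel Logout specs. Missing keys
    mean the provider offers no way to terminate the upstream session, so the
    broker must treat logout as local-only and say so in its own logout flow.
    """
    doc = json.loads(discovery_json)
    return {
        "issuer": doc.get("issuer"),
        "end_session_endpoint": doc.get("end_session_endpoint"),
        "frontchannel": bool(doc.get("frontchannel_logout_supported", False)),
        "backchannel": bool(doc.get("backchannel_logout_supported", False)),
    }


def is_registered_redirect(uri: str, registered: list) -> bool:
    """Exact-match allowlist check for post_logout_redirect_uri.

    Prefix or substring matching here is the classic open-redirect finding:
    the IdP would send the browser wherever the logout link author chose.
    """
    return uri in registered


def build_rp_initiated_logout_url(discovery_json: str, id_token_hint: str,
                                  post_logout_redirect_uri: str,
                                  registered_redirect_uris: list,
                                  state: str = None):
    """Return the URL the broker redirects the browser to for upstream logout.

    Returns None when the upstream publishes no end_session_endpoint.
    Raises ValueError when the redirect URI is not registered with the upstream.
    id_token_hint is the ID token the upstream issued to the broker; it lets the
    upstream identify which session to end without an extra prompt.
    """
    endpoint = logout_capabilities(discovery_json)["end_session_endpoint"]
    if endpoint is None:
        return None
    if not is_registered_redirect(post_logout_redirect_uri, registered_redirect_uris):
        raise ValueError("post_logout_redirect_uri is not registered with the upstream IdP")
    params = {
        "id_token_hint": id_token_hint,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    if state is not None:
        params["state"] = state  # echoed back so the broker can correlate the return
    return f"{endpoint}?{urlencode(params)}"


def logout_url_parts(url: str) -> dict:
    """Split a logout URL into its endpoint and single-valued query parameters."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"endpoint": f"{parts.scheme}://{parts.netloc}{parts.path}", "params": query}


if __name__ == "__main__":
    # Placeholder token and broker callback; a real broker would use the ID token
    # it received from the upstream and the callback it registered there.
    callback = "https://broker.example.test/broker/upstream/endpoint/logout_response"
    print(build_rp_initiated_logout_url(UPSTREAM_DISCOVERY_JSON, "hdr.payload.sig",
                                        callback, [callback], state="s1"))
    print(build_rp_initiated_logout_url(NO_LOGOUT_DISCOVERY_JSON, "hdr.payload.sig",
                                        callback, [callback]))
```

When testing a brokered deployment, the useful follow-up checks are the ones this code only hints at: after the redirect chain completes, re-present the pre-logout session cookie to the broker and to the upstream and confirm both reject it, and for an upstream with no `end_session_endpoint` confirm the broker's logout page tells the user their upstream session is still alive rather than silently reporting success.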