OIDC not redirecting to logout url of provider after session time out.

0
We are using the OIDC SSO module v2.1.1 for the login flow. We have configured SessionTimeOut as well. But after the session times out, the application is not calling the OIDC provider logout URL or redirecting to the OIDC provider login page to re-login. The application is redirected to the default login page created in Mendix. This is a major issue from a security point of view. Is there any lifecycle hook to interrupt after SessionTimeOut to call the ACT_Logout microflow of OIDC? Any other solution to tackle this major security problem? OIDC SSO Module: https://marketplace.mendix.com/link/component/120371
asked
2 answers
0

Hey,
You may find a custom widget for timeout that contains a trigger action.
Or you can create an object associated with the session when the user logs in, set the delete behavior to "delete this object when the session object is deleted", and create a before-delete event handler on this entity that triggers your OIDC logout logic.

answered
0

Hi Pravin,
I searched the forum a bit and found this forum post:

https://forum.mendix.com/link/space/app-development/questions/9231
It looks like changing the originURI will prevent this behaviour.

https://docs.mendix.com/developerportal/deploy/environments-details/#4223-using-custom-sign-in-pages
This will then redirect to the custom sign-in page.

Or try this suggestion: https://forum.mendix.com/link/space/microflows/questions/99927

answered