Cannot log out when OpenID Connect is set up #4780

Closed
Tracked by #4779
zbalkan opened this issue Oct 31, 2022 · 4 comments
Labels
type/bug Bug issue

Comments

zbalkan commented Oct 31, 2022

Wazuh: 4..9
Elastic: Wazuh-Indexer
Rev: N/A
Security: Basic
Browser: N/A

Description
When OIDC is set up, the logout action redirects to the https://hostname/logout page without any redirection and without actually logging out of the OIDC provider. So, when a user logs in, there is no way to log out.

Preconditions

  1. Install Wazuh 4.3.9 using Wazuh-Indexer and Wazuh-Dashboard.
  2. Have an OIDC provider, e.g. Keycloak.
  3. Set up OpenID Connect according to the OpenSearch documents.

Steps to reproduce

  1. Log in to Wazuh using OpenID Connect SSO.
  2. Click on 'Logout'.

Expected Result

  1. Redirect to http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri, where encoded redirect URI is the encoded format of https://hostname/app/login: https%3A%2F%2Fhostname%2Fapp%2Flogin.
  2. Log out of the session by the use of redirection.
  3. Display Wazuh login page.

Actual Result

  1. Redirects to https://hostname/logout and gets HTTP 404 Not Found result.

Screenshots

[image: Sample Wazuh SSO login screen using Keycloak]
[image: Logging out]
[image: Logout result]

Additional context

  • There is a similar issue related to logout created in April.
  • When you look at the code for logging out, there is no mention of handling those kinds of requests.

zbalkan added the type/bug Bug issue label Oct 31, 2022

gdiazlo (Member) commented Oct 31, 2022

Thanks for reporting this, @zbalkan. We're also fixing this for SAML in #4779; I believe the same fix will apply to all the auth methods which differ from the internal one.

zbalkan (Author) commented Oct 31, 2022

Hi @gdiazlo,

I see that the related PR uses Keycloak. Will there be a Keycloak SSO documentation for SAML and OIDC?

zbalkan (Author) commented Oct 31, 2022

Another question. Does the merged PR handle logout for the Wazuh session or for the SSO provider? Because the latter would mean that, unintentionally, a user can log out of the SSO provider.

AlexRuiz7 changed the title from "Cannout log out when OpenID Connect is set up" to "Cannot log out when OpenID Connect is set up" Nov 9, 2022

AlexRuiz7 (Member) commented

Solved together with #4779
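
An added example (not code from this issue or from the Wazuh or OpenSearch projects): a logout handler that always drops the local session and, only when single logout is enabled, redirects to the provider logout URL in the form given under Expected Result, which makes the local-session versus SSO-provider distinction raised in the comments explicit. The function names, config keys, allow-list and the realm name `example` used to exercise it are assumptions.

```javascript
// Added example: names and config keys are hypothetical, not Wazuh/OpenSearch code.
// Constructed sample value; mirrors the return URL used in the issue.
const ALLOWED_RETURN_URLS = new Set(['https://hostname/app/login']);

// Build {logoutEndpoint}?redirect_uri={percent-encoded return URL}.
// `redirect_uri` is the parameter name shown in the issue; OpenID Connect
// RP-Initiated Logout 1.0 names the equivalent `post_logout_redirect_uri`.
function buildProviderLogoutUrl(logoutEndpoint, returnUrl, paramName = 'redirect_uri') {
  const endpoint = new URL(logoutEndpoint); // throws on malformed input
  if (!['https:', 'http:'].includes(endpoint.protocol)) {
    throw new Error('unsupported logout endpoint scheme');
  }
  // Exact match after normalisation. A prefix or substring test would accept
  // look-alike hosts and turn the logout link into an open redirect.
  const normalized = new URL(returnUrl).href;
  if (!ALLOWED_RETURN_URLS.has(normalized)) {
    throw new Error('return URL is not allow-listed');
  }
  endpoint.searchParams.set(paramName, normalized); // percent-encodes the value
  return endpoint.href;
}

// Local logout clears only this application's session; the provider session
// stays alive. Single logout also ends the provider session, which affects
// every application that shares it, so it is an explicit setting here.
function handleLogout(session, config) {
  session.cookie = null; // always drop the local session first
  if (config.authType === 'openid' && config.singleLogout) {
    try {
      const location = buildProviderLogoutUrl(config.logoutEndpoint, config.returnUrl);
      return { status: 302, location };
    } catch (err) {
      // Misconfiguration: fall through to the local login page, never a 404.
    }
  }
  return { status: 302, location: config.loginPath };
}
```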
