Logout flow completion logic in views is SAML-specific

Description

The logic in various places in the logout views that auto-completes the flow with a proceed event is SAML-specific, based on testing for the flow ID. That was always dumb. We can generalize that by using a signal in the LogoutContext that indicates whether the flow is complete, and the views can be updated to test for that being false to render the hidden frame.

In one case it’s internal in a view fragment, but there are also two places that will require manual update for 5.1, in order to allow use of the OIDC logout feature in the plugin. It’s a bit messier than is ideal but not much to be done.

TBD in the future if we try to expose the redirect back to the RP as a full-frame thing, but that’s a difficult thing to do as it was with SAML to begin with. We’d need to get the flow to complete and end up offering a link or something, which would not be compliant anyway, so I’m not inclined to worry about it right now.

Environment

None

Activity

Scott Cantor 
February 14, 2024 at 6:20 PM

Added a completed flag in LogoutContext and altered the views to use it. The only visible change is to the logout-complete.vm view; added that to release notes.

The way this was implemented, the flow defaults to "not complete" so there is no change to the SAML or OIDC logout flows. The simple redirect logout flow sets the flag as a signal that it's a different case not needing the final redirect.

Done

Created February 14, 2024 at 5:55 PM
Updated March 13, 2024 at 3:04 PM
Resolved February 14, 2024 at 6:20 PM