Wordpress apps OIDC: logout/login security issue

imc67

Suddenly on one of my Cloudrons all Wordpress app got update with the OIDC login method (much sooner than expected!).

However in my opinion (mentioned before) there is still a security issue with your implementation of OIDC: you can log out of Wordpress (or espoCRM) but pressing "Login with Cloudron" right after (or after leaving your computer and someone else is using it) you are immediately logged in again.

For computers that are shared like in a non-profit organization with volunteers this is really an issue!

imc67

There must be a kind of functionality for this: in the Wordpress OpenID Connect Client plugin there is an option:

End Session Endpoint URL
Identify provider logout endpoint.
Example: https://example.com/oauth2/logout

But not filled in, so there must be a way to really logout?

girish

I can see the problem for shared PCs but the right approach for shared PCs is to enable some sort of kiosk mode. Or elaborate use of anonymous mode.

You can try this with wix.com for example:

• Make sure you are logged out of Google/Gmail
• Go to wix.com and sign in with google. You are asked to login with Google credentials in a popup.
• Signout of wix.com
• Click sign in, you are automatically signed in. You will see the Google popup appear and auto-close in this process of sign in.

imc67

This perhaps?
https://openid.net/specs/openid-connect-rpinitiated-1_0.html

humptydumpty

This post is deleted!