Logout not working with Authelia

[mtissington]

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

---

Expected behaviour

Logout from nextcloud should also logout of Authelia and then redirect to Authelia login page.
Logout from authelia should logout from all clients (nextcloud, etc)

Actual behaviour

Logout from NextCloud does not logout of Authelia and (seems to or possibly) logs straight back into nextcloud
If I am logged into Nextcloud and from a different browser tab go to https://auth.example.com/logout and then logout from nextcloud it works correctly and I am redirected to the authelia login page.

Server configuration

Web server: Nginx

Database: Maria

PHP version: 8.4

Nextcloud version: (see Nextcloud admin page) 32.0.5

List of activated apps

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder

Nextcloud configuration

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

Browser

Browser name: Firefox/Chrome/Safari/…

Browser version: 124/125/…

Operating system: Windows/Ubuntu/Mac/…

Browser log

Insert your browser log here, this could for example include:
a) The javascript console log
b) The network log
c) ...

nginx and authelia are both installed bare-metal (not docker)

nextcloud registered providers

Client ID
nextcloud
Discovery endpoint
https://auth.example.com/.well-known/openid-configuration
Backchannel Logout URL
https://cloud.example.com/apps/user_oidc/backchannel-logout/Authelia
Redirect URI (to be authorized in the provider client configuration)
https://cloud.example.com/apps/user_oidc/code

nextcloud config.php

  'user_oidc' => 
  array (
    'auto_provision' => true,
    'soft_auto_provision' => true,
    'disable_account_creation' => true, 
    'default_token_endpoint_auth_method' => 'client_secret_post',
    'single_logout' => true,
  ),

Authelia confiuration.yml

definitions:
  user_attributes:
    is_nextcloud_admin:
      ## Expression to evaluate admin privilege for Nextcloud.
      expression: '"nextcloud-admins" in groups'


server: 
  address: tcp://:9091
log:
  level: debug
  file_path: /var/log/authelia/authelia.log
identity_validation:
  reset_password:
    jwt_secret: 'secret'

identity_providers:
  oidc:
    enable_client_debug_messages: true
    hmac_secret: 'secret'
    jwks:
      - key_id: 'cloud'
        use: 'sig'
        algorithm: 'RS256'
        key: |
          -----BEGIN PRIVATE KEY-----

          -----END PRIVATE KEY-----

    claims_policies:
      nextcloud_userinfo:
        custom_claims:
          is_nextcloud_admin: {}

    scopes:
      nextcloud_userinfo:
        claims:
          - 'is_nextcloud_admin'

    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'nextcloud'
        client_name: 'nextcloud'
        client_secret: 'secret'
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://cloud.example.com/apps/user_oidc/code'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
        consent_mode: implicit

totp:
  issuer: example.com
  period: 30
  skew: 0
authentication_backend:
  file:
    path: /etc/authelia/users.yml
    password: 
      algorithm: argon2id
      iterations: 1
      key_length: 32
      salt_length: 16
      memory: 512
      parallelism: 2
access_control:
  default_policy: deny
  rules:
    - domain:
      - auth.example.com
      policy: bypass
    - domain:
      - cloud.example.com
      - photos.example.com
      policy: two_factor
session:
  secret: 'secret'
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://auth.example.com'
      default_redirection_url: 'https://cloud.example.com'
      name: 'authelia_session'
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m
storage:
  encryption_key: 'secret'
  local:
    path: /etc/authelia/db.sqlite3
notifier:
  smtp:

[julien-nc]

Could you access the discovery endpoint of authelia and check if it contains the end_session_endpoint key?

#1314 is most likely the same issue.

When logging out of the NC web UI, user_oidc tries to make a request to the end_session_endpoint. If this endpoint's URL is not found in the discovery payload from the provider, we do nothing and the session stays open on the provider side. This is most likely what's happening.

So IMO this is caused by authelia not providing the end_session_endpoint in the discovery payload.

[mtissington]

Hmm, yes, you are correct end_session_endpoint is missing from authelia.