kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-11-06 13:17:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
feature/xwiki-auth-oidc
computer-playbook/roles/web-svc-logout
History
Kevin Veen-Birkenbach 57d5269b07 CSP (Safari-safe): merge -elem/-attr into base; respect explicit disables; no mirror-back; header only for documents/workers 
- Add CSP3 support for style/script: include -elem and -attr directives
- Base (style-src, script-src) now unions elem/attr (CSP2/Safari fallback)
- Respect explicit base disables (e.g. style-src.unsafe-inline: false)
- Hashes only when 'unsafe-inline' absent in the final base tokens
- Nginx: set CSP only for HTML/worker via header_filter_by_lua_block; drop for subresources
- Remove per-location header_filter; keep body_filter only
- Update app role flags to *-attr where appropriate; extend desktop CSS sources
- Add comprehensive unit tests for union/explicit-disable/no-mirror-back

Ref: https://chatgpt.com/share/68f87a0a-cebc-800f-bb3e-8c8ab4dee8ee
2025-10-22 13:53:06 +02:00
..
config
CSP (Safari-safe): merge -elem/-attr into base; respect explicit disables; no mirror-back; header only for documents/workers
2025-10-22 13:53:06 +02:00
filter_plugins
meta
tasks
feat(logout): wire injector to web-svc-logout and add robust CORS/CSP for /logout
2025-10-12 16:16:47 +02:00
templates
feat(logout): wire injector to web-svc-logout and add robust CORS/CSP for /logout
2025-10-12 16:16:47 +02:00
vars
__init__.py
README.md
TODO.md

README.md

web-svc-logout

This folder contains an Ansible role to deploy and configure the Universal Logout Service.

Description

This role sets up the universal logout proxy service, a Dockerized Python Flask container that coordinates logout requests across multiple OIDC-integrated applications. It also configures the necessary Nginx proxy snippets and environment variables to enable unified logout flows.

It solves the common challenge of logging a user out from all connected apps with a single action, especially in environments where apps live on multiple subdomains and use OIDC authentication.

Overview

  • Deploys the universal logout service container based on the official universal-logout GitHub repository.
  • Configures the logout domains dynamically based on application inventory and features using custom Ansible filters.
  • Provides an Nginx /logout proxy configuration snippet that handles CORS and forwards logout requests to the logout service.
  • Supplies a user-friendly logout conductor UI that requests logout on all configured domains and shows live status.
  • Designed to be used as the Front Channel Logout URL for Keycloak or other OpenID Connect providers, enabling a seamless, service-spanning logout experience.

Features

  • Automatic discovery of logout domains from applications with the features.logout flag enabled.
  • Centralized logout proxy that clears cookies and sessions across all configured subdomains.
  • Status page with live feedback on logout progress for each domain.
  • Built-in support for Docker Compose deployment and integration with the Infinito.Nexus ecosystem.
  • Includes security-conscious headers (CORS, CSP) for smooth cross-domain logout operations.

Further Resources

This role is licensed under the Infinito.Nexus NonCommercial License.