kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-10-20 13:05:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
06e4323faa846f2c10058e37ed9cc25955041f51
computer-playbook/roles/web-svc-logout
History
Kevin Veen-Birkenbach a996e2190f feat(logout): wire injector to web-svc-logout and add robust CORS/CSP for /logout 
- sys-front-inj-logout: depend on web-svc-logout (run-once guarded) and simplify task flow.
- web-svc-logout: align feature flags/formatting and extend CSP:
  - add cdn.jsdelivr.net to connect/script/style and quote values.
- Nginx: move CORS config into logout-proxy.conf.j2 with dynamic vars:
  - Access-Control-Allow-Origin set to canonical logout origin,
  - Allow-Credentials=true,
  - Allow-Methods=GET, OPTIONS,
  - basic headers list (Accept, Authorization),
  - cache disabled for /logout responses.
- Drop obsolete CORS var passing from 01_core.yml; headers now templated at proxy layer.

Prepares clean cross-origin logout orchestration from https://logout.veen.world.

Refs: ChatGPT discussion – https://chatgpt.com/share/68ebb75f-0170-800f-93c5-e5cb438b8ed4
2025-10-12 16:16:47 +02:00
..
config
filter_plugins
meta
tasks
templates
vars
__init__.py
README.md
TODO.md

README.md

web-svc-logout

This folder contains an Ansible role to deploy and configure the Universal Logout Service.

Description

This role sets up the universal logout proxy service, a Dockerized Python Flask container that coordinates logout requests across multiple OIDC-integrated applications. It also configures the necessary Nginx proxy snippets and environment variables to enable unified logout flows.

It solves the common challenge of logging a user out from all connected apps with a single action, especially in environments where apps live on multiple subdomains and use OIDC authentication.

Overview

  • Deploys the universal logout service container based on the official universal-logout GitHub repository.
  • Configures the logout domains dynamically based on application inventory and features using custom Ansible filters.
  • Provides an Nginx /logout proxy configuration snippet that handles CORS and forwards logout requests to the logout service.
  • Supplies a user-friendly logout conductor UI that requests logout on all configured domains and shows live status.
  • Designed to be used as the Front Channel Logout URL for Keycloak or other OpenID Connect providers, enabling a seamless, service-spanning logout experience.

Features

  • Automatic discovery of logout domains from applications with the features.logout flag enabled.
  • Centralized logout proxy that clears cookies and sessions across all configured subdomains.
  • Status page with live feedback on logout progress for each domain.
  • Built-in support for Docker Compose deployment and integration with the Infinito.Nexus ecosystem.
  • Includes security-conscious headers (CORS, CSP) for smooth cross-domain logout operations.

Further Resources

This role is licensed under the Infinito.Nexus NonCommercial License.