I'm running a forward auth setup with Traefik, using an embedded outpost and a single application proxy provider. Everything is working great, but I have a question about the best practice for handling logout.
My goal is to have the user click "Logout" in my backend application (running on app.domain.com) and be reliably signed out of their Authentik session (on auth.domain.com). The application provides a "Logout Redirect URL" setting for this purpose.
I've considered two approaches based on the documentation:
The /outpost.goauthentik.io/sign_out Endpoint:
The docs mention this endpoint. My core question is: How is this intended to be used in practice? My application itself cannot resolve this path directly. Do I need to create a rule in Traefik to proxy a path like app.domain.com/logout to this outpost endpoint? Is this the recommended, "clean" approach?
The Direct Invalidation Flow URL:
I also tried setting the app's logout redirect URL directly to my invalidation flow (https://auth.domain.com/flows/-/default/invalidation/). This successfully terminates the Authentik session.
However, for my specific application (a PWA), it leads to a poor user experience on the next launch, as detailed in this GitHub issue I created: open-webui/open-webui#21072
What is the recommended way to implement logout for an application protected by a forward auth proxy provider? I have an issue understanding this architecture 🙂
Thanks for any help you can provide