back-channel logout - SID handling

[asdflkampiueowrsdhjfk]

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

---

I upgraded authentik to 2025.8.0 and wanted to use back-channel logout with user_oidc.

According to docs I set Back-channel Logout URI in authentik to https://[censored].de/apps/user_oidc/backchannel-logout/[censored] .

However, this setup did not seem to work as expected and errored out.

[index] Error: OCA\UserOIDC\Db\SessionMapper::findSessionBySid(): Argument #1 ($sid) must be of type string, null given, called in /var/www/html/custom_apps/user_oidc/lib/Controller/LoginController.php on line 784 in file '/var/www/html/custom_apps/user_oidc/lib/Db/SessionMapper.php' line 53
	POST /apps/user_oidc/backchannel-logout/[censored]
	from 10.5.0.1 by -- at 20.08.2025, 21:40:19

To reproduce: Configure authentik with user_oidc, enable back-channel logout, trigger logout from provider → see error

After having a look at the pull request for back-channel logout, I noticed in authentik/providers/oauth2/tasks.py that the jwt for the logout token does not seem to contain a session id.

According to specification the SID parameter is optional.

However, user_oicd seems to require it and throws an exception if it does not receive it. method

If I understand the spec correctly, the expected behavior for user_oicd would be to end all sessions for that sub, which would not be expected behavior from user perspective. Please correct me, if I am wrong.

Expected: user_oicd should end all sessions for a sub, if no sid is found and maybe log a warning.
Actual: if the logout token does not contain an sid, user_oidc throws and no sessions are terminated.

Relevant info

authentik 2025.8.0 via docker compose behind traefik.
nextcloud 31.0.8
user_oicd 7.3.1

Additional context

I also created an issue at authentik

Server configuration

Web server: Apache

Database: mysql

PHP version: 8.3.24

Nextcloud version: 31.0.8

List of activated apps

Enabled:
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - calendar: 5.3.9
  - calendar_resource_management: 0.9.0
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - collectives: 3.1.1
  - comments: 1.21.0
  - contacts: 7.2.5
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - deck: 1.15.2
  - external: 6.0.2
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_antivirus: 6.0.3
  - files_downloadlimit: 4.0.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - forms: 5.1.2
  - groupfolders: 19.1.3
  - impersonate: 2.0.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - mail: 5.3.1
  - nextcloud_announcements: 3.0.0
  - notes: 4.12.3
  - notifications: 4.0.0
  - notify_push: 1.2.0
  - oauth2: 1.19.1
  - ocs_api_viewer: 1.0.10
  - password_policy: 3.0.0
  - photos: 4.0.0
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - richdocuments: 8.7.3
  - secrets: 2.1.2
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - socialsharing_email: 3.3.0
  - spreed: 21.1.3
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - tasks: 0.16.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - updatenotification: 1.21.0
  - user_oidc: 7.3.1
  - user_retention: 1.14.1
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0

Nextcloud configuration

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***",
            "localhost"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.8.1",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "loglevel": 2,
        "app_install_overwrite": [],
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": true,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "maintenance": false,
        "upgrade.disable-web": true,
        "config_is_read_only": false,
        "maintenance_window_start": 2,
        "has_internet_connection": true,
        "sharing.force_share_accept": false,
        "sharing.enable_share_mail": true,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "default_language": "de",
        "default_locale": "de_DE",
        "reduce_to_languages": [
            "de",
            "de_DE",
            "fr",
            "en"
        ],
        "default_phone_region": "DE",
        "default_timezone": "Europe\/Berlin",
        "hide_login_form": true,
        "allow_user_to_change_display_name": false,
        "auth.webauthn.enabled": false,
        "enrich_login_id_token_with_userinfo": true,
        "session_lifetime": 28800,
        "auto_logout": true,
        "session_relaxed_expiry": true,
        "session_keepalive": true,
        "skeletondirectory": "\/skeleton",
        "templatedirectory": "\/templates",
        "simpleSignUpLink.shown": false,
        "logo_url": "***REMOVED SENSITIVE VALUE***",
        "files.trash.delete": false,
        "trashbin_retention_obligation": "5, auto",
        "versions_retention_obligation": "auto",
        "knowledgebaseenabled": true,
        "knowledgebase.embedded": true,
        "enable_previews": true,
        "preview_concurrency_new": 4,
        "enabledPreviewProviders": [
            "OC\\Preview\\BMP",
            "OC\\Preview\\GIF",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\Krita",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\MP3",
            "OC\\Preview\\OpenDocument",
            "OC\\Preview\\PNG",
            "OC\\Preview\\TXT",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\PDF",
            "OC\\Preview\\SVG"
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "filelocking.ttl": 3600,
        "activity_expire_days": 180,
        "forbidden_filename_basenames": [
            "con",
            "prn",
            "aux",
            "nul",
            "com0",
            "com1",
            "com2",
            "com3",
            "com4",
            "com5",
            "com6",
            "com7",
            "com8",
            "com9",
            "com\u00b9",
            "com\u00b2",
            "com\u00b3",
            "lpt0",
            "lpt1",
            "lpt2",
            "lpt3",
            "lpt4",
            "lpt5",
            "lpt6",
            "lpt7",
            "lpt8",
            "lpt9",
            "lpt\u00b9",
            "lpt\u00b2",
            "lpt\u00b3"
        ],
        "forbidden_filename_characters": [
            "<",
            ">",
            ":",
            "\"",
            "|",
            "?",
            "*",
            "\\",
            "\/"
        ],
        "forbidden_filename_extensions": [
            " ",
            ".",
            ".filepart",
            ".part"
        ],
        "data-fingerprint": "***REMOVED SENSITIVE VALUE***",
        "remember_login_cookie_lifetime": "0",
        "htaccess.IgnoreFrontController": true
    }
}

Browser

Browser name: Firefox

Browser version: 141.0.3

Operating system: Arch Linux

[julien-nc]

Thanks for reporting this and giving so many details.
This is fixed in #1184. It would be awesome if you could give it a try. I think you can patch user_oidc v7.3.1 with https://patch-diff.githubusercontent.com/raw/nextcloud/user_oidc/pull/1184.patch .

I tested with Keycloak:

• "logout" a single session in Keycloak -> it sends the SID and the SUB in the logout token. All good, the session is killed in Nextcloud
• "logout all sessions" in Keycloak -> it sends the SUB in the logout token. All the Nextcloud session created by user_oidc and related with this sub are killed.

[asdflkampiueowrsdhjfk]

Applied your patch and tested.
"reqId": "[censored]", "level": 0, "time": "2025-08-22T12:33:27+00:00", "remoteAddr": "10.5.0.1", "user": "--", "app": "user_oidc", "method": "POST", "url": "/apps/user_oidc/backchannel-logout/[censored]", "message": "Backchannel logout error. nothing found with sub+iss ; No session found with sub+iss", "userAgent": "authentik@2025.8.0", "version": "31.0.8.1", "data": { "app": "user_oidc" }, "id": "[censored]" }

No session seem to be invalidated. Authentik did only send a SUB

[julien-nc]

Could you run these SQL queries?

SELECT * FROM oc_user_oidc_sessions WHERE sub="LOGOUT_TOKEN_SUB" AND iss="LOGOUT_TOKEN_ISS";
SELECT * FROM oc_user_oidc_sessions WHERE sub="LOGOUT_TOKEN_SUB";

Replace LOGOUT_TOKEN_SUB and LOGOUT_TOKEN_ISS by the values of the last logout token that was printed in the logs (Parsed the logout JWT payload:...). You need a loglevel of 0 in config.php for this log to appear.

I suspect that the ISS in the logout token is different than the one we stored (the one from the login token). Let's check that.

[asdflkampiueowrsdhjfk]

the ISS does match, except being escaped.
However, the issue seems to be in the SUB.
I configured authentik to send a sub based on the username. This is also correctly reflected in oc_user_oidc_sessions
However, the logout jwt seems to contain a different sub. As it seems, there is a bug on authentiks side, which sends a hashed sub for logout and thus ignoring the set preference.

This seems to be fixed with goauthentik/authentik#16295 but I did not test that.

[julien-nc]

Thanks for the feedback. I'm pretty confident with my PR. I'll wait for a review and merge soon-ish.

[asdflkampiueowrsdhjfk]

did just test, it works with authentiks patch as expected.

Thank you <3

[julien-nc]

Thank you for the feedback. PR is merged and will be included in the next release.