When the OIDC endSession endpoint is called, the user's AM session is terminated, but the onLogout method of any configured post authentication plugin (PAP) is not invoked.
1. Create a hosted SP and IdP on two OpenAM instances.
2. Create an authentication chain (testChain) using the SAML2 Authentication module, as explained in the following article: https://backstage.forgerock.com/knowledge/kb/article/a88521204
3. Create an OIDC Provider in the top level realm of the SP.
4. Create an OAuth2 agent/client with ID myClientID and password secret. Add the scopes profile and openid.
5. Install the OpenID sample application and configure common.js to set the server URL, the top level realm and the client details from step 4.
6. Navigate to the openid home page, then select Basic Flow.
7. Add the redirect URI shown on the openid page to the OAuth2 client.
8. At the SP, log in to the OpenAM chain as the demo user using a URL such as the following: http://host2.example.com:8080/openam/XUI/#login?service=testChain. Verify that the user is prompted to log in and, after doing so successfully, reaches the user profile page on the SP.
9. In the same browser window, use the Basic Flow of the openid application. Verify that the user is prompted for authorization and that the callback page is reached showing the id_token details.
10. In the same browser window, terminate the session using the following URL (or similar): http://host2.example.com:8080/openam/oauth2/connect/endSession?id_token_hint=<id_token>&post_logout_redirect_uri=https://www.google.com
11. Repeat step 8 (log in to the SP chain again).
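To make the missing onLogout call observable, a probe PAP that logs every callback it receives can be attached to the chain before running the steps above. The class below is an added example written for this page, not code from OpenAM or from the reporter; the package and class names are hypothetical. It implements the AMPostAuthProcessInterface that OpenAM calls for post authentication processing and writes at error level so the lines appear without enabling message-level debug.

```java
// Hypothetical package and class name; build against the OpenAM core jar.
package com.example.pap;

import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;
import com.sun.identity.shared.debug.Debug;

/**
 * Probe PAP: records which post authentication callbacks OpenAM invokes.
 * Attach it to testChain, then compare the debug output after logging out
 * through /oauth2/connect/endSession versus the AM logout endpoint.
 */
public class LogoutProbePAP implements AMPostAuthProcessInterface {

    // Debug instance name doubles as the debug file name under the AM debug directory.
    private static final Debug DEBUG = Debug.getInstance("LogoutProbePAP");

    @Override
    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response, SSOToken ssoToken)
            throws AuthenticationException {
        // Expected once per successful login through the chain (step 8).
        DEBUG.error("onLoginSuccess: principal=" + principalOf(ssoToken)
                + " uri=" + uriOf(request));
    }

    @Override
    public void onLoginFailure(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response) throws AuthenticationException {
        DEBUG.error("onLoginFailure: uri=" + uriOf(request));
    }

    @Override
    public void onLogout(HttpServletRequest request, HttpServletResponse response,
                         SSOToken ssoToken) throws AuthenticationException {
        // This is the line that should appear when the session is ended.
        // Logged at error level so it is visible without message-level debug.
        DEBUG.error("onLogout: principal=" + principalOf(ssoToken)
                + " uri=" + uriOf(request));
    }

    private static String principalOf(SSOToken token) {
        if (token == null) {
            return "<no token>";
        }
        try {
            return token.getPrincipal().getName();
        } catch (SSOException e) {
            return "<unreadable>";
        }
    }

    private static String uriOf(HttpServletRequest request) {
        // onLogout may be invoked without a request, so guard against null.
        return request == null ? "<no request>" : request.getRequestURI();
    }
}
```

Deploy the compiled class into the OpenAM web application, configure it as a post authentication processing class for testChain, and run through the steps. With the behaviour described on this page, the debug file named LogoutProbePAP contains an onLoginSuccess line after step 8 but no onLogout line after step 10, whereas logging out through the AM logout endpoint instead produces the onLogout line.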
Workaround: call the AM logout endpoint instead of endSession. If a goto parameter is required, this workaround will only work once OPENAM-12553 is resolved.