
oauth2-proxy has no backchannel logout endpoint, making SSO sign-out unreliable across browsers

oauth2-proxy implements only front-channel logout (redirect-based). Cross-browser restrictions in Safari and Firefox block cross-domain cookies, so a front-channel IdP logout redirect cannot clear oauth2-proxy sessions in those browsers. OIDC backchannel logout (RFC-based server-to-server POST) is the only reliable mechanism. The issue has been open since 2021. Wonderwall (27 stars) is a full K8s OIDC RP sidecar and a fundamentally different product; it does not function as a targeted backchannel logout receiver for an existing oauth2-proxy Redis session store.

Product Idea from this Signal

A companion service that adds OIDC backchannel logout handling in front of oauth2-proxy


oauth2-proxy has no OIDC backchannel logout endpoint. When an IdP (Keycloak, Authentik, Okta, Azure AD) triggers a global sign-out and POSTs a logout token to registered clients, oauth2-proxy has nowhere to receive it. Sessions in other browsers or tabs stay alive until they expire naturally, breaking the security guarantee that SSO sign-out provides. This companion service sits in front of oauth2-proxy, exposes the OIDC backchannel logout endpoint, validates incoming logout tokens (JWT, sub/sid claims, nonce-less, event claim), and evicts the matching session from the shared Redis session store that oauth2-proxy already uses. No changes to oauth2-proxy are required. It registers itself with the IdP as the backchannel logout URI, listens for POSTs, and purges the Redis key whose prefix and structure match oauth2-proxy's session key format. The result is cross-browser, cross-device, near-instant session invalidation on SSO sign-out, which is the behavior engineers expect but oauth2-proxy has not shipped in four-plus years of open issues.
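The token checks listed above, as an added Go example (not code from oauth2-proxy or from the companion service described here). It assumes the JWT signature has already been verified against the IdP's keys and the claims decoded with `encoding/json`; `ValidateLogoutClaims` and `audContains` are hypothetical names, and session eviction is left to the caller because the page does not give oauth2-proxy's Redis key format.

```go
package main

import "errors"
import "time"

// Member that the "events" claim must contain (OIDC Back-Channel Logout 1.0).
const logoutEvent = "http://schemas.openid.net/event/backchannel-logout"

// ValidateLogoutClaims checks claims from a logout token whose signature the
// caller has ALREADY verified (assumption). Returns sub/sid for session lookup.
func ValidateLogoutClaims(c map[string]any, issuer, clientID string, now time.Time) (sub, sid string, err error) {
	if iss, _ := c["iss"].(string); iss != issuer {
		return "", "", errors.New("iss mismatch")
	}
	if !audContains(c["aud"], clientID) {
		return "", "", errors.New("aud does not include this client")
	}
	if exp, ok := c["exp"].(float64); ok && now.Unix() >= int64(exp) {
		return "", "", errors.New("token expired")
	}
	if _, ok := c["nonce"]; ok { // a nonce marks an ID token, not a logout token
		return "", "", errors.New("nonce must not be present")
	}
	events, _ := c["events"].(map[string]any)
	if _, ok := events[logoutEvent].(map[string]any); !ok {
		return "", "", errors.New("backchannel-logout event missing")
	}
	sub, _ = c["sub"].(string)
	sid, _ = c["sid"].(string)
	if sub == "" && sid == "" {
		return "", "", errors.New("neither sub nor sid present")
	}
	return sub, sid, nil
}

// audContains accepts aud as a single string or as an array of strings.
func audContains(aud any, want string) bool {
	list, _ := aud.([]any)
	if s, ok := aud.(string); ok {
		list = []any{s}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

func main() {} // no-op entry point; call ValidateLogoutClaims from the logout handler
```

Rejecting a token that carries a `nonce` or lacks the logout event member keeps an ordinary ID token from being replayed at the logout endpoint to end someone's session.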

Tags: oidc, oauth2-proxy, sso, backchannel-logout, keycloak, authentik, redis, session-management, golang, self-hosted

Score Breakdown

GitHub
101

Gap Assessment

Wide Open: No dedicated solution exists

Open since 2021; labeled 'help wanted'; front-channel-only logout is broken on Safari/Firefox due to cookie restrictions; no standalone backchannel logout sidecar exists for oauth2-proxy Redis sessions