vikunja/frontend
kolaente 970f3c3733 fix(auth): build OIDC end-session URL with id_token_hint and post_logout_redirect_uri
On OIDC logout Vikunja redirected to the configured `logouturl` with no query
parameters, so it never sent `id_token_hint` or `post_logout_redirect_uri`.
RP-Initiated-Logout-compliant providers (e.g. PocketID) then ignored the
post-logout redirect and left the user on the IdP's own login page.

This builds the end-session URL server-side from the OpenID Connect
RP-Initiated Logout 1.0 spec:

- id_token_hint (§2, RECOMMENDED): the ID token previously issued to the
  session. It lets the OP skip the logout-confirmation prompt and is what makes
  the OP honor post_logout_redirect_uri (the OP MAY require it, §3).
- post_logout_redirect_uri (§2, OPTIONAL): where the OP redirects after logout.
  MUST be pre-registered with the OP. Defaults to service.publicurl so the user
  lands back on Vikunja.
- client_id (§2, OPTIONAL): the RP client id; the OP verifies it matches the
  id_token_hint.

The end_session_endpoint is discovered from the provider's discovery document
(§2.1, REQUIRED metadata) and falls back to the static `logouturl` config when
the provider does not publish one.

To replay id_token_hint, the raw ID token (and the provider key) are persisted
on the session at the OIDC callback (new migration adds oidc_id_token /
oidc_provider_key columns to the sessions table). At logout the server reads
them, builds the URL, deletes the session, and returns the URL in the logout
response so the frontend redirects to it.

Security note: the raw ID token is stored at rest in the sessions table
(json:"-", never exposed over the API) and removed when the session is deleted
on logout.

Spec: OpenID Connect RP-Initiated Logout 1.0
https://openid.net/specs/openid-connect-rpinitiated-1_0.html

Fixes #2820
2026-06-19 16:06:26 +02:00
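
An added example, not Vikunja's own code, of the end-session URL construction the commit message above describes: the discovered `end_session_endpoint` with fallback to the static `logouturl`, then the three RP-Initiated Logout parameters. The `LogoutParams` type, `BuildEndSessionURL`, the https check, the rule for omitting `post_logout_redirect_uri`, and the example hosts are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// LogoutParams is a hypothetical struct (not Vikunja's) for the inputs the commit message names.
type LogoutParams struct {
	DiscoveredEndpoint string // end_session_endpoint from discovery, "" if not published
	StaticLogoutURL    string // fallback: the static logouturl config value
	IDToken            string // raw ID token persisted on the session at the callback
	ClientID           string // RP client id
	PostLogoutRedirect string // must be pre-registered with the OP
}

// BuildEndSessionURL returns the logout URL, keeping query parameters already on the endpoint.
func BuildEndSessionURL(p LogoutParams) (string, error) {
	endpoint := p.DiscoveredEndpoint
	if endpoint == "" {
		endpoint = p.StaticLogoutURL
	}
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", fmt.Errorf("invalid end-session endpoint: %w", err)
	}
	// Assumption of this example: only absolute https endpoints are accepted.
	if u.Scheme != "https" || u.Host == "" {
		return "", errors.New("end-session endpoint must be an absolute https URL")
	}
	q := u.Query()
	if p.IDToken != "" {
		q.Set("id_token_hint", p.IDToken)
	}
	if p.ClientID != "" {
		q.Set("client_id", p.ClientID)
	}
	// Example's choice: with no hint or client id the OP cannot match the redirect to a client.
	if p.PostLogoutRedirect != "" && (p.IDToken != "" || p.ClientID != "") {
		q.Set("post_logout_redirect_uri", p.PostLogoutRedirect)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	fmt.Println(BuildEndSessionURL(LogoutParams{StaticLogoutURL: "https://idp.example/logout", ClientID: "vikunja", PostLogoutRedirect: "https://vikunja.example/"}))
}
```
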
docs fix: markdown spelling 2025-06-10 12:10:42 +02:00
originalMedia chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
public feat(time-tracking): add favicon indicator for active time tracking sessions (#2937) 2026-06-18 23:52:52 +02:00
scripts feat: add subsets for all supported languages 2025-08-17 23:11:30 +02:00
src fix(auth): build OIDC end-session URL with id_token_hint and post_logout_redirect_uri 2026-06-19 16:06:26 +02:00
tests test(time-tracking): add end-to-end coverage 2026-06-08 13:54:09 +00:00
.editorconfig chore(dev): insert final newline 2025-05-23 11:56:50 +02:00
.env.local.example chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
.gitignore feat: use official vite plugin for sentry (#873) 2026-03-03 12:30:49 +01:00
.npmrc chore(tests): remove Cypress, use Playwright exclusively (#1976) 2025-12-12 20:07:18 +00:00
.nvmrc chore(deps): update node.js to v24.13.0 2026-01-15 09:43:02 +01:00
.stylelintrc.json feat(frontend): upgrade Tailwind CSS from v3 to v4 2026-03-03 11:46:18 +01:00
CHANGELOG.md chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
LICENSE fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
README.md docs(frontend): fix env file example name 2025-06-10 12:10:42 +02:00
cliff.toml chore: move frontend files 2024-02-07 14:56:56 +01:00
embed.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
env.config.d.ts feat(ts): improve module declarations (#957) 2025-06-16 22:32:40 +02:00
env.d.ts chore(tests): remove Cypress, use Playwright exclusively (#1976) 2025-12-12 20:07:18 +00:00
eslint.config.js refactor(frontend): replace for...in usages and forbid via lint rule 2026-04-15 11:44:47 +00:00
histoire.config.ts chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
index.html fix: respect allow_icon_changes config on web and desktop 2026-06-01 09:40:37 +00:00
netlify.toml feat(dev): use proxy server in dev mode (#3069) 2025-03-09 13:40:57 +00:00
package.json chore(deps): bump dompurify from 3.4.9 to 3.4.11 in /frontend 2026-06-18 21:25:47 +00:00
playwright.config.ts feat: make sidebar resizable (#1965) 2025-12-12 10:46:46 +00:00
pnpm-lock.yaml chore(deps): bump dompurify from 3.4.9 to 3.4.11 in /frontend 2026-06-18 21:25:47 +00:00
tsconfig.app.json feat: use official vite plugin for sentry (#873) 2026-03-03 12:30:49 +01:00
tsconfig.config.json chore(deps): replace dev-dependencies (#1990) 2025-12-16 08:51:06 +00:00
tsconfig.json fix(ts): align with create-vue setup 2024-06-19 14:05:41 +00:00
tsconfig.vitest.json chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
vite.config.ts fix(frontend/vite): Configure vite dev proxy to handle frontend path 2026-04-20 14:28:23 +00:00

README.md

Web frontend for Vikunja

The todo app to organize your life.

License: AGPL-3.0-or-later

This is the web frontend for Vikunja, written in Vue.js.

Take a look at our roadmap (hosted on Vikunja!) for a list of things we're currently working on!

For general information about the project, refer to the top-level readme of this repo.

Project setup

pnpm install

Development

Define backend server

You can develop the web frontend against any accessible backend, including the demo at https://try.vikunja.io.

In order to do so, you need to set the DEV_PROXY env variable. The recommended way to do so is to:

  • Copy .env.local.example as .env.local
  • Uncomment the DEV_PROXY line
  • Set the backend url you want to use

In the end, it should look like DEV_PROXY=https://try.vikunja.io if you work against the online demo backend.

Start dev server (compiles and hot-reloads)

pnpm run dev

Compiles and minifies for production

pnpm run build

Lints and fixes files

pnpm run lint

License

This project is licensed under the AGPL-3.0-or-later license. See the LICENSE file for details.