On OIDC logout Vikunja redirected to the configured `logouturl` with no query parameters, so it never sent `id_token_hint` or `post_logout_redirect_uri`. RP-Initiated-Logout-compliant providers (e.g. PocketID) then ignored the post-logout redirect and left the user on the IdP's own login page.

This builds the end-session URL server-side from the OpenID Connect RP-Initiated Logout 1.0 spec:

- id_token_hint (§2, RECOMMENDED): the ID token previously issued to the session. It lets the OP skip the logout-confirmation prompt and is what makes the OP honor post_logout_redirect_uri (the OP MAY require it, §3).
- post_logout_redirect_uri (§2, OPTIONAL): where the OP redirects after logout. MUST be pre-registered with the OP. Defaults to service.publicurl so the user lands back on Vikunja.
- client_id (§2, OPTIONAL): the RP client id; the OP verifies it matches the id_token_hint.

The end_session_endpoint is discovered from the provider's discovery document (§2.1, REQUIRED metadata) and falls back to the static `logouturl` config when the provider does not publish one.

To replay id_token_hint, the raw ID token (and the provider key) are persisted on the session at the OIDC callback (new migration adds oidc_id_token / oidc_provider_key columns to the sessions table). At logout the server reads them, builds the URL, deletes the session, and returns the URL in the logout response so the frontend redirects to it.

Security note: the raw ID token is stored at rest in the sessions table (json:"-", never exposed over the API) and removed when the session is deleted on logout.

Spec: OpenID Connect RP-Initiated Logout 1.0
https://openid.net/specs/openid-connect-rpinitiated-1_0.html

Fixes #2820
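
The URL construction the commit message describes, as an added example that is not Vikunja's own code: it prefers the discovered end_session_endpoint, falls back to the static `logouturl`, and appends the three RP-Initiated Logout parameters. The `logoutParams` type, the `buildEndSessionURL` function, the http(s) check and all sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// logoutParams uses hypothetical names; it is not Vikunja's own type.
type logoutParams struct {
	EndSessionEndpoint string // from the discovery document, "" if not published
	StaticLogoutURL    string // fallback: the static `logouturl` config value
	IDToken            string // raw ID token persisted on the session
	ClientID           string
	PostLogoutRedirect string // must be pre-registered with the OP
}

// buildEndSessionURL returns the logout redirect URL, or "" if no endpoint is known.
func buildEndSessionURL(p logoutParams) (string, error) {
	base := p.EndSessionEndpoint
	if base == "" {
		base = p.StaticLogoutURL
	}
	if base == "" {
		return "", nil
	}
	u, err := url.Parse(base)
	if err != nil {
		return "", fmt.Errorf("parse end-session endpoint: %w", err)
	}
	// Example choice: refuse anything that is not an absolute http(s) URL.
	if (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" {
		return "", fmt.Errorf("end-session endpoint %q is not an absolute http(s) URL", base)
	}
	q := u.Query() // keep query parameters already present on the endpoint
	for k, v := range map[string]string{
		"id_token_hint": p.IDToken, "client_id": p.ClientID,
		"post_logout_redirect_uri": p.PostLogoutRedirect,
	} {
		if v != "" {
			q.Set(k, v) // omit parameters the session has no value for
		}
	}
	u.RawQuery = q.Encode() // percent-encodes values and sorts keys
	return u.String(), nil
}

func main() {
	p := logoutParams{StaticLogoutURL: "https://idp.example/logout", ClientID: "vikunja"} // constructed
	fmt.Println(buildEndSessionURL(p))
}
```

Because `id_token_hint` travels in the query string, the ID token is recorded in browser history and in access logs along the way.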
README.md
Web frontend for Vikunja
The todo app to organize your life.
This is the web frontend for Vikunja, written in Vue.js.
Take a look at our roadmap (hosted on Vikunja!) for a list of things we're currently working on!
For general information about the project, refer to the top-level readme of this repo.
Project setup
pnpm install
Development
Define backend server
You can develop the web front end against any accessible backend, including the demo at https://try.vikunja.io
In order to do so, you need to set the DEV_PROXY env variable. The recommended way to do so is to:
- Copy .env.local.example as .env.local
- Uncomment the DEV_PROXY line
- Set the backend url you want to use
In the end, it should look like DEV_PROXY=https://try.vikunja.io if you work against the online demo backend.
Start dev server (compiles and hot-reloads)
pnpm run dev
Compiles and minifies for production
pnpm run build
Lints and fixes files
pnpm run lint
License
This project is licensed under the AGPL-3.0-or-later license. See the LICENSE file for details.