docs: add documentation about the logout endpoint (#2860)

fix #2859
This commit is contained in:
Clément Michaud 2022-02-09 23:10:35 +01:00 committed by GitHub
parent 5d4003c291
commit 100d598a0e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 57 additions and 0 deletions

51
docs/features/logout.md Normal file
View File

@ -0,0 +1,51 @@
---
layout: default
title: Logout
parent: Features
nav_order: 8
---
# Logout
Authelia is able to log out your users to ensure their account is not exposed anymore when they stop
surfing the web.
When user is logged out, the cookie attached to this user is reset on the backend side. Therefore, any
subsequent request using this old cookie is considered unauthenticated by Authelia. In this case the user
is simply redirected to the login page and has to authenticate again to generate a new session with a new cookie.
## Methods to log out
## Frontend
In most websites and applications, users can usually click on a logout button to be signed out and Authelia
offers the same feature.
Implementing logout is as easy as putting a link or button somewhere on your application or website with
the following href: `https://auth.example.com/logout` where `auth.example.com` is the domain serving Authelia.
By default, this would redirect the user to the login page of Authelia but one can force the redirection to any
domain protected by Authelia by appending the 'rd' query parameter which should be set to the target URL where
the user should be redirected. For instance, `https://auth.example.com/logout?rd=https://homepage.example.com`.
Please note that an attempt of redirection to a domain which is not a subdomain protected by Authelia will be
skipped for security reasons described later in this page.
## Backend
The backend API can also be called directly from your applications if needed. The endpoint is /api/logout which
is taking a POST request with a body like:
{
"targetURL": "https://homepage.example.com"
}
Please note that an attempt of redirection to a domain which is not a subdomain protected by Authelia will be
skipped for security reasons described later in this page.
## Why preventing redirection to some domains?
This is a security feature which is protecting your users against attacks called open redirect. This kind of attack
is described [here](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
by the [OWASP](https://en.wikipedia.org/wiki/OWASP#:~:text=The%20Open%20Web%20Application%20Security,field%20of%20web%20application%20security.&text=It%20is%20led%20by%20a%20non%2Dprofit%20called%20The%20OWASP%20Foundation.).
In a nutshell, hackers can send phishing emails to your users and trick them by making them click on a legit link
eventually redirecting to an infected website.

View File

@ -183,6 +183,12 @@ connection is over TLS. As SMTPS is deprecated, the only way to configure this i
to automatically consider it to be a SMTPS connection. As such your SMTP server, if not offering SMTPS, should not be
listening on port 465 which is bad practice anyway.
## Protection against open redirects
Authelia protects your users against open redirect attacks by always checking if redirection URLs are pointing
to a subdomain of the domain protected by Authelia. This prevents phishing campaigns tricking users into visiting
infected websites leveraging legit links.
## Additional security
### Reset Password