The /frontchannel-logout URL does not have proper iframe headers. This is an issue if the OP is not at the same URL as the Portal, e.g. portal at backup.ucs.test, OP at auth.extern.test. During a frontchannel logout auth.extern.test renders an invisible iframe with backup.ucs.test/univention/oidc/frontchannel-logout. However, during this request no UMC session ID cookie is sent to backup.ucs.test due to the "Content-Security-Policy: frame-ancestors 'none';" header being present. This will lead to the session not being ended in the UMC.
*** Bug 57466 has been marked as a duplicate of this bug. ***
Successful build
Package: univention-management-console
Version: 12.0.35-5
Branch: 5.0-0
Scope: errata5.0-9

univention-management-console.yaml
34285904d626 | fix (umc, Bug #57516): make OIDC front-channel logout work
univention-management-console (12.0.35-5)
34285904d626 | fix (umc, Bug #57516): make OIDC front-channel logout work
ucs-test (10.0.23-15)
34285904d626 | fix (umc, Bug #57516): make OIDC front-channel logout work

The HTTP Content-Security-Policy frame-ancestors directive was added for the UMC's oidc/frontchannel-logout endpoint to allow the OpenID Provider to embed it in the hidden iframe which is used during front-channel logout to navigate back to the RP. The changes to oidc.py are made because there was a flaw in the implementation of the front-channel logout flow. Previously the UMC's oidc/frontchannel-logout endpoint made an unnecessary redirect that is now removed. See Bug #57466 for more information.
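The header change described in the two comments above, worked through as an added example: the RP's front-channel logout page must be frameable by the OP's origin (here auth.extern.test, from the bug report) and by nobody else, and `frame-ancestors 'none'` blocks exactly the iframe the OP needs. This is example code written for this page, not Univention's oidc.py; the function names, the header-building helper and the third-party origin `https://other.example` are constructed for the illustration.

```python
"""Added example: CSP frame-ancestors handling for an OIDC front-channel
logout endpoint.  Hostnames are taken from the bug report; the helper
names and logic are this example's own, not UMC code."""
from typing import List, Optional
from urllib.parse import urlsplit

PORTAL_ORIGIN = "https://backup.ucs.test"   # the RP (UMC / Portal)
OP_ORIGIN = "https://auth.extern.test"      # the OpenID Provider, different site


def _origin(url: str) -> str:
    """Reduce a URL to its lower-cased scheme://host[:port] origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if
    the policy has no such directive."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _source_matches(src: str, embedder_origin: str) -> bool:
    """Match one explicit source expression against an origin.  A source
    with a scheme must match scheme and host; a bare host matches host only."""
    src = src.lower()
    if "://" in src:
        return _origin(src) == embedder_origin
    return src == urlsplit(embedder_origin).netloc


def frame_ancestors_allows(csp: str, embedder_origin: str, self_origin: str) -> bool:
    """Decide whether a document served with this CSP may be framed by a page
    from embedder_origin.  No directive -> unrestricted (as far as CSP goes);
    a lone 'none' -> never; '*' -> always; 'self' -> same origin only;
    anything else is an explicit source expression."""
    sources = parse_frame_ancestors(csp)
    if sources is None:
        return True
    embedder = _origin(embedder_origin)
    lowered = [s.lower() for s in sources]
    if lowered == ["'none'"]:
        return False
    for src in lowered:
        if src == "*":
            return True
        if src == "'self'" and embedder == _origin(self_origin):
            return True
        if not src.startswith("'") and _source_matches(src, embedder):
            return True
    return False


def frontchannel_logout_headers(op_origin: str) -> dict:
    """Response headers for the RP's front-channel logout endpoint
    (constructed example).  The OP loads this URL in a hidden iframe, so the
    policy names the OP's origin explicitly.  If OP and RP share an origin,
    frame-ancestors 'self' would be enough."""
    return {
        "Content-Security-Policy": f"frame-ancestors {_origin(op_origin)}",
        "Cache-Control": "no-store",
    }


# What the bug report observed, beside the corrected policy.
BROKEN_CSP = "frame-ancestors 'none'"
FIXED_CSP = frontchannel_logout_headers(OP_ORIGIN)["Content-Security-Policy"]


def demo() -> dict:
    """Evaluate both policies against the OP's origin and an unrelated one."""
    return {
        "broken_op": frame_ancestors_allows(BROKEN_CSP, OP_ORIGIN, PORTAL_ORIGIN),
        "fixed_op": frame_ancestors_allows(FIXED_CSP, OP_ORIGIN, PORTAL_ORIGIN),
        "fixed_other": frame_ancestors_allows(FIXED_CSP, "https://other.example", PORTAL_ORIGIN),
    }


if __name__ == "__main__":
    print(FIXED_CSP)
    print(demo())
```

The check only covers what CSP decides; whether the browser attaches the UMC session cookie to a cross-site iframe request is a separate matter governed by the cookie's SameSite attribute, so a working front-channel logout needs both the framing policy and a cookie the browser will send in that context.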
Verified:
* Code review: Ok
* Change for Bug #57466 is included
* Automatic ucs-test keycloak 13_logout.py check now also successfully checks frontend logout
* Manual test of Debian packages on test env with external-fqdn was ok
* Advisory: Ok
* Cherry-picked and built in UCS 5.2: Ok
  Package: univention-management-console
  Version: 14.0.35
  Branch: 5.2-0
<https://errata.software-univention.de/#/?erratum=5.0x1144>