Login & Registration - Single SignOff Feature to Fix Unexpected Behavior


Foxtrek_64

Hello,

I wanted to suggest this so it's officially on your radar. Currently, we support Single SignOn by allowing for alternative (and perhaps multiple) logon providers to be specified. This allows us to log in via a Microsoft or other account. However, Single SignOff is not supported at this time. This leads to unexpected behavior where a user will attempt to sign off, perhaps to sign on to an alt (a common step for my staff who have separate, elevated admin accounts). Clicking the sign off button initiates a logout from the forum account, but when the site reloads it will automatically sign the user back in.

As a temporary work-around, I have suggested my administrators use Private/Incognito mode in their browser when logging in with their elevated account, as closing the browser forces sign out by deleting login cookies. That said, my users and I would expect that the logoff button actually signs them out and leaves them signed out.

Most OAuth providers have a sign off link that will sign the user out and redirect them to a configured site after signing out. For example, this link could look like `https://auth.example.com/signout?redirect=https://forum.example.com`. Others have this redirect link configured on their end. To cover most OAuth providers, a field should be provided that accepts a logout redirect, possibly with a replacement available for the canonical homepage of the forum. The log off button on the forum would then simply perform all of its normal checks, then instead of redirecting to the homepage of the forum it would redirect to the provided URL. This will not cover all cases, but I imagine it would be a simple enough addition to cover situations where the OAuth provider offers the feature. If desired, a disclaimer could be placed on the field describing situations where the feature will and will not work.

Later implementations may see other scenarios, such as making a POST request to a sign off endpoint but without actually redirecting the user to that page, but I would consider this to be outside of the scope of this suggestion.

As an unintended but possibly useful side effect of this feature change, it would be possible to specify any link after sign out. This could be used for redirecting users to a particular forum thread or even a different website (e.g., when users sign out of forum.example.com they are redirected to www.example.com). While there is somewhat of a concern of this being used to redirect users to a malicious site, this would require a compromised administrator or administrator account, which would fall under Microsoft's ten laws of security.
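As an added example (not code from the original post or from the forum software it discusses), the sketch below shows what the suggested log-off flow from the first post looks like when written out: clear the forum's own session first, then send the browser to the provider's sign-off endpoint with the configured post-logout URL in its redirect parameter, or straight to that URL when the provider has no such endpoint. It also addresses the open-redirect concern raised in the second post by only honouring configured targets whose host is on an administrator allowlist. All hostnames, the `redirect` parameter name and the configuration keys are assumptions for illustration, not settings of any real forum or identity provider.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed configuration for the example; not taken from any real deployment.
FORUM_HOME = "https://forum.example.com/"
ALLOWED_REDIRECT_HOSTS = {"forum.example.com", "www.example.com"}


def is_allowed_redirect(url: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Accept only absolute https URLs whose host is on the administrator's allowlist.

    Relative and scheme-relative URLs are rejected, as are URLs carrying userinfo or a
    backslash in the authority part (e.g. https://forum.example.com@evil.example),
    since those are the classic ways an open redirect slips past a host check.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc or "\\" in url:
        return False
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


def build_sign_off_url(provider_signout_url, post_logout_target=FORUM_HOME,
                       redirect_param="redirect") -> str:
    """Return the URL the browser is sent to once the forum has cleared its own session.

    provider_signout_url: the identity provider's sign-off endpoint (assumed shape, e.g.
        https://auth.example.com/signout), or None/"" when the provider offers none.
    post_logout_target: the administrator-configured post-logout URL. If it fails the
        allowlist check we fall back to FORUM_HOME instead of redirecting to it.
    redirect_param: the query parameter the provider reads the return URL from (assumed).
    """
    if not is_allowed_redirect(post_logout_target):
        post_logout_target = FORUM_HOME
    if not provider_signout_url:
        return post_logout_target
    parts = urlsplit(provider_signout_url)
    # Keep any query parameters the endpoint already carries (e.g. a client id).
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[redirect_param] = post_logout_target
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def handle_sign_off(session: dict, config: dict) -> str:
    """Hypothetical log-off handler: local logout first, then the redirect.

    Clearing the local session before redirecting matters: if the provider's sign-off
    endpoint is unreachable, the user is still logged out of the forum itself.
    Returns the redirect URL the HTTP layer would put in the Location header.
    """
    session.clear()
    return build_sign_off_url(
        config.get("provider_signout_url"),
        config.get("post_logout_target", FORUM_HOME),
        config.get("redirect_param", "redirect"),
    )


if __name__ == "__main__":
    demo_session = {"user_id": 42}
    demo_config = {"provider_signout_url": "https://auth.example.com/signout"}
    print(handle_sign_off(demo_session, demo_config))
    print(demo_session)  # {} once the local session has been cleared
```

The allowlist is deliberately a set of exact hostnames rather than a suffix match, so a configured target of `https://www.example.com.attacker.example/` is rejected; a suffix match would be the usual way such a check is bypassed.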
