Sys-front-inj-logout Role

Description: No description available

Variables

• author: Kevin Veen‑Birkenbach

• role_name: sys-front-inj-logout

• description: Injects a JavaScript snippet via Nginx sub_filter that intercepts all logout actions (links, buttons, forms) and redirects users to a centralized OIDC logout endpoint.

• license: Infinito.Nexus NonCommercial License

• license_url: https://s.infinito.nexus/license

• min_ansible_version: 2.9

• platforms: [{‘name’: ‘Any’, ‘versions’: [‘all’]}]

• galaxy_tags: [‘nginx’, ‘logout’, ‘oidc’, ‘javascript’, ‘csp’, ‘sub_filter’]

• company: Kevin Veen‑Birkenbach Consulting & Coaching Solutions https://www.veen.world

• repository: https://s.infinito.nexus/code

• issue_tracker_url: https://s.infinito.nexus/issues

• documentation: https://s.infinito.nexus/code/tree/main/roles/sys-front-inj-logout

README

sys-front-inj-logout

This role injects a catcher that intercepts all logout elements in HTML pages served by Nginx and redirects them to a centralized logout endpoint via JavaScript.

Description

The sys-front-inj-logout Ansible role automatically embeds a lightweight JavaScript snippet into your web application’s HTML responses. This script identifies logout links, buttons, forms, and other elements, overrides their target URLs, and ensures users are redirected to a central OIDC logout endpoint, providing a consistent single sign‑out experience.

Overview

• Detection: Scans the DOM for anchors (<a>), buttons, inputs, forms, use elements and any attributes indicating logout functionality.

• Override: Rewrites logout URLs to point at your OIDC provider’s logout endpoint, including a redirect back to the application.

• Dynamic content support: Uses a MutationObserver to handle AJAX‑loaded or dynamically injected logout elements.

• CSP integration: Automatically appends the required script hash into your CSP policy via the role’s CSP helper.

Features

• Seamless injection via Nginx sub_filter on </head>.

• Automatic detection of various logout mechanisms (links, buttons, forms).

• Centralized logout redirection for a unified user experience.

• No changes required in application code.

• Compatible with SPAs and dynamically generated content.

• CSP‑friendly: manages script hash for you.

Further Resources

• OpenID Connect RP-Initiated Logout

• Nginx ``sub_filter` Module <http://nginx.org/en/docs/http/ngx_http_sub_module.html>`__

• Ansible Role Directory Structure