OIDC - support IdP logout (#670)

* OIDC - support IdP logout Signed-off-by: Michael Tupitsyn <michael.tupitsyn@gmail.com> * Add support of logout_idp_session parameter Signed-off-by: Michael Tupitsyn <michael.tupitsyn@gmail.com> * Fix merge conflict issue Signed-off-by: Michael Tupitsyn <michael.tupitsyn@gmail.com> * Restore original package-lock.json Signed-off-by: Michael Tupitsyn <michael.tupitsyn@gmail.com> * Cleanup --------- Signed-off-by: Michael Tupitsyn <michael.tupitsyn@gmail.com> Co-authored-by: Christoph Haas <christoph.h@sprinternet.at>
2026-04-16 20:46:27 +00:00 · 2026-04-12 04:18:04 -07:00
parent 9b437205b1
commit 71806455dd
10 changed files with 120 additions and 21 deletions
--- a/internal/app/auth/auth.go
+++ b/internal/app/auth/auth.go
@@ -68,6 +68,8 @@ type AuthenticatorOauth interface {
 	// GetAllowedUserGroups returns the list of whitelisted user groups.
 	// If non-empty, at least one user group must match.
 	GetAllowedUserGroups() []string
+	// GetLogoutUrl returns an IdP logout URL if supported by the provider.
+	GetLogoutUrl(idTokenHint, postLogoutRedirectUri string) (string, bool)
 }

 // AuthenticatorLdap is the interface for all LDAP authenticators.
@@ -529,33 +531,34 @@ func isAnyAllowedUserGroup(userGroups, allowedUserGroups []string) bool {

 // OauthLoginStep2 finishes the oauth authentication flow by exchanging the code for an access token and
 // fetching the user information.
-func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce, code string) (*domain.User, error) {
+func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce, code string) (*domain.User, string, error) {
 	oauthProvider, ok := a.oauthAuthenticators[providerId]
 	if !ok {
-		return nil, fmt.Errorf("missing oauth provider %s", providerId)
+		return nil, "", fmt.Errorf("missing oauth provider %s", providerId)
 	}

 	oauth2Token, err := oauthProvider.Exchange(ctx, code)
 	if err != nil {
-		return nil, fmt.Errorf("unable to exchange code: %w", err)
+		return nil, "", fmt.Errorf("unable to exchange code: %w", err)
 	}
+	idTokenHint, _ := oauth2Token.Extra("id_token").(string)

 	rawUserInfo, err := oauthProvider.GetUserInfo(ctx, oauth2Token, nonce)
 	if err != nil {
-		return nil, fmt.Errorf("unable to fetch user information: %w", err)
+		return nil, "", fmt.Errorf("unable to fetch user information: %w", err)
 	}

 	userInfo, err := oauthProvider.ParseUserInfo(rawUserInfo)
 	if err != nil {
-		return nil, fmt.Errorf("unable to parse user information: %w", err)
+		return nil, "", fmt.Errorf("unable to parse user information: %w", err)
 	}

 	if !isDomainAllowed(userInfo.Email, oauthProvider.GetAllowedDomains()) {
-		return nil, fmt.Errorf("user %s is not in allowed domains", userInfo.Email)
+		return nil, "", fmt.Errorf("user %s is not in allowed domains", userInfo.Email)
 	}

 	if !isAnyAllowedUserGroup(userInfo.UserGroups, oauthProvider.GetAllowedUserGroups()) {
-		return nil, fmt.Errorf("user %s is not in allowed user groups", userInfo.Identifier)
+		return nil, "", fmt.Errorf("user %s is not in allowed user groups", userInfo.Identifier)
 	}

 	ctx = domain.SetUserInfo(ctx,
@@ -571,7 +574,7 @@ func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce,
 				Error:    err.Error(),
 			},
 		})
-		return nil, fmt.Errorf("unable to process user information: %w", err)
+		return nil, "", fmt.Errorf("unable to process user information: %w", err)
 	}

 	if user.IsLocked() || user.IsDisabled() {
@@ -583,7 +586,7 @@ func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce,
 				Error:    "user is locked",
 			},
 		})
-		return nil, errors.New("user is locked")
+		return nil, "", errors.New("user is locked")
 	}

 	a.bus.Publish(app.TopicAuthLogin, user.Identifier)
@@ -595,7 +598,16 @@ func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce,
 		},
 	})

-	return user, nil
+	return user, idTokenHint, nil
+}
+
+func (a *Authenticator) OauthProviderLogoutUrl(providerId, idTokenHint, postLogoutRedirectUri string) (string, bool) {
+	oauthProvider, ok := a.oauthAuthenticators[providerId]
+	if !ok {
+		return "", false
+	}
+
+	return oauthProvider.GetLogoutUrl(idTokenHint, postLogoutRedirectUri)
 }

 func (a *Authenticator) processUserInfo(
--- a/internal/app/auth/auth_oauth.go
+++ b/internal/app/auth/auth_oauth.go
@@ -79,6 +79,10 @@ func (p PlainOauthAuthenticator) GetAllowedUserGroups() []string {
 	return p.allowedUserGroups
 }

+func (p PlainOauthAuthenticator) GetLogoutUrl(_, _ string) (string, bool) {
+	return "", false
+}
+
 // RegistrationEnabled returns whether registration is enabled for the OAuth authenticator.
 func (p PlainOauthAuthenticator) RegistrationEnabled() bool {
 	return p.registrationEnabled
--- a/internal/app/auth/auth_oidc.go
+++ b/internal/app/auth/auth_oidc.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"net/url"

 	"github.com/coreos/go-oidc/v3/oidc"
 	"golang.org/x/oauth2"
@@ -27,6 +28,8 @@ type OidcAuthenticator struct {
 	sensitiveInfoLogging bool
 	allowedDomains       []string
 	allowedUserGroups    []string
+	endSessionEndpoint   string
+	logoutIdpSession     bool
 }

 func newOidcAuthenticator(
@@ -63,6 +66,16 @@ func newOidcAuthenticator(
 	provider.sensitiveInfoLogging = cfg.LogSensitiveInfo
 	provider.allowedDomains = cfg.AllowedDomains
 	provider.allowedUserGroups = cfg.AllowedUserGroups
+	provider.logoutIdpSession = cfg.LogoutIdpSession == nil || *cfg.LogoutIdpSession
+
+	var providerMetadata struct {
+		EndSessionEndpoint string `json:"end_session_endpoint"`
+	}
+	if err = provider.provider.Claims(&providerMetadata); err != nil {
+		slog.Debug("OIDC: failed to parse provider metadata", "provider", cfg.ProviderName, "error", err)
+	} else {
+		provider.endSessionEndpoint = providerMetadata.EndSessionEndpoint
+	}

 	return provider, nil
 }
@@ -80,6 +93,34 @@ func (o OidcAuthenticator) GetAllowedUserGroups() []string {
 	return o.allowedUserGroups
 }

+func (o OidcAuthenticator) GetLogoutUrl(idTokenHint, postLogoutRedirectUri string) (string, bool) {
+	if !o.logoutIdpSession {
+		return "", false
+	}
+	if o.endSessionEndpoint == "" {
+		slog.Debug("OIDC logout URL generation disabled: provider has no end_session_endpoint", "provider", o.name)
+		return "", false
+	}
+
+	logoutUrl, err := url.Parse(o.endSessionEndpoint)
+	if err != nil {
+		slog.Debug("OIDC logout URL generation failed, unable to parse end_session_endpoint url",
+			"provider", o.name, "error", err)
+		return "", false
+	}
+
+	params := logoutUrl.Query()
+	if idTokenHint != "" {
+		params.Set("id_token_hint", idTokenHint)
+	}
+	if postLogoutRedirectUri != "" {
+		params.Set("post_logout_redirect_uri", postLogoutRedirectUri)
+	}
+	logoutUrl.RawQuery = params.Encode()
+
+	return logoutUrl.String(), true
+}
+
 // RegistrationEnabled returns whether registration is enabled for this authenticator.
 func (o OidcAuthenticator) RegistrationEnabled() bool {
 	return o.registrationEnabled