OIDC - support IdP logout (#670)

* OIDC - support IdP logout Signed-off-by: Michael Tupitsyn <michael.tupitsyn@gmail.com> * Add support of logout_idp_session parameter Signed-off-by: Michael Tupitsyn <michael.tupitsyn@gmail.com> * Fix merge conflict issue Signed-off-by: Michael Tupitsyn <michael.tupitsyn@gmail.com> * Restore original package-lock.json Signed-off-by: Michael Tupitsyn <michael.tupitsyn@gmail.com> * Cleanup --------- Signed-off-by: Michael Tupitsyn <michael.tupitsyn@gmail.com> Co-authored-by: Christoph Haas <christoph.h@sprinternet.at>
2026-04-16 12:36:23 +00:00 · 2026-04-12 04:18:04 -07:00
parent 9b437205b1
commit 71806455dd
10 changed files with 120 additions and 21 deletions
--- a/internal/app/auth/auth_oidc.go
+++ b/internal/app/auth/auth_oidc.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"net/url"

 	"github.com/coreos/go-oidc/v3/oidc"
 	"golang.org/x/oauth2"
@@ -27,6 +28,8 @@ type OidcAuthenticator struct {
 	sensitiveInfoLogging bool
 	allowedDomains       []string
 	allowedUserGroups    []string
+	endSessionEndpoint   string
+	logoutIdpSession     bool
 }

 func newOidcAuthenticator(
@@ -63,6 +66,16 @@ func newOidcAuthenticator(
 	provider.sensitiveInfoLogging = cfg.LogSensitiveInfo
 	provider.allowedDomains = cfg.AllowedDomains
 	provider.allowedUserGroups = cfg.AllowedUserGroups
+	provider.logoutIdpSession = cfg.LogoutIdpSession == nil || *cfg.LogoutIdpSession
+
+	var providerMetadata struct {
+		EndSessionEndpoint string `json:"end_session_endpoint"`
+	}
+	if err = provider.provider.Claims(&providerMetadata); err != nil {
+		slog.Debug("OIDC: failed to parse provider metadata", "provider", cfg.ProviderName, "error", err)
+	} else {
+		provider.endSessionEndpoint = providerMetadata.EndSessionEndpoint
+	}

 	return provider, nil
 }
@@ -80,6 +93,34 @@ func (o OidcAuthenticator) GetAllowedUserGroups() []string {
 	return o.allowedUserGroups
 }

+func (o OidcAuthenticator) GetLogoutUrl(idTokenHint, postLogoutRedirectUri string) (string, bool) {
+	if !o.logoutIdpSession {
+		return "", false
+	}
+	if o.endSessionEndpoint == "" {
+		slog.Debug("OIDC logout URL generation disabled: provider has no end_session_endpoint", "provider", o.name)
+		return "", false
+	}
+
+	logoutUrl, err := url.Parse(o.endSessionEndpoint)
+	if err != nil {
+		slog.Debug("OIDC logout URL generation failed, unable to parse end_session_endpoint url",
+			"provider", o.name, "error", err)
+		return "", false
+	}
+
+	params := logoutUrl.Query()
+	if idTokenHint != "" {
+		params.Set("id_token_hint", idTokenHint)
+	}
+	if postLogoutRedirectUri != "" {
+		params.Set("post_logout_redirect_uri", postLogoutRedirectUri)
+	}
+	logoutUrl.RawQuery = params.Encode()
+
+	return logoutUrl.String(), true
+}
+
 // RegistrationEnabled returns whether registration is enabled for this authenticator.
 func (o OidcAuthenticator) RegistrationEnabled() bool {
 	return o.registrationEnabled