steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity

http: logout — 303 to end_session_endpoint with id_token_hint for OIDC sessions

Browse Source
This commit is contained in:
Steve Cliff
2026-05-05 13:34:47 +01:00
parent c55a75355a
commit 86598d6357
3 changed files with 96 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/server/http/oidc_handlers_test.go
+62
View File
@@ -200,3 +200,65 @@ func TestOIDCCallbackReturningUserRefreshesRole(t *testing.T) {
t.Errorf("role refresh: got %q want admin", u.Role) t.Errorf("role refresh: got %q want admin", u.Role)
} }
} }
func TestOIDCLogoutRedirectsToEndSession(t *testing.T) {
t.Parallel()
srv, ts, stub := newTestServerWithOIDC(t)
endSessionURL := stub.URL() + "/logout-end"
stub.SetEndSessionEndpoint(endSessionURL)
// Rebuild the OIDC client because end_session_endpoint is read at
// New() time from the discovery doc.
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
cfg := &config.OIDCConfig{
Issuer: stub.URL(), ClientID: "test-client", ClientSecret: "x",
Scopes: []string{"openid"}, RoleClaim: "groups",
RoleMapping: map[string]string{"rm-admins": "admin"},
}
newClient, err := oidc.New(ctx, cfg, "http://test")
if err != nil {
t.Fatalf("rebuild client: %v", err)
}
srv.deps.OIDC = newClient
// Sign in via the OIDC flow.
res := runCallback(t, ts, stub, map[string]any{
"sub": "logout-sub",
"preferred_username": "lo",
"groups": []string{"rm-admins"},
"aud": "test-client",
})
res.Body.Close()
cookies := res.Cookies()
if len(cookies) == 0 {
t.Fatal("expected session cookie after sign-in")
}
sessionCookie := cookies[0]
// POST /logout — should 303 to the end_session endpoint with
// id_token_hint + post_logout_redirect_uri.
c := &stdhttp.Client{CheckRedirect: func(*stdhttp.Request, []*stdhttp.Request) error {
return stdhttp.ErrUseLastResponse
}}
req, _ := stdhttp.NewRequest("POST", ts.URL+"/logout", nil)
req.AddCookie(sessionCookie)
res, err = c.Do(req)
if err != nil {
t.Fatalf("logout: %v", err)
}
defer res.Body.Close()
if res.StatusCode != stdhttp.StatusSeeOther {
t.Errorf("status: got %d want 303", res.StatusCode)
}
loc := res.Header.Get("Location")
if !strings.Contains(loc, "/logout-end") {
t.Errorf("location not at end_session: %q", loc)
}
if !strings.Contains(loc, "id_token_hint=") {
t.Errorf("location missing id_token_hint: %q", loc)
}
if !strings.Contains(loc, "post_logout_redirect_uri=") {
t.Errorf("location missing post_logout_redirect_uri: %q", loc)
}
}
internal/server/http/server.go
+3 -1
View File
@@ -137,10 +137,12 @@ func (s *Server) routes(r chi.Router) {
r.Get("/ws/agent/pending", s.handlePendingWS) r.Get("/ws/agent/pending", s.handlePendingWS)
r.Mount("/static/", staticHandler()) r.Mount("/static/", staticHandler())
// POST /logout is always mounted — it handles both local and OIDC
// sessions and doesn't require the UI renderer.
r.Post("/logout", s.handleUILogoutPost)
if s.deps.UI != nil { if s.deps.UI != nil {
r.Get("/login", s.handleUILoginGet) r.Get("/login", s.handleUILoginGet)
r.Post("/login", s.handleUILoginPost) r.Post("/login", s.handleUILoginPost)
r.Post("/logout", s.handleUILogoutPost)
r.Get("/setup", s.handleUISetupGet) r.Get("/setup", s.handleUISetupGet)
r.Post("/setup", s.handleUISetupPost) r.Post("/setup", s.handleUISetupPost)
} }
internal/server/http/ui_handlers.go
+31 -5
View File
@@ -8,6 +8,7 @@ import (
"io/fs" "io/fs"
"log/slog" "log/slog"
stdhttp "net/http" stdhttp "net/http"
"net/url"
"strings" "strings"
"time" "time"
@@ -956,12 +957,37 @@ func (s *Server) handleUILoginPost(w stdhttp.ResponseWriter, r *stdhttp.Request)
stdhttp.Redirect(w, r, "/", stdhttp.StatusSeeOther) stdhttp.Redirect(w, r, "/", stdhttp.StatusSeeOther)
} }
// handleUILogoutPost is the form-submit twin of /api/auth/logout. It // handleUILogoutPost is the form-submit twin of /api/auth/logout. For
// drops the session cookie and redirects to /login. // local sessions it drops the cookie and redirects to /login. For OIDC
// sessions, if the IdP advertised an end_session_endpoint it performs
// RP-initiated logout by redirecting there with id_token_hint and
// post_logout_redirect_uri.
func (s *Server) handleUILogoutPost(w stdhttp.ResponseWriter, r *stdhttp.Request) { func (s *Server) handleUILogoutPost(w stdhttp.ResponseWriter, r *stdhttp.Request) {
if c, err := r.Cookie(sessionCookieName); err == nil { c, err := r.Cookie(sessionCookieName)
_ = s.deps.Store.DeleteSession(r.Context(), auth.HashToken(c.Value)) if err != nil {
stdhttp.Redirect(w, r, "/login", stdhttp.StatusSeeOther)
return
} }
hash := auth.HashToken(c.Value)
sess, _ := s.deps.Store.LookupSession(r.Context(), hash)
_ = s.deps.Store.DeleteSession(r.Context(), hash)
// Default: drop session, go to /login.
dest := "/login"
// OIDC session with a discovered end_session_endpoint? Compose
// the IdP logout URL with id_token_hint + post_logout_redirect_uri.
if sess != nil && sess.IDToken != "" && s.deps.OIDC != nil &&
s.deps.OIDC.EndSessionEndpoint() != "" {
v := url.Values{}
v.Set("id_token_hint", sess.IDToken)
if base := strings.TrimRight(s.deps.Cfg.BaseURL, "/"); base != "" {
v.Set("post_logout_redirect_uri", base+"/login")
}
dest = s.deps.OIDC.EndSessionEndpoint() + "?" + v.Encode()
}
// Clear the cookie.
stdhttp.SetCookie(w, &stdhttp.Cookie{ stdhttp.SetCookie(w, &stdhttp.Cookie{
Name: sessionCookieName, Name: sessionCookieName,
Value: "", Value: "",
@@ -971,5 +997,5 @@ func (s *Server) handleUILogoutPost(w stdhttp.ResponseWriter, r *stdhttp.Request
Secure: s.deps.Cfg.CookieSecure, Secure: s.deps.Cfg.CookieSecure,
SameSite: stdhttp.SameSiteLaxMode, SameSite: stdhttp.SameSiteLaxMode,
}) })
stdhttp.Redirect(w, r, "/login", stdhttp.StatusSeeOther) stdhttp.Redirect(w, r, dest, stdhttp.StatusSeeOther)
} }