steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity

http: logout — 303 to end_session_endpoint with id_token_hint for OIDC sessions

Browse Source
This commit is contained in:
Steve Cliff
2026-05-05 13:34:47 +01:00
parent 1fd9dce8a2
commit d2ffc98f3c
3 changed files with 96 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/server/http/ui_handlers.go
+31 -5
View File
@@ -8,6 +8,7 @@ import (
"io/fs"
"log/slog"
stdhttp "net/http"
"net/url"
"strings"
"time"
@@ -956,12 +957,37 @@ func (s *Server) handleUILoginPost(w stdhttp.ResponseWriter, r *stdhttp.Request)
stdhttp.Redirect(w, r, "/", stdhttp.StatusSeeOther)
}
// handleUILogoutPost is the form-submit twin of /api/auth/logout. It
// drops the session cookie and redirects to /login.
// handleUILogoutPost is the form-submit twin of /api/auth/logout. For
// local sessions it drops the cookie and redirects to /login. For OIDC
// sessions, if the IdP advertised an end_session_endpoint it performs
// RP-initiated logout by redirecting there with id_token_hint and
// post_logout_redirect_uri.
func (s *Server) handleUILogoutPost(w stdhttp.ResponseWriter, r *stdhttp.Request) {
if c, err := r.Cookie(sessionCookieName); err == nil {
_ = s.deps.Store.DeleteSession(r.Context(), auth.HashToken(c.Value))
c, err := r.Cookie(sessionCookieName)
if err != nil {
stdhttp.Redirect(w, r, "/login", stdhttp.StatusSeeOther)
return
}
hash := auth.HashToken(c.Value)
sess, _ := s.deps.Store.LookupSession(r.Context(), hash)
_ = s.deps.Store.DeleteSession(r.Context(), hash)
// Default: drop session, go to /login.
dest := "/login"
// OIDC session with a discovered end_session_endpoint? Compose
// the IdP logout URL with id_token_hint + post_logout_redirect_uri.
if sess != nil && sess.IDToken != "" && s.deps.OIDC != nil &&
s.deps.OIDC.EndSessionEndpoint() != "" {
v := url.Values{}
v.Set("id_token_hint", sess.IDToken)
if base := strings.TrimRight(s.deps.Cfg.BaseURL, "/"); base != "" {
v.Set("post_logout_redirect_uri", base+"/login")
}
dest = s.deps.OIDC.EndSessionEndpoint() + "?" + v.Encode()
}
// Clear the cookie.
stdhttp.SetCookie(w, &stdhttp.Cookie{
Name: sessionCookieName,
Value: "",
@@ -971,5 +997,5 @@ func (s *Server) handleUILogoutPost(w stdhttp.ResponseWriter, r *stdhttp.Request
Secure: s.deps.Cfg.CookieSecure,
SameSite: stdhttp.SameSiteLaxMode,
})
stdhttp.Redirect(w, r, "/login", stdhttp.StatusSeeOther)
stdhttp.Redirect(w, r, dest, stdhttp.StatusSeeOther)
}