Implements OIDC RP-Initiated Logout (#36724)

At logout time, if the user authenticated via OIDC, we look up the
provider's `end_session_endpoint` (already discovered by Goth from the
OIDC metadata) and redirect there with `client_id` and
`post_logout_redirect_uri`.

Non-OIDC OAuth2 providers (GitHub, GitLab, etc.) are unaffected — they
fall back to local-only logout.

Fix #14270 

---------

Signed-off-by: Nikita Vakula <nikita.vakula@alpsalpine.com>
Co-authored-by: Nikita Vakula <nikita.vakula@alpsalpine.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
Nikita Vakula
2026-03-01 07:28:26 +01:00
committed by GitHub
parent f02f419173
commit 649ebeb120
8 changed files with 127 additions and 10 deletions
+14 -1
View File
@@ -425,8 +425,21 @@ func SignOut(ctx *context.Context) {
Data: ctx.Session.ID(),
})
}
// prepare the sign-out URL before destroying the session
redirectTo := buildSignOutRedirectURL(ctx)
HandleSignOut(ctx)
ctx.JSONRedirect(setting.AppSubURL + "/")
ctx.Redirect(redirectTo)
}
func buildSignOutRedirectURL(ctx *context.Context) string {
// TODO: can also support REVERSE_PROXY_AUTHENTICATION logout URL in the future
if ctx.Doer != nil && ctx.Doer.LoginType == auth.OAuth2 {
if s := buildOIDCEndSessionURL(ctx, ctx.Doer); s != "" {
return s
}
}
return setting.AppSubURL + "/"
}
// SignUp render the register page