Implements OIDC RP-Initiated Logout (#36724)
At logout time, if the user authenticated via OIDC, we look up the provider's `end_session_endpoint` (already discovered by Goth from the OIDC metadata) and redirect there with `client_id` and `post_logout_redirect_uri`. Non-OIDC OAuth2 providers (GitHub, GitLab, etc.) are unaffected — they fall back to local-only logout. Fix #14270 --------- Signed-off-by: Nikita Vakula <nikita.vakula@alpsalpine.com> Co-authored-by: Nikita Vakula <nikita.vakula@alpsalpine.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
@@ -425,8 +425,21 @@ func SignOut(ctx *context.Context) {
|
||||
Data: ctx.Session.ID(),
|
||||
})
|
||||
}
|
||||
|
||||
// prepare the sign-out URL before destroying the session
|
||||
redirectTo := buildSignOutRedirectURL(ctx)
|
||||
HandleSignOut(ctx)
|
||||
ctx.JSONRedirect(setting.AppSubURL + "/")
|
||||
ctx.Redirect(redirectTo)
|
||||
}
|
||||
|
||||
func buildSignOutRedirectURL(ctx *context.Context) string {
|
||||
// TODO: can also support REVERSE_PROXY_AUTHENTICATION logout URL in the future
|
||||
if ctx.Doer != nil && ctx.Doer.LoginType == auth.OAuth2 {
|
||||
if s := buildOIDCEndSessionURL(ctx, ctx.Doer); s != "" {
|
||||
return s
|
||||
}
|
||||
}
|
||||
return setting.AppSubURL + "/"
|
||||
}
|
||||
|
||||
// SignUp render the register page
|
||||
|
||||
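Review bot: The gate `ctx.Doer.LoginType == auth.OAuth2` in buildSignOutRedirectURL tests the account's login source, not how the current session was established, so whether the provider session is ended depends on the account type rather than on the sign-in being undone. If an account of another login type can sign in through a linked OIDC provider (not visible in this hunk), that user would get local-only logout while the provider session stays live, and a later single sign-on could restore access without re-authentication. Consider recording the authenticating source in the session at sign-in and checking that value here instead. The empty-string fallback from buildOIDCEndSessionURL (defined outside this hunk) is also silent, so a doc comment such as `// buildSignOutRedirectURL returns the provider's end-session URL for OIDC logins, else the local home URL; call it before HandleSignOut destroys the session.` would record the contract, and a log line on the fallback path would make a missing provider logout visible to operators.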