Fix OIDC logout redirect uri (kubesphere#6348)

* fix: oidc logout redirect uri Signed-off-by: peng wu <[email protected]> * fix: oidc unittest Signed-off-by: peng wu <[email protected]> --------- Signed-off-by: peng wu <[email protected]>
duanmengkk · Feb 5, 2025 · f390d46 · f390d46
1 parent 7ce92c8
commit f390d46
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/pkg/apiserver/authentication/identityprovider/oidc/oidc.go b/pkg/apiserver/authentication/identityprovider/oidc/oidc.go
@@ -13,6 +13,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 
@@ -52,6 +53,10 @@ type oidcProvider struct {
 	// Scope specifies optional requested permissions.
 	Scopes []string `json:"scopes" yaml:"scopes"`
 
+	// Redirection to RP After Logout
+	// See https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RedirectionAfterLogout
+	PostLogoutRedirectURI string `json:"postLogoutRedirectURI" yaml:"postLogoutRedirectURI"`
+
 	// GetUserInfo uses the userinfo endpoint to get additional claims for the token.
 	// This is especially useful where upstreams return "thin" id tokens
 	// See also, https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
@@ -153,6 +158,17 @@ func (f *oidcProviderFactory) Create(opts options.DynamicOptions) (identityprovi
 		oidcProvider.Endpoint.UserInfoURL, _ = providerJSON["userinfo_endpoint"].(string)
 		oidcProvider.Endpoint.JWKSURL, _ = providerJSON["jwks_uri"].(string)
 		oidcProvider.Endpoint.EndSessionURL, _ = providerJSON["end_session_endpoint"].(string)
+
+		endSessionUrl, err := url.Parse(oidcProvider.Endpoint.EndSessionURL)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse end session url: %v", err)
+		}
+		endSessionQuery := endSessionUrl.Query()
+		endSessionQuery.Add("post_logout_redirect_uri", oidcProvider.PostLogoutRedirectURI)
+		endSessionQuery.Add("client_id", oidcProvider.ClientID)
+		endSessionUrl.RawQuery = endSessionQuery.Encode()
+
+		oidcProvider.Endpoint.EndSessionURL = endSessionUrl.String()
 		oidcProvider.Provider = provider
 		oidcProvider.Verifier = provider.Verifier(&oidc.Config{
 			// TODO: support HS256

diff --git a/pkg/apiserver/authentication/identityprovider/oidc/oidc_test.go b/pkg/apiserver/authentication/identityprovider/oidc/oidc_test.go
@@ -175,7 +175,7 @@ var _ = Describe("OIDC", func() {
 					"tokenURL":      fmt.Sprintf("%s/token", oidcServer.URL),
 					"userInfoURL":   fmt.Sprintf("%s/userinfo", oidcServer.URL),
 					"jwksURL":       fmt.Sprintf("%s/keys", oidcServer.URL),
-					"endSessionURL": fmt.Sprintf("%s/endsession", oidcServer.URL),
+					"endSessionURL": fmt.Sprintf("%s/endsession?client_id=kubesphere&post_logout_redirect_uri=", oidcServer.URL),
 				},
 			}
 			Expect(config).Should(Equal(expected))