From 739701fa91367fe138153d504e0e89ae0873a217 Mon Sep 17 00:00:00 2001
From: KubeSphere CI Bot <47586280+ks-ci-bot@users.noreply.github.com>
Date: Sat, 8 Feb 2025 10:11:13 +0800
Subject: [PATCH] [release-4.1] Fix OIDC logout redirect uri (#6351)

* fix: oidc logout redirect uri

Signed-off-by: peng wu <2030047311@qq.com>

* fix: oidc unittest

Signed-off-by: peng wu <2030047311@qq.com>

---------

Signed-off-by: peng wu <2030047311@qq.com>
Co-authored-by: peng wu <2030047311@qq.com>
---
 .../authentication/identityprovider/oidc/oidc.go | 16 ++++++++++++++++
 .../identityprovider/oidc/oidc_test.go | 2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/pkg/apiserver/authentication/identityprovider/oidc/oidc.go b/pkg/apiserver/authentication/identityprovider/oidc/oidc.go
index 0cb8c7022..6767addc5 100644
--- a/pkg/apiserver/authentication/identityprovider/oidc/oidc.go
+++ b/pkg/apiserver/authentication/identityprovider/oidc/oidc.go
@@ -13,6 +13,7 @@ import (
 "fmt"
 "io"
 "net/http"
+ "net/url"
 
 "github.com/coreos/go-oidc"
 "github.com/golang-jwt/jwt/v4"
@@ -51,6 +52,10 @@ type oidcProvider struct {
 // Scope specifies optional requested permissions.
 Scopes []string `json:"scopes" yaml:"scopes"`
 
+ // Redirection to RP After Logout
+ // See https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RedirectionAfterLogout
+ PostLogoutRedirectURI string `json:"postLogoutRedirectURI" yaml:"postLogoutRedirectURI"`
+
 // GetUserInfo uses the userinfo endpoint to get additional claims for the token.
 // This is especially useful where upstreams return "thin" id tokens
 // See also, https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
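Review bot: The doc comment on the new `PostLogoutRedirectURI` field in the `oidcProvider` struct hunk says only where the value is used, not that it is optional or what form the OP expects, so someone configuring the provider cannot tell whether an absolute URL, a path, or nothing at all is acceptable. I would replace the two comment lines with `// PostLogoutRedirectURI is sent as post_logout_redirect_uri on the end-session request. It is optional; when set it should be a URL the OP accepts for this client (see https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RedirectionAfterLogout).` The `oidcProvider` struct starts and ends outside the hunk.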
@@ -152,6 +157,17 @@ func (f *oidcProviderFactory) Create(opts options.DynamicOptions) (identityprovi
 oidcProvider.Endpoint.UserInfoURL, _ = providerJSON["userinfo_endpoint"].(string)
 oidcProvider.Endpoint.JWKSURL, _ = providerJSON["jwks_uri"].(string)
 oidcProvider.Endpoint.EndSessionURL, _ = providerJSON["end_session_endpoint"].(string)
+
+ endSessionUrl, err := url.Parse(oidcProvider.Endpoint.EndSessionURL)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse end session url: %v", err)
+ }
+ endSessionQuery := endSessionUrl.Query()
+ endSessionQuery.Add("post_logout_redirect_uri", oidcProvider.PostLogoutRedirectURI)
+ endSessionQuery.Add("client_id", oidcProvider.ClientID)
+ endSessionUrl.RawQuery = endSessionQuery.Encode()
+
+ oidcProvider.Endpoint.EndSessionURL = endSessionUrl.String()
 oidcProvider.Provider = provider
 oidcProvider.Verifier = provider.Verifier(&oidc.Config{
 // TODO: support HS256
diff --git a/pkg/apiserver/authentication/identityprovider/oidc/oidc_test.go b/pkg/apiserver/authentication/identityprovider/oidc/oidc_test.go
index fd38d1fc8..ab9d8666c 100644
--- a/pkg/apiserver/authentication/identityprovider/oidc/oidc_test.go
+++ b/pkg/apiserver/authentication/identityprovider/oidc/oidc_test.go
@@ -175,7 +175,7 @@ var _ = Describe("OIDC", func() {
 "tokenURL": fmt.Sprintf("%s/token", oidcServer.URL),
 "userInfoURL": fmt.Sprintf("%s/userinfo", oidcServer.URL),
 "jwksURL": fmt.Sprintf("%s/keys", oidcServer.URL),
- "endSessionURL": fmt.Sprintf("%s/endsession", oidcServer.URL),
+ "endSessionURL": fmt.Sprintf("%s/endsession?client_id=kubesphere&post_logout_redirect_uri=", oidcServer.URL),
 },
 }
 Expect(config).Should(Equal(expected))
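Review bot: In the block added after the `end_session_endpoint` lookup the query parameters are appended unconditionally, so when the provider advertises no end-session endpoint `url.Parse("")` succeeds and `EndSessionURL` becomes the non-empty relative string `?client_id=…&post_logout_redirect_uri=`, and when `PostLogoutRedirectURI` is unset (the default for every existing configuration) an empty `post_logout_redirect_uri=` is sent, which the oidc_test.go hunk now pins as the expected value. Whatever consumes `EndSessionURL` presumably treats a non-empty value as "logout supported", so the first case would redirect the browser to a relative URL on the API server, and the second sends an optional parameter with an empty value that an OP validating redirect URIs may reject. I would guard both conditions, use `Set` rather than `Add` so a discovery URL that already carries these keys is not duplicated, rename `endSessionUrl` to `endSessionURL` per the Go initialism convention, and wrap the parse error with `%w`. `Create` starts and ends outside the hunk.
```go
	oidcProvider.Endpoint.EndSessionURL, _ = providerJSON["end_session_endpoint"].(string)
	// Only decorate the end-session endpoint when the provider advertises one;
	// an empty URL must stay empty so callers can still detect "logout unsupported".
	if oidcProvider.Endpoint.EndSessionURL != "" {
		endSessionURL, err := url.Parse(oidcProvider.Endpoint.EndSessionURL)
		if err != nil {
			return nil, fmt.Errorf("parsing end session url: %w", err)
		}
		endSessionQuery := endSessionURL.Query()
		endSessionQuery.Set("client_id", oidcProvider.ClientID)
		// post_logout_redirect_uri is optional in RP-initiated logout; omit it
		// rather than sending an empty value the OP may reject.
		if oidcProvider.PostLogoutRedirectURI != "" {
			endSessionQuery.Set("post_logout_redirect_uri", oidcProvider.PostLogoutRedirectURI)
		}
		endSessionURL.RawQuery = endSessionQuery.Encode()
		oidcProvider.Endpoint.EndSessionURL = endSessionURL.String()
	}
	// … unchanged: provider and verifier setup …
```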