[release-4.1] Fix OIDC logout redirect uri (#6351)

* fix: oidc logout redirect uri

Signed-off-by: peng wu <2030047311@qq.com>

* fix: oidc unittest

Signed-off-by: peng wu <2030047311@qq.com>

---------

Signed-off-by: peng wu <2030047311@qq.com>
Co-authored-by: peng wu <2030047311@qq.com>

pkg/apiserver/authentication/identityprovider/oidc/oidc.go

@@ -13,6 +13,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 
 	"github.com/coreos/go-oidc"
 	"github.com/golang-jwt/jwt/v4"
@@ -51,6 +52,10 @@ type oidcProvider struct {
 	// Scope specifies optional requested permissions.
 	Scopes []string `json:"scopes" yaml:"scopes"`
 
+	// Redirection to RP After Logout
+	// See https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RedirectionAfterLogout
+	PostLogoutRedirectURI string `json:"postLogoutRedirectURI" yaml:"postLogoutRedirectURI"`
+
 	// GetUserInfo uses the userinfo endpoint to get additional claims for the token.
 	// This is especially useful where upstreams return "thin" id tokens
 	// See also, https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
@@ -152,6 +157,17 @@ func (f *oidcProviderFactory) Create(opts options.DynamicOptions) (identityprovi
 		oidcProvider.Endpoint.UserInfoURL, _ = providerJSON["userinfo_endpoint"].(string)
 		oidcProvider.Endpoint.JWKSURL, _ = providerJSON["jwks_uri"].(string)
 		oidcProvider.Endpoint.EndSessionURL, _ = providerJSON["end_session_endpoint"].(string)
+
+		endSessionUrl, err := url.Parse(oidcProvider.Endpoint.EndSessionURL)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse end session url: %v", err)
+		}
+		endSessionQuery := endSessionUrl.Query()
+		endSessionQuery.Add("post_logout_redirect_uri", oidcProvider.PostLogoutRedirectURI)
+		endSessionQuery.Add("client_id", oidcProvider.ClientID)
+		endSessionUrl.RawQuery = endSessionQuery.Encode()
+
+		oidcProvider.Endpoint.EndSessionURL = endSessionUrl.String()
 		oidcProvider.Provider = provider
 		oidcProvider.Verifier = provider.Verifier(&oidc.Config{
 			// TODO: support HS256

pkg/apiserver/authentication/identityprovider/oidc/oidc_test.go

@@ -175,7 +175,7 @@ var _ = Describe("OIDC", func() {
 					"tokenURL":      fmt.Sprintf("%s/token", oidcServer.URL),
 					"userInfoURL":   fmt.Sprintf("%s/userinfo", oidcServer.URL),
 					"jwksURL":       fmt.Sprintf("%s/keys", oidcServer.URL),
-					"endSessionURL": fmt.Sprintf("%s/endsession", oidcServer.URL),
+					"endSessionURL": fmt.Sprintf("%s/endsession?client_id=kubesphere&post_logout_redirect_uri=", oidcServer.URL),
 				},
 			}
 			Expect(config).Should(Equal(expected))