Merge pull request #3776 from wansir/feat-logout
Support RP-Initiated Logout
This commit is contained in:
KubeSphere CI Bot
@@ -19,6 +19,9 @@ package oauth
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
||||
"kubesphere.io/kubesphere/pkg/server/errors"
|
||||
|
||||
"github.com/emicklei/go-restful"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
@@ -320,3 +323,33 @@ func (h *handler) refreshTokenGrant(req *restful.Request, response *restful.Resp
|
||||
|
||||
response.WriteEntity(result)
|
||||
}
|
||||
|
||||
func (h *handler) Logout(req *restful.Request, resp *restful.Response) {
|
||||
authenticated, ok := request.UserFrom(req.Request.Context())
|
||||
if ok {
|
||||
if err := h.tokenOperator.RevokeAllUserTokens(authenticated.GetName()); err != nil {
|
||||
api.HandleInternalError(resp, req, apierrors.NewInternalError(err))
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
postLogoutRedirectURI := req.QueryParameter("post_logout_redirect_uri")
|
||||
if postLogoutRedirectURI == "" {
|
||||
resp.WriteAsJson(errors.None)
|
||||
return
|
||||
}
|
||||
|
||||
redirectURL, err := url.Parse(postLogoutRedirectURI)
|
||||
if err != nil {
|
||||
api.HandleBadRequest(resp, req, fmt.Errorf("invalid logout redirect URI: %s", err))
|
||||
return
|
||||
}
|
||||
|
||||
state := req.QueryParameter("state")
|
||||
if state != "" {
|
||||
redirectURL.Query().Add("state", state)
|
||||
}
|
||||
|
||||
resp.Header().Set("Content-Type", "text/plain")
|
||||
http.Redirect(resp, req.Request, redirectURL.String(), http.StatusFound)
|
||||
}
|
||||
|
||||
@@ -110,6 +110,23 @@ func AddToContainer(c *restful.Container, im im.IdentityManagementInterface,
|
||||
Returns(http.StatusOK, api.StatusOK, oauth.Token{}).
|
||||
Metadata(restfulspec.KeyOpenAPITags, []string{constants.AuthenticationTag}))
|
||||
|
||||
// https://openid.net/specs/openid-connect-rpinitiated-1_0.html
|
||||
ws.Route(ws.GET("/logout").
|
||||
Doc("This endpoint takes an ID token and logs the user out of KubeSphere if the "+
|
||||
"subject matches the current session.").
|
||||
Param(ws.QueryParameter("id_token_hint", "ID Token previously issued by the OP "+
|
||||
"to the RP passed to the Logout Endpoint as a hint about the End-User's current authenticated "+
|
||||
"session with the Client. This is used as an indication of the identity of the End-User that "+
|
||||
"the RP is requesting be logged out by the OP.").Required(false)).
|
||||
Param(ws.QueryParameter("post_logout_redirect_uri", "URL to which the RP is requesting "+
|
||||
"that the End-User's User Agent be redirected after a logout has been performed. ").Required(false)).
|
||||
Param(ws.QueryParameter("state", "Opaque value used by the RP to maintain state between "+
|
||||
"the logout request and the callback to the endpoint specified by the post_logout_redirect_uri parameter.").
|
||||
Required(false)).
|
||||
To(handler.Logout).
|
||||
Returns(http.StatusOK, http.StatusText(http.StatusOK), "").
|
||||
Metadata(restfulspec.KeyOpenAPITags, []string{constants.AuthenticationTag}))
|
||||
|
||||
c.Add(ws)
|
||||
|
||||
// legacy auth API
|
||||
|
||||
Reference in New Issue
Block a user