From f390d46da25e6279255d151c3011bee356218279 Mon Sep 17 00:00:00 2001
From: smartcat999 <49057502+smartcat999@users.noreply.github.com>
Date: Wed, 5 Feb 2025 11:11:09 +0800
Subject: [PATCH] Fix OIDC logout redirect uri (#6348)
* fix: oidc logout redirect uri
Signed-off-by: peng wu <2030047311@qq.com>
* fix: oidc unittest
Signed-off-by: peng wu <2030047311@qq.com>
---------
Signed-off-by: peng wu <2030047311@qq.com>
---
 .../authentication/identityprovider/oidc/oidc.go | 16 ++++++++++++++++
 .../identityprovider/oidc/oidc_test.go | 2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/pkg/apiserver/authentication/identityprovider/oidc/oidc.go b/pkg/apiserver/authentication/identityprovider/oidc/oidc.go
index 8c10f9315..a77fd906d 100644
--- a/pkg/apiserver/authentication/identityprovider/oidc/oidc.go
+++ b/pkg/apiserver/authentication/identityprovider/oidc/oidc.go
@@ -13,6 +13,7 @@ import (
 "fmt"
 "io"
 "net/http"
+ "net/url"
+
 "github.com/coreos/go-oidc/v3/oidc"
+
@@ -52,6 +53,10 @@ type oidcProvider struct {
 // Scope specifies optional requested permissions.
 Scopes []string `json:"scopes" yaml:"scopes"`
+ // Redirection to RP After Logout
+ // See https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RedirectionAfterLogout
+ PostLogoutRedirectURI string `json:"postLogoutRedirectURI" yaml:"postLogoutRedirectURI"`
+
 // GetUserInfo uses the userinfo endpoint to get additional claims for the token.
 // This is especially useful where upstreams return "thin" id tokens
 // See also, https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
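Review bot: The doc comment on the new PostLogoutRedirectURI field says only "Redirection to RP After Logout" and does not tell an operator how the value is used or what constraint applies to it. Per the linked spec the OP only honours a post-logout redirect URI that was registered for the client, and this code (in the Create hunk of the same file) bakes the value into the end-session URL once at provider creation, so a misconfigured value surfaces as a logout failure at the OP rather than here. Suggest: `// PostLogoutRedirectURI is sent as post_logout_redirect_uri to the OP's end-session endpoint; it must exactly match a redirect URI registered for this client at the OP, otherwise RP-initiated logout is rejected.` followed by the existing spec link. The oidcProvider struct starts and ends outside the hunk.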
@@ -153,6 +158,17 @@ func (f *oidcProviderFactory) Create(opts options.DynamicOptions) (identityprovi
 oidcProvider.Endpoint.UserInfoURL, _ = providerJSON["userinfo_endpoint"].(string)
 oidcProvider.Endpoint.JWKSURL, _ = providerJSON["jwks_uri"].(string)
 oidcProvider.Endpoint.EndSessionURL, _ = providerJSON["end_session_endpoint"].(string)
+
+ endSessionUrl, err := url.Parse(oidcProvider.Endpoint.EndSessionURL)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse end session url: %v", err)
+ }
+ endSessionQuery := endSessionUrl.Query()
+ endSessionQuery.Add("post_logout_redirect_uri", oidcProvider.PostLogoutRedirectURI)
+ endSessionQuery.Add("client_id", oidcProvider.ClientID)
+ endSessionUrl.RawQuery = endSessionQuery.Encode()
+
+ oidcProvider.Endpoint.EndSessionURL = endSessionUrl.String()
 oidcProvider.Provider = provider
 oidcProvider.Verifier = provider.Verifier(&oidc.Config{
 // TODO: support HS256
diff --git a/pkg/apiserver/authentication/identityprovider/oidc/oidc_test.go b/pkg/apiserver/authentication/identityprovider/oidc/oidc_test.go
index ca21ed2cc..ce1e324ef 100644
--- a/pkg/apiserver/authentication/identityprovider/oidc/oidc_test.go
+++ b/pkg/apiserver/authentication/identityprovider/oidc/oidc_test.go
@@ -175,7 +175,7 @@ var _ = Describe("OIDC", func() {
 "tokenURL": fmt.Sprintf("%s/token", oidcServer.URL),
 "userInfoURL": fmt.Sprintf("%s/userinfo", oidcServer.URL),
 "jwksURL": fmt.Sprintf("%s/keys", oidcServer.URL),
- "endSessionURL": fmt.Sprintf("%s/endsession", oidcServer.URL),
+ "endSessionURL": fmt.Sprintf("%s/endsession?client_id=kubesphere&post_logout_redirect_uri=", oidcServer.URL),
 },
 }
 Expect(config).Should(Equal(expected))
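Review bot: The query string is appended even when the discovery document advertises no `end_session_endpoint`: `url.Parse("")` succeeds, so EndSessionURL goes from empty to the relative string `?client_id=…&post_logout_redirect_uri=`, and any caller that treats an empty EndSessionURL as "logout unsupported" now receives a bogus endpoint. The same block sends an empty `post_logout_redirect_uri` when the option is unset (the test hunk below pins exactly that), which an OP may reject rather than ignore since the value must match a registered URI, and `Add` will duplicate `client_id` if the advertised endpoint already carries a query. Guard on a non-empty endpoint, only set the redirect when configured, prefer `Set` over `Add`, wrap the parse error with `%w` and drop the "failed to" prefix, and rename `endSessionUrl` to `endSessionURL` per Go initialism style. Create starts and ends outside the hunk.
```go
	oidcProvider.Endpoint.EndSessionURL, _ = providerJSON["end_session_endpoint"].(string)

	// Only decorate a real end-session endpoint; when discovery does not
	// advertise one, leave EndSessionURL empty so callers can detect that.
	if oidcProvider.Endpoint.EndSessionURL != "" {
		endSessionURL, err := url.Parse(oidcProvider.Endpoint.EndSessionURL)
		if err != nil {
			return nil, fmt.Errorf("parsing end session url: %w", err)
		}
		q := endSessionURL.Query()
		// Set rather than Add: an advertised endpoint may already carry a query.
		q.Set("client_id", oidcProvider.ClientID)
		// Omit the parameter entirely when unset; an empty value is not a registered URI.
		if oidcProvider.PostLogoutRedirectURI != "" {
			q.Set("post_logout_redirect_uri", oidcProvider.PostLogoutRedirectURI)
		}
		endSessionURL.RawQuery = q.Encode()
		oidcProvider.Endpoint.EndSessionURL = endSessionURL.String()
	}
	// … unchanged: provider and verifier setup …
```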
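Review bot: The updated expectation pins `post_logout_redirect_uri=` with an empty value, so the test only documents the unconfigured path; the configured path — URL-escaping of a real redirect URI and its placement alongside `client_id` — has no coverage. Add a second case that sets `"postLogoutRedirectURI"` in the provider options and asserts the escaped form, e.g. expecting `post_logout_redirect_uri=https%3A%2F%2Fconsole.example%2Flogout` (constructed example value), so a regression in the encoding would be caught. Since the Create hunk appends the query unconditionally, a case where the mock discovery document omits `end_session_endpoint` would also be worth asserting on. The enclosing Describe block starts and ends outside the hunk.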