Fix OIDC logout redirect uri (#6348)
* fix: oidc logout redirect uri Signed-off-by: peng wu <2030047311@qq.com> * fix: oidc unittest Signed-off-by: peng wu <2030047311@qq.com> --------- Signed-off-by: peng wu <2030047311@qq.com>
@@ -13,6 +13,7 @@ import (
"fmt"
"io"
"net/http"
"net/url"
"github.com/coreos/go-oidc/v3/oidc"
@@ -52,6 +53,10 @@ type oidcProvider struct {
// Scope specifies optional requested permissions.
Scopes []string `json:"scopes" yaml:"scopes"`
// Redirection to RP After Logout
// See https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RedirectionAfterLogout
PostLogoutRedirectURI string `json:"postLogoutRedirectURI" yaml:"postLogoutRedirectURI"`
// GetUserInfo uses the userinfo endpoint to get additional claims for the token.
// This is especially useful where upstreams return "thin" id tokens
// See also, https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
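Review bot: The comment on the new `PostLogoutRedirectURI` field, `// Redirection to RP After Logout`, does not tell an operator what value is expected or how the provider uses it, and the spec link alone does not make that clear. I would replace the two comment lines with `// PostLogoutRedirectURI is sent to the OP as the post_logout_redirect_uri parameter of the discovered end_session_endpoint; the RP-Initiated Logout spec requires the value to be one the OP has registered for this client, so an unregistered value is expected to be rejected by the OP.` and keep the spec URL on the following line. The oidcProvider struct continues outside this hunk.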
@@ -153,6 +158,17 @@ func (f *oidcProviderFactory) Create(opts options.DynamicOptions) (identityprovi
oidcProvider.Endpoint.UserInfoURL, _ = providerJSON["userinfo_endpoint"].(string)
oidcProvider.Endpoint.JWKSURL, _ = providerJSON["jwks_uri"].(string)
oidcProvider.Endpoint.EndSessionURL, _ = providerJSON["end_session_endpoint"].(string)
endSessionUrl, err := url.Parse(oidcProvider.Endpoint.EndSessionURL)
if err != nil {
return nil, fmt.Errorf("failed to parse end session url: %v", err)
}
endSessionQuery := endSessionUrl.Query()
endSessionQuery.Add("post_logout_redirect_uri", oidcProvider.PostLogoutRedirectURI)
endSessionQuery.Add("client_id", oidcProvider.ClientID)
endSessionUrl.RawQuery = endSessionQuery.Encode()
oidcProvider.Endpoint.EndSessionURL = endSessionUrl.String()
oidcProvider.Provider = provider
oidcProvider.Verifier = provider.Verifier(&oidc.Config{
// TODO: support HS256
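Review bot: The new block starting at `endSessionUrl, err := url.Parse(oidcProvider.Endpoint.EndSessionURL)` runs even when discovery returned no `end_session_endpoint`: `url.Parse("")` succeeds, so `Endpoint.EndSessionURL` ends up as `?client_id=...&post_logout_redirect_uri=` instead of staying empty, which would presumably defeat any caller that treats an empty EndSessionURL as "OP does not support RP-initiated logout" (the caller is not visible here). The `post_logout_redirect_uri` parameter is likewise appended even when `PostLogoutRedirectURI` is unset, sending an empty parameter to the OP, and the updated test in the last hunk pins exactly that empty-parameter output. I would guard the whole rewrite on a non-empty endpoint, add the redirect URI only when configured, use `Set` instead of `Add` so a query already present on the discovered URL is not duplicated, and wrap the parse error with `%w` so callers can unwrap it. Create begins and ends outside this hunk, and the local should be spelled `endSessionURL` to match Go initialism conventions.
```go
oidcProvider.Endpoint.EndSessionURL, _ = providerJSON["end_session_endpoint"].(string)

// Only decorate the end-session endpoint when the OP advertises one;
// url.Parse("") succeeds and would otherwise produce a bare "?client_id=..." URL.
if oidcProvider.Endpoint.EndSessionURL != "" {
	endSessionURL, err := url.Parse(oidcProvider.Endpoint.EndSessionURL)
	if err != nil {
		return nil, fmt.Errorf("failed to parse end session url: %w", err)
	}
	q := endSessionURL.Query()
	q.Set("client_id", oidcProvider.ClientID)
	if oidcProvider.PostLogoutRedirectURI != "" {
		q.Set("post_logout_redirect_uri", oidcProvider.PostLogoutRedirectURI)
	}
	endSessionURL.RawQuery = q.Encode()
	oidcProvider.Endpoint.EndSessionURL = endSessionURL.String()
}
// … unchanged: Provider and Verifier setup …
```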
@@ -175,7 +175,7 @@ var _ = Describe("OIDC", func() {
"tokenURL": fmt.Sprintf("%s/token", oidcServer.URL),
"userInfoURL": fmt.Sprintf("%s/userinfo", oidcServer.URL),
"jwksURL": fmt.Sprintf("%s/keys", oidcServer.URL),
"endSessionURL": fmt.Sprintf("%s/endsession", oidcServer.URL),
"endSessionURL": fmt.Sprintf("%s/endsession?client_id=kubesphere&post_logout_redirect_uri=", oidcServer.URL),
},
}
Expect(config).Should(Equal(expected))
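Review bot: The new expected `"endSessionURL"` value ends in `post_logout_redirect_uri=` with no value, so the assertion only covers a provider with no redirect URI configured and never checks that a configured value is carried through and query-escaped. I would set `postLogoutRedirectURI` in the provider configuration under test (presumably in the setup above this hunk) and expect the escaped value, e.g. `"endSessionURL": fmt.Sprintf("%s/endsession?client_id=kubesphere&post_logout_redirect_uri=%s", oidcServer.URL, url.QueryEscape(redirectURI))`, importing net/url in the test file if it is not already. The Describe block begins and ends outside this hunk.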