Fix backend logout URL call on sign out (#3172)
Signed-off-by: Vivek Sejpal <vsejpal@gmail.com>
This commit is contained in:
Vivek Sejpal
Jan Larwig
parent
88075737a6
commit
f14f3c2b66
|
|
@ -746,6 +746,10 @@ func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) {
|
|||
p.ErrorPage(rw, req, http.StatusInternalServerError, err.Error())
|
||||
return
|
||||
}
|
||||
// Call backend logout before clearing the session so we still have the session
|
||||
// (and id_token) available to invoke the provider's logout endpoint
|
||||
p.backendLogout(rw, req)
|
||||
|
||||
err = p.ClearSessionCookie(rw, req)
|
||||
if err != nil {
|
||||
logger.Errorf("Error clearing session cookie: %v", err)
|
||||
|
|
@ -753,8 +757,6 @@ func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
p.backendLogout(rw, req)
|
||||
|
||||
http.Redirect(rw, req, redirect, http.StatusFound)
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -2028,6 +2028,44 @@ func Test_noCacheHeaders(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
func TestSignOutCallsBackendLogoutURL(t *testing.T) {
|
||||
const testIDToken = "test-id-token-12345"
|
||||
var receivedURL string
|
||||
backendLogoutServer := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
|
||||
receivedURL = req.URL.String()
|
||||
rw.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer backendLogoutServer.Close()
|
||||
|
||||
opts := baseTestOptions()
|
||||
opts.Providers[0].BackendLogoutURL = backendLogoutServer.URL + "/logout?id_token_hint={id_token}"
|
||||
err := validation.Validate(opts)
|
||||
require.NoError(t, err)
|
||||
|
||||
proxy, err := NewOAuthProxy(opts, func(string) bool { return true })
|
||||
require.NoError(t, err)
|
||||
|
||||
// Save a session with IDToken so backend logout can use it
|
||||
rw := httptest.NewRecorder()
|
||||
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
||||
err = proxy.sessionStore.Save(rw, req, &sessions.SessionState{
|
||||
Email: "user@example.com",
|
||||
IDToken: testIDToken,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
cookie := rw.Header().Values("Set-Cookie")[0]
|
||||
|
||||
// Hit sign_out with the session cookie; backend logout should be called before session is cleared
|
||||
signOutReq := httptest.NewRequest(http.MethodGet, "/oauth2/sign_out", nil)
|
||||
signOutReq.Header.Set("Cookie", cookie)
|
||||
rec := httptest.NewRecorder()
|
||||
proxy.ServeHTTP(rec, signOutReq)
|
||||
|
||||
assert.Equal(t, http.StatusFound, rec.Code, "sign_out should redirect")
|
||||
assert.Contains(t, receivedURL, "id_token_hint="+testIDToken,
|
||||
"backend logout URL should have been called with id_token from session")
|
||||
}
|
||||
|
||||
func baseTestOptions() *options.Options {
|
||||
opts := options.NewOptions()
|
||||
opts.Cookie.Secret = rawCookieSecret
|
||||
|
|
|
|||
Loading…
Reference in New Issue