fix: add redirect_after_logout_uri for OIDC providers that do not have an end_session_endpoint #10653

Merged Dec 25, 2023 (13 commits)

Conversation

luoluoyuyu (Contributor) commented Dec 15, 2023

Description

Fixes #6791

Problem Analysis

When the OpenID service does not support end_session_endpoint, the OIDC logout fails to redirect to post_logout_redirect_uri. This issue is caused by the OpenID standard: end_session_endpoint does not necessarily need to be implemented.

Solution

Use the redirect_after_logout_uri defined in lua-resty-openidc for redirection when the OpenID service does not support end_session_endpoint.

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)
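As an added illustration of the fallback this PR describes (Python written for this thread, not the plugin's Lua code and not lua-resty-openidc's own logic): a constructed discovery document with and without end_session_endpoint, the plugin's post_logout_redirect_uri mapped onto lua-resty-openidc's redirect_after_logout_uri when the endpoint is absent, and the browser redirect that results in each case. The option names follow the PR discussion; the https-only check on the fallback target is an added defensive assumption, since without the OP in the loop the RP alone decides where the browser goes.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed sample discovery documents (not real provider metadata).
OP_WITH_END_SESSION = {
    "issuer": "https://op.example.com",
    "end_session_endpoint": "https://op.example.com/logout",
}
# OIDC Discovery makes end_session_endpoint optional; this OP omits it.
OP_WITHOUT_END_SESSION = {"issuer": "https://op.example.net"}


def build_logout_opts(discovery: dict, conf: dict) -> dict:
    """Mirror the PR's idea: the plugin schema exposes only post_logout_redirect_uri.
    When the OP publishes no end_session_endpoint, reuse that value as the
    library-level redirect_after_logout_uri so logout still lands somewhere."""
    opts = {"post_logout_redirect_uri": conf.get("post_logout_redirect_uri")}
    if not discovery.get("end_session_endpoint"):
        opts["redirect_after_logout_uri"] = conf.get("post_logout_redirect_uri")
    return opts


def _is_absolute_https(url: str) -> bool:
    # Added assumption: a relative or non-https fallback is refused so the
    # local redirect cannot be bent into an open redirect.
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def logout_redirect_target(discovery: dict, opts: dict, id_token: Optional[str]) -> str:
    """Return the URL the RP sends the browser to after clearing its own session."""
    end_session = discovery.get("end_session_endpoint")
    if end_session:
        # RP-initiated logout: the OP ends its session and bounces the user back.
        params = {}
        if id_token:
            params["id_token_hint"] = id_token
        if opts.get("post_logout_redirect_uri"):
            params["post_logout_redirect_uri"] = opts["post_logout_redirect_uri"]
        return f"{end_session}?{urlencode(params)}" if params else end_session
    # No OP logout endpoint: only the local session is gone, redirect locally.
    target = opts.get("redirect_after_logout_uri")
    if not target:
        raise ValueError("OP has no end_session_endpoint and no redirect_after_logout_uri is set")
    if not _is_absolute_https(target):
        raise ValueError("logout redirect target must be an absolute https URL")
    return target
```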

Sn0rt (Contributor) commented Dec 15, 2023

  1. new test for cover
  2. user doc

luoluoyuyu (Contributor, Author) commented Dec 15, 2023

> user doc

It's not necessary to add documentation; this PR is just to support services like Google that don't provide the end_session_endpoint configuration, and OIDC can also correctly use the post_logout_redirect_uri configuration.

luoluoyuyu (Contributor, Author) commented

> new test for cover

Auth0 now supports end_session_endpoint; so far only Google's OpenID service has been found not to support end_session_endpoint. Adding test cases for Google would need a Google account password, so I think adding test cases is not appropriate.
Here is the list of OpenID services that support end_session_endpoint that I have put together:
Okta: https://developer.okta.com/docs/reference/api/oidc/#response-properties-10
Azure: https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#single-sign-out
Auth0: https://auth0.com/docs/authenticate/login/logout/log-users-out-of-auth0#endpoint-discovery
Curity: https://curity.io/resources/learn/openid-connect-logout/#rp-initiated-logout
Connect2id: https://connect2id.com/products/nimbus-oauth-openid-connect-sdk#specs
Gluu: https://gluu.org/docs/gluu-server/4.3/api-guide/openid-connect-api/#openid-connect-end-session-api
IdentityServer: https://docs.duendesoftware.com/identityserver/v6/ui/logout/session_cleanup/#prompting-the-user-to-logout

moonming (Member) left a comment

cannot merge without test cases

Review comment on the line:
=== TEST 35: Check whether outh0 can redirect normally using post_logout_redirect_uri configuration

Member: auth0

shreemaan-abhishek (Contributor) left a comment

great job

@monkeyDluffy6017 monkeyDluffy6017 merged commit 129844c into apache:master Dec 25, 2023
45 checks passed
kayx23 (Member) commented Dec 27, 2023

@luoluoyuyu a question for the below:

[screenshot]

What if someone configures both post_logout_redirect_uri and redirect_after_logout_uri?

https://github.com/zmartzone/lua-resty-openidc/blob/master/tests/spec/logout_spec.lua#L264-L299

luoluoyuyu (Contributor, Author) commented Dec 28, 2023

> @luoluoyuyu a question for the below:
>
> [screenshot]
>
> What if someone configures both post_logout_redirect_uri and redirect_after_logout_uri?
>
> https://github.com/zmartzone/lua-resty-openidc/blob/master/tests/spec/logout_spec.lua#L264-L299

Hi @kayx23, 'redirect_after_logout_uri' is not defined in the schema. If 'redirect_after_logout_uri' is configured, an error will occur. apisix/apisix/plugins/openid-connect.lua at master · apache/apisix (github.com)

kayx23 (Member) commented Jan 2, 2024

> If 'redirect_after_logout_uri' is configured, an error will occur.

Not really true, as previously shown.

[screenshot]

However, I will remove redirect_after_logout_uri from the new doc given this change.

Linked issue (may be closed by this pull request): bug: openid-connect plugin doesn't redirect after logout