Merge branch 'fix/oidc-logout' into development

ssddanbrown · ssddanbrown · commit cc10d1ddfc65 · 2023-12-06T12:14:43.000Z
diff --git a/.env.example.complete b/.env.example.complete
@@ -274,6 +274,10 @@ OIDC_GROUPS_CLAIM=groups
 OIDC_REMOVE_FROM_GROUPS=false
 OIDC_EXTERNAL_ID_CLAIM=sub
 
+# OIDC Logout Feature: Its value should be value of end_session_endpoint from <issuer>/.well-known/openid-configuration 
+OIDC_END_SESSION_ENDPOINT=null
+
+
 # Disable default third-party services such as Gravatar and Draw.IO
 # Service-specific options will override this option
 DISABLE_EXTERNAL_SERVICES=false
diff --git a/app/Access/Controllers/OidcController.php b/app/Access/Controllers/OidcController.php
@@ -63,4 +63,18 @@ public function callback(Request $request)
 
         return redirect()->intended();
     }
+
+    /**
+     * OIDC Logout Feature: Start the authorization logout flow via OIDC.
+     */
+    public function logout()
+    {
+        try {
+            return $this->oidcService->logout();
+        } catch (OidcException $exception) {
+            $this->showErrorNotification($exception->getMessage());
+            return redirect('/logout');
+        }
+    }
+
 }
diff --git a/app/Access/Oidc/OidcService.php b/app/Access/Oidc/OidcService.php
@@ -217,6 +217,12 @@ protected function processAccessTokenCallback(OidcAccessToken $accessToken, Oidc
             $settings->keys,
         );
 
+        // OIDC Logout Feature: Temporarily save token in session 
+        $access_token_for_logout = $idTokenText;
+        session()->put("oidctoken", $access_token_for_logout);
+
+
+
         $returnClaims = Theme::dispatch(ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE, $idToken->getAllClaims(), [
             'access_token' => $accessToken->getToken(),
             'expires_in' => $accessToken->getExpires(),
@@ -284,4 +290,37 @@ protected function shouldSyncGroups(): bool
     {
         return $this->config()['user_to_groups'] !== false;
     }
+
+
+    /**
+     * OIDC Logout Feature: Initiate a logout flow.
+     *
+     * @throws OidcException
+     *
+     * @return string
+     */
+    public function logout() {
+
+        $config = $this->config();
+        $app_url = env('APP_URL', '');
+        $end_session_endpoint = $config["end_session_endpoint"];
+
+        $oidctoken = session()->get("oidctoken");
+        session()->invalidate();
+
+        if (str_contains($app_url, 'https://')) { 
+             $protocol = 'https://';
+        } else {
+             $protocol = 'http://';
+        }
+
+
+
+        return redirect($end_session_endpoint.'?id_token_hint='.$oidctoken."&post_logout_redirect_uri=".$protocol.$_SERVER['HTTP_HOST']."/");
+
+
+    }
+
+
+
 }
diff --git a/app/Config/oidc.php b/app/Config/oidc.php
@@ -47,4 +47,9 @@
     'groups_claim' => env('OIDC_GROUPS_CLAIM', 'groups'),
     // When syncing groups, remove any groups that no longer match. Otherwise sync only adds new groups.
     'remove_from_groups' => env('OIDC_REMOVE_FROM_GROUPS', false),
+
+    // OIDC Logout Feature: OAuth2 end_session_endpoint
+    'end_session_endpoint' => env('OIDC_END_SESSION_ENDPOINT', null),
+
 ];
+
diff --git a/resources/views/layouts/parts/header-user-menu.blade.php b/resources/views/layouts/parts/header-user-menu.blade.php
@@ -29,14 +29,28 @@
         </li>
         <li><hr></li>
         <li>
-            <form action="{{ url(config('auth.method') === 'saml2' ? '/saml2/logout' : '/logout') }}"
-                  method="post">
-                {{ csrf_field() }}
-                <button class="icon-item" data-shortcut="logout">
-                    @icon('logout')
-                    <div>{{ trans('auth.logout') }}</div>
-                </button>
-            </form>
+            <?php
+// OIDC Logout Feature: Use /oidc/logout if authentication method is oidc.
+            if (config('auth.method') === 'oidc')  {
+                ?>
+                <form action="/oidc/logout"
+                    method="get">
+                    <?php
+// OIDC Logout Feature: Use /oidc/logout if authentication method is oidc.
+                } else {
+                    ?>
+                <form action="{{ url(config('auth.method') === 'saml2' ? '/saml2/logout' : '/logout') }}"
+                      method="post">
+                        <?php
+// OIDC Logout Feature: Use /oidc/logout if authentication method is oidc.
+                    }
+                    ?>
+                    {{ csrf_field() }}
+                    <button class="icon-item" data-shortcut="logout">
+                        @icon('logout')
+                        <div>{{ trans('auth.logout') }}</div>
+                    </button>
+                </form>
         </li>
     </ul>
 </div>
diff --git a/routes/web.php b/routes/web.php
@@ -332,6 +332,8 @@
 // OIDC routes
 Route::post('/oidc/login', [AccessControllers\OidcController::class, 'login']);
 Route::get('/oidc/callback', [AccessControllers\OidcController::class, 'callback']);
+// OIDC Logout Feature: Added to cater OIDC logout
+Route::get('/oidc/logout', [AccessControllers\OidcController::class, 'logout']);
 
 // User invitation routes
 Route::get('/register/invite/{token}', [AccessControllers\UserInviteController::class, 'showSetPassword']);
