OIDC logout: use a fixed post logout redirect uri (#1276)

Co-authored-by: Jonathan Perret <j-github@jonathanperret.net>
2024-10-27 20:44:07 +00:00 · 2024-10-22 18:03:11 +02:00 · 2024-10-22 18:03:11 +02:00 · c783a4f75e
commit c783a4f75e
parent c27f832851
3 changed files with 18 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -94,3 +94,6 @@ xunit.xml
 /docker-compose-examples/*/persist
 /docker-compose-examples/*/secrets
 /docker-compose-examples/grist-traefik-oidc-auth/.env
+
+# Sample grist documents
+/samples/
--- a/app/server/lib/OIDCConfig.ts
+++ b/app/server/lib/OIDCConfig.ts
@ -79,6 +79,7 @@ import { SendAppPageFunction } from 'app/server/lib/sendAppPage';
 import { StringUnionError } from 'app/common/StringUnion';
 import { EnabledProtection, EnabledProtectionString, ProtectionsManager } from './oidc/Protections';
 import { SessionObj } from './BrowserSession';
+import { getOriginUrl } from './requestUtils';

 const CALLBACK_URL = '/oauth2/callback';

@ -278,18 +279,21 @@ export class OIDCConfig {
    });
  }

-  public async getLogoutRedirectUrl(req: express.Request, redirectUrl: URL): Promise<string> {
+  public async getLogoutRedirectUrl(req: express.Request): Promise<string> {
    const session: SessionObj|undefined = (req as RequestWithLogin).session;
+    const stableRedirectUri = new URL('/signed-out', getOriginUrl(req)).href;
    // For IdPs that don't have end_session_endpoint, we just redirect to the logout page.
    if (this._skipEndSessionEndpoint) {
-      return redirectUrl.href;
+      // Ignore redirectUrl because OIDC providers don't allow variable redirect URIs
+      return stableRedirectUri;
    }
    // Alternatively, we could use a logout URL specified by configuration.
    if (this._endSessionEndpoint) {
      return this._endSessionEndpoint;
    }
    return this._client.endSessionUrl({
-      post_logout_redirect_uri: redirectUrl.href,
+      // Ignore redirectUrl because OIDC providers don't allow variable redirect URIs
+      post_logout_redirect_uri: stableRedirectUri,
      id_token_hint: session?.oidc?.idToken,
    });
  }
--- a/test/server/lib/OIDCConfig.ts
+++ b/test/server/lib/OIDCConfig.ts
@ -752,7 +752,7 @@ describe('OIDCConfig', () => {
  });

  describe('getLogoutRedirectUrl', () => {
-    const REDIRECT_URL = new URL('http://localhost:8484/docs/signed-out');
+    const STABLE_LOGOUT_URL = new URL('http://localhost:8484/signed-out');
    const URL_RETURNED_BY_CLIENT = 'http://localhost:8484/logout_url_from_issuer';
    const ENV_VALUE_GRIST_OIDC_IDP_END_SESSION_ENDPOINT = 'http://localhost:8484/logout';
    const FAKE_SESSION = {
@ -767,7 +767,7 @@ describe('OIDCConfig', () => {
        env: {
          GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: 'true',
        },
-        expectedUrl: REDIRECT_URL.href,
+        expectedUrl: STABLE_LOGOUT_URL.href,
      }, {
        itMsg: 'should use the GRIST_OIDC_IDP_END_SESSION_ENDPOINT when it is set',
        env: {
@ -778,14 +778,14 @@ describe('OIDCConfig', () => {
        itMsg: 'should call the end session endpoint with the expected parameters',
        expectedUrl: URL_RETURNED_BY_CLIENT,
        expectedLogoutParams: {
-          post_logout_redirect_uri: REDIRECT_URL.href,
+          post_logout_redirect_uri: STABLE_LOGOUT_URL.href,
          id_token_hint: FAKE_SESSION.oidc!.idToken,
        }
      }, {
        itMsg: 'should call the end session endpoint with no idToken if session is missing',
        expectedUrl: URL_RETURNED_BY_CLIENT,
        expectedLogoutParams: {
-          post_logout_redirect_uri: REDIRECT_URL.href,
+          post_logout_redirect_uri: STABLE_LOGOUT_URL.href,
          id_token_hint: undefined,
        },
        session: null
@ -798,9 +798,12 @@ describe('OIDCConfig', () => {
        clientStub.endSessionUrl.returns(URL_RETURNED_BY_CLIENT);
        const config = await OIDCConfigStubbed.buildWithStub(clientStub.asClient());
        const req = {
+          headers: {
+            host: STABLE_LOGOUT_URL.host
+          },
          session: 'session' in ctx ? ctx.session : FAKE_SESSION
        } as unknown as RequestWithLogin;
-        const url = await config.getLogoutRedirectUrl(req, REDIRECT_URL);
+        const url = await config.getLogoutRedirectUrl(req);
        assert.equal(url, ctx.expectedUrl);
        if (ctx.expectedLogoutParams) {
          assert.isTrue(clientStub.endSessionUrl.calledOnce);