outposts/proxy: always redirect to session-end interface on sign_out

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-07-01 15:48:56 +02:00
parent 6064a481fb
commit 4709dca33c
4 changed files with 39 additions and 32 deletions
--- a/outpost/pkg/proxy/api.go
+++ b/outpost/pkg/proxy/api.go
@ -29,9 +29,10 @@ func (s *Server) bundleProviders(providers []api.ProxyOutpostConfig) []*provider
 			log.WithError(err).Warning("Failed to parse URL, skipping provider")
 		}
 		bundles[idx] = &providerBundle{
-			s:    s,
-			Host: externalHost.Host,
-			log:  log.WithField("logger", "authentik.outpost.proxy-bundle").WithField("provider", provider.Name),
+			s:             s,
+			Host:          externalHost.Host,
+			log:           log.WithField("logger", "authentik.outpost.proxy-bundle").WithField("provider", provider.Name),
+			endSessionUrl: provider.OidcConfiguration.EndSessionEndpoint,
 		}
 		bundles[idx].Build(provider)
 	}
--- a/outpost/pkg/proxy/api_bundle.go
+++ b/outpost/pkg/proxy/api_bundle.go
@ -25,6 +25,8 @@ type providerBundle struct {
 	proxy *OAuthProxy
 	Host  string

+	endSessionUrl string
+
 	cert *tls.Certificate

 	log *log.Entry
@ -155,6 +157,7 @@ func (pb *providerBundle) Build(provider api.ProxyOutpostConfig) {
 		oauthproxy.BasicAuthPasswordAttribute = *provider.BasicAuthPasswordAttribute
 	}

+	oauthproxy.endSessionEndpoint = pb.endSessionUrl
 	oauthproxy.ExternalHost = pb.Host

 	pb.proxy = oauthproxy
--- a/outpost/pkg/proxy/proxy.go
+++ b/outpost/pkg/proxy/proxy.go
@ -65,31 +65,33 @@ type OAuthProxy struct {
 	AuthOnlyPath      string
 	UserInfoPath      string

+	endSessionEndpoint         string
 	mode                       api.ProxyMode
-	redirectURL                *url.URL // the url to receive requests at
-	whitelistDomains           []string
-	provider                   providers.Provider
-	sessionStore               sessionsapi.SessionStore
-	ProxyPrefix                string
-	serveMux                   http.Handler
-	SetXAuthRequest            bool
-	SetBasicAuth               bool
-	PassUserHeaders            bool
 	BasicAuthUserAttribute     string
 	BasicAuthPasswordAttribute string
 	ExternalHost               string
-	PassAccessToken            bool
-	SetAuthorization           bool
-	PassAuthorization          bool
-	PreferEmailToUser          bool
-	skipAuthRegex              []string
-	skipAuthPreflight          bool
-	skipAuthStripHeaders       bool
-	mainJwtBearerVerifier      *oidc.IDTokenVerifier
-	extraJwtBearerVerifiers    []*oidc.IDTokenVerifier
-	compiledRegex              []*regexp.Regexp
-	templates                  *template.Template
-	realClientIPParser         ipapi.RealClientIPParser
+
+	redirectURL             *url.URL // the url to receive requests at
+	whitelistDomains        []string
+	provider                providers.Provider
+	sessionStore            sessionsapi.SessionStore
+	ProxyPrefix             string
+	serveMux                http.Handler
+	SetXAuthRequest         bool
+	SetBasicAuth            bool
+	PassUserHeaders         bool
+	PassAccessToken         bool
+	SetAuthorization        bool
+	PassAuthorization       bool
+	PreferEmailToUser       bool
+	skipAuthRegex           []string
+	skipAuthPreflight       bool
+	skipAuthStripHeaders    bool
+	mainJwtBearerVerifier   *oidc.IDTokenVerifier
+	extraJwtBearerVerifiers []*oidc.IDTokenVerifier
+	compiledRegex           []*regexp.Regexp
+	templates               *template.Template
+	realClientIPParser      ipapi.RealClientIPParser

 	sessionChain alice.Chain

@ -285,19 +287,13 @@ func (p *OAuthProxy) UserInfo(rw http.ResponseWriter, req *http.Request) {

 // SignOut sends a response to clear the authentication cookie
 func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) {
-	redirect, err := p.GetRedirect(req)
-	if err != nil {
-		p.logger.Errorf("Error obtaining redirect: %v", err)
-		p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
-		return
-	}
-	err = p.ClearSessionCookie(rw, req)
+	err := p.ClearSessionCookie(rw, req)
 	if err != nil {
 		p.logger.Errorf("Error clearing session cookie: %v", err)
 		p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
 		return
 	}
-	http.Redirect(rw, req, redirect, http.StatusFound)
+	http.Redirect(rw, req, p.endSessionEndpoint, http.StatusFound)
 }

 // AuthenticateOnly checks whether the user is currently logged in
--- a/tests/e2e/test_provider_proxy.py
+++ b/tests/e2e/test_provider_proxy.py
@ -119,6 +119,13 @@ class TestProviderProxy(SeleniumTestCase):
        self.assertIn("X-Forwarded-Preferred-Username: akadmin", full_body_text)
        self.assertIn("X-Foo: bar", full_body_text)

+        self.driver.get("http://localhost:4180/akprox/sign_out")
+        sleep(2)
+        full_body_text = self.driver.find_element(
+            By.CSS_SELECTOR, ".pf-c-title.pf-m-3xl"
+        ).text
+        self.assertIn("You've logged out of proxy.", full_body_text)
+

@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestProviderProxyConnect(ChannelsLiveServerTestCase):