add allow_rp_initiated_logout config

Author: mcalinghee

crates/cli/src/sync.rs

@@ -292,6 +292,7 @@ pub async fn config_sync(
                         fetch_userinfo: provider.fetch_userinfo,
                         userinfo_signed_response_alg: provider.userinfo_signed_response_alg,
                         response_mode,
+                        allow_rp_initiated_logout: provider.allow_rp_initiated_logout,
                         additional_authorization_parameters: provider
                             .additional_authorization_parameters
                             .into_iter()

crates/config/src/sections/upstream_oauth2.rs

@@ -535,6 +535,12 @@ pub struct Provider {
     #[serde(default, skip_serializing_if = "ClaimsImports::is_default")]
     pub claims_imports: ClaimsImports,
 
+    /// Whether to allow RP-initiated logout
+    ///
+    /// Defaults to `false`.
+    #[serde(default)]
+    pub allow_rp_initiated_logout: bool,
+
     /// Additional parameters to include in the authorization request
     ///
     /// Orders of the keys are not preserved.

crates/data-model/src/upstream_oauth2/provider.rs

@@ -240,6 +240,7 @@ pub struct UpstreamOAuthProvider {
     pub created_at: DateTime<Utc>,
     pub disabled_at: Option<DateTime<Utc>>,
     pub claims_imports: ClaimsImports,
+    pub allow_rp_initiated_logout: bool,
     pub additional_authorization_parameters: Vec<(String, String)>,
 }
 

crates/handlers/src/admin/v1/upstream_oauth_links/mod.rs

@@ -42,6 +42,7 @@ mod test_utils {
             token_endpoint_override: None,
             userinfo_endpoint_override: None,
             jwks_uri_override: None,
+            allow_rp_initiated_logout: false,
             additional_authorization_parameters: Vec::new(),
             ui_order: 0,
         }

crates/handlers/src/upstream_oauth2/cache.rs

@@ -422,6 +422,7 @@ mod tests {
             created_at: clock.now(),
             disabled_at: None,
             claims_imports: UpstreamOAuthProviderClaimsImports::default(),
+            allow_rp_initiated_logout: false,
             additional_authorization_parameters: Vec::new(),
         };
 

crates/handlers/src/upstream_oauth2/cookie.rs

@@ -67,9 +67,7 @@ impl UpstreamSessions {
     }
     /// Returns the session IDs in the cookie
     pub fn session_ids(&self) -> Vec<Ulid> {
-        self.0.iter()
-        .map(|p| p.session)
-        .collect()
+        self.0.iter().map(|p| p.session).collect()
     }
 
     /// Save the upstreams sessions to the cookie jar

crates/handlers/src/upstream_oauth2/link.rs

@@ -948,6 +948,7 @@ mod tests {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_rp_initiated_logout: false,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 0,
                 },

crates/handlers/src/upstream_oauth2/logout.rs

@@ -5,16 +5,14 @@
 
 use mas_axum_utils::cookies::CookieJar;
 use mas_router::UrlBuilder;
-use mas_storage::{
-    upstream_oauth2::UpstreamOAuthProviderRepository, RepositoryAccess
-};
+use mas_storage::{RepositoryAccess, upstream_oauth2::UpstreamOAuthProviderRepository};
 use serde::{Deserialize, Serialize};
-use tracing::{info, error};
-use url::Url;
-use crate::impl_from_error_for_route;
 use thiserror::Error;
+use tracing::{error, warn};
+use url::Url;
 
 use super::UpstreamSessionsCookie;
+use crate::impl_from_error_for_route;
 
 #[derive(Serialize, Deserialize)]
 struct LogoutToken {
@@ -26,7 +24,6 @@ struct LogoutToken {
 pub struct UpstreamLogoutInfo {
     /// Collection of logout endpoints that the user needs to be redirected to
     pub logout_endpoints: String,
-    
     /// Optional post-logout redirect URI to come back to our app
     pub post_logout_redirect_uri: Option<String>,
 }
@@ -60,87 +57,92 @@ impl From<reqwest::Error> for RouteError {
 ///
 /// * `repo`: The repository to use
 /// * `url_builder`: URL builder for constructing redirect URIs
-/// * `session`: The browser session to log out
-/// * `grant_id`: Optional grant ID to use for generating id_token_hint
-/// 
+/// * `cookie_jar`: Cookie from user's browser session
+///
 /// # Returns
 ///
 /// Information about upstream logout endpoints the user should be redirected to
 ///
 /// # Errors
 ///
-/// Returns a RouteError if there's an issue accessing the repository
+/// Returns a `RouteError` if there's an issue accessing the repository
 pub async fn get_rp_initiated_logout_endpoints<E>(
     url_builder: &UrlBuilder,
     repo: &mut impl RepositoryAccess<Error = E>,
     cookie_jar: &CookieJar,
-) -> Result<UpstreamLogoutInfo, RouteError> where RouteError: std::convert::From<E>
+) -> Result<UpstreamLogoutInfo, RouteError>
+where
+    RouteError: std::convert::From<E>,
 {
     let mut result: UpstreamLogoutInfo = UpstreamLogoutInfo::default();
-    
     // Set the post-logout redirect URI to our app's logout completion page
     let post_logout_redirect_uri = url_builder
         .absolute_url_for(&mas_router::Login::default())
         .to_string();
     result.post_logout_redirect_uri = Some(post_logout_redirect_uri.clone());
 
-    let sessions_cookie = UpstreamSessionsCookie::load(&cookie_jar);
-    
+    let sessions_cookie = UpstreamSessionsCookie::load(cookie_jar);
     // Standard location for OIDC end session endpoint
     let session_ids = sessions_cookie.session_ids();
     if session_ids.is_empty() {
         return Ok(result);
-    }   
-    // We only support the first upstrea session at a time for now
-    let upstream_session_id = session_ids[0];
-    let upstream_session = repo
-        .upstream_oauth_session()
-        .lookup(upstream_session_id)
-        .await?
-        .ok_or(RouteError::SessionNotFound)?;
+    }
+    // We only support the first upstream session
+    let mut provider = None;
+    let mut upstream_session = None;
+    for session_id in session_ids {
+        // Get the session and assign its value, wrapped in Some
+        let session = repo
+            .upstream_oauth_session()
+            .lookup(session_id)
+            .await?
+            .ok_or(RouteError::SessionNotFound)?;
+        // Get the provider and assign its value, wrapped in Some
+        let prov = repo
+            .upstream_oauth_provider()
+            .lookup(session.provider_id)
+            .await?
+            .ok_or(RouteError::ProviderNotFound)?;
 
-    let provider = repo.upstream_oauth_provider()
-        .lookup(upstream_session.provider_id)
-        .await?
-        .ok_or(RouteError::ProviderNotFound)?;
+        if prov.allow_rp_initiated_logout {
+            upstream_session = Some(session);
+            provider = Some(prov);
+            break;
+        }
+    }
 
-    // Look for end session endpoint
-    // In a real implementation, we'd have end_session_endpoint fields in the provider
-    // For now, we'll try to construct one from the issuer if available
-    if let Some(issuer) = &provider.issuer {
-        let end_session_endpoint = format!("{}/protocol/openid-connect/logout", issuer);
-        let mut logout_url = end_session_endpoint;
-        
-        // Add post_logout_redirect_uri
-        if let Some(post_uri) = &result.post_logout_redirect_uri {
-            if let Ok(mut url) = Url::parse(&logout_url) {
-                url.query_pairs_mut()
-                    .append_pair("post_logout_redirect_uri", post_uri);
-                url.query_pairs_mut()
-                    .append_pair("client_id", &provider.client_id);
-            
-                // Add id_token_hint if available
-                if upstream_session.id_token().is_some(){
+    // Check if we found a provider with allow_rp_initiated_logout
+    if let Some(provider) = provider {
+        // Look for end session endpoint
+        // In a real implementation, we'd have end_session_endpoint fields in the
+        // provider For now, we'll try to construct one from the issuer if
+        // available
+        if let Some(issuer) = &provider.issuer {
+            let end_session_endpoint = format!("{issuer}/protocol/openid-connect/logout");
+            let mut logout_url = end_session_endpoint;
+            // Add post_logout_redirect_uri
+            if let Some(post_uri) = &result.post_logout_redirect_uri {
+                if let Ok(mut url) = Url::parse(&logout_url) {
+                    url.query_pairs_mut()
+                        .append_pair("post_logout_redirect_uri", post_uri);
                     url.query_pairs_mut()
-                        .append_pair("id_token_hint", upstream_session.id_token().unwrap());
+                        .append_pair("client_id", &provider.client_id);
+                    // Add id_token_hint if available
+                    if let Some(session) = &upstream_session {
+                        if let Some(id_token) = session.id_token() {
+                            url.query_pairs_mut().append_pair("id_token_hint", id_token);
+                        }
+                    }
+                    logout_url = url.to_string();
                 }
-                logout_url = url.to_string();
             }
+            result.logout_endpoints.clone_from(&logout_url);
+        } else {
+            warn!(
+                upstream_oauth_provider.id = %provider.id,
+                "Provider has no issuer defined, cannot construct RP-initiated logout URL"
+            );
         }
-        
-        info!(
-            upstream_oauth_provider.id = %provider.id,
-            logout_url = %logout_url,
-            "Adding RP-initiated logout URL based on issuer"
-        );
-        
-        result.logout_endpoints = logout_url.clone();
-    } else {
-        info!(
-            upstream_oauth_provider.id = %provider.id,
-            "Provider has no issuer defined, cannot construct RP-initiated logout URL"
-        );
     }
-    
     Ok(result)
 }

crates/handlers/src/upstream_oauth2/mod.rs

@@ -18,9 +18,9 @@ use url::Url;
 pub(crate) mod authorize;
 pub(crate) mod cache;
 pub(crate) mod callback;
-pub(crate) mod logout;
 mod cookie;
 pub(crate) mod link;
+pub(crate) mod logout;
 mod template;
 
 use self::cookie::UpstreamSessions as UpstreamSessionsCookie;

crates/handlers/src/views/login.rs

@@ -452,6 +452,7 @@ mod test {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_rp_initiated_logout: false,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 0,
                 },
@@ -493,6 +494,7 @@ mod test {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_rp_initiated_logout: false,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 1,
                 },

crates/handlers/src/views/logout.rs

@@ -15,11 +15,10 @@ use mas_axum_utils::{
 };
 use mas_router::{PostAuthAction, UrlBuilder};
 use mas_storage::{BoxClock, BoxRepository, user::BrowserSessionRepository};
+use tracing::warn;
 
 use crate::{BoundActivityTracker, upstream_oauth2::logout::get_rp_initiated_logout_endpoints};
 
-use tracing::warn;
-
 #[tracing::instrument(name = "handlers.views.logout.post", skip_all, err)]
 pub(crate) async fn post(
     clock: BoxClock,
@@ -42,24 +41,21 @@ pub(crate) async fn post(
                     .record_browser_session(&clock, &session)
                     .await;
 
-                // First, get RP-initiated logout endpoints before actually finishing the session
-                match get_rp_initiated_logout_endpoints(
-                    &url_builder,
-                    &mut repo,
-                    &cookie_jar,
-                ).await {
+                // First, get RP-initiated logout endpoints before actually finishing the
+                // session
+                match get_rp_initiated_logout_endpoints(&url_builder, &mut repo, &cookie_jar).await
+                {
                     Ok(logout_info) => {
                         // If we have any RP-initiated logout endpoints, use the first one
                         if !logout_info.logout_endpoints.is_empty() {
                             upstream_logout_url = Some(logout_info.logout_endpoints.clone());
                         }
-                    },
+                    }
                     Err(e) => {
                         warn!("Failed to get RP-initiated logout endpoints: {}", e);
                         // Continue with logout even if endpoint retrieval fails
                     }
                 }
-                
                 // Now finish the session
                 repo.browser_session().finish(&clock, session).await?;
             }