add end_session_endpoint config

Author: mcalinghee

crates/cli/src/sync.rs

@@ -293,6 +293,7 @@ pub async fn config_sync(
                         userinfo_signed_response_alg: provider.userinfo_signed_response_alg,
                         response_mode,
                         allow_rp_initiated_logout: provider.allow_rp_initiated_logout,
+                        end_session_endpoint_override: provider.end_session_endpoint,
                         additional_authorization_parameters: provider
                             .additional_authorization_parameters
                             .into_iter()

crates/config/src/sections/upstream_oauth2.rs

@@ -542,6 +542,12 @@ pub struct Provider {
     #[serde(default)]
     pub allow_rp_initiated_logout: bool,
 
+    /// The URL to use when ending a session onto the upstream provider
+    ///
+    /// Defaults to the `end_session_endpoint` provided through discovery
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub end_session_endpoint: Option<Url>,
+
     /// Additional parameters to include in the authorization request
     ///
     /// Orders of the keys are not preserved.

crates/data-model/src/upstream_oauth2/provider.rs

@@ -241,6 +241,7 @@ pub struct UpstreamOAuthProvider {
     pub disabled_at: Option<DateTime<Utc>>,
     pub claims_imports: ClaimsImports,
     pub allow_rp_initiated_logout: bool,
+    pub end_session_endpoint_override: Option<Url>,
     pub additional_authorization_parameters: Vec<(String, String)>,
 }
 

crates/handlers/src/admin/v1/upstream_oauth_links/mod.rs

@@ -47,6 +47,7 @@ mod test_utils {
             userinfo_endpoint_override: None,
             jwks_uri_override: None,
             allow_rp_initiated_logout: false,
+            end_session_endpoint_override: None,
             additional_authorization_parameters: Vec::new(),
             ui_order: 0,
         }

crates/handlers/src/upstream_oauth2/cache.rs

@@ -121,6 +121,18 @@ impl<'a> LazyProviderInfos<'a> {
         Ok(self.load().await?.userinfo_endpoint())
     }
 
+    /// Get the end session endpoint for the provider.
+    ///
+    /// Uses [`UpstreamOAuthProvider.end_session_endpoint_override`] if set,
+    /// otherwise uses the one from discovery.
+    pub async fn end_session_endpoint(&mut self) -> Result<&Url, DiscoveryError> {
+        if let Some(end_session_endpoint) = &self.provider.end_session_endpoint_override {
+            return Ok(end_session_endpoint);
+        }
+
+        Ok(self.load().await?.end_session_endpoint())
+    }
+
     /// Get the PKCE methods supported by the provider.
     ///
     /// If the mode is set to auto, it will use the ones from discovery,
@@ -423,6 +435,7 @@ mod tests {
             disabled_at: None,
             claims_imports: UpstreamOAuthProviderClaimsImports::default(),
             allow_rp_initiated_logout: false,
+            end_session_endpoint_override: None,
             additional_authorization_parameters: Vec::new(),
         };
 

crates/handlers/src/upstream_oauth2/link.rs

@@ -976,6 +976,7 @@ mod tests {
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
                     allow_rp_initiated_logout: false,
+                    end_session_endpoint_override: None,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 0,
                 },

crates/handlers/src/upstream_oauth2/logout.rs

@@ -9,9 +9,9 @@ use mas_storage::{RepositoryAccess, upstream_oauth2::UpstreamOAuthProviderReposi
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 use tracing::error;
-use url::Url;
 
-use crate::impl_from_error_for_route;
+use super::cache::LazyProviderInfos;
+use crate::{MetadataCache, impl_from_error_for_route};
 
 #[derive(Serialize, Deserialize)]
 struct LogoutToken {
@@ -40,6 +40,7 @@ pub enum RouteError {
 }
 
 impl_from_error_for_route!(mas_storage::RepositoryError);
+impl_from_error_for_route!(mas_oidc_client::error::DiscoveryError);
 
 impl From<reqwest::Error> for RouteError {
     fn from(err: reqwest::Error) -> Self {
@@ -67,14 +68,15 @@ impl From<reqwest::Error> for RouteError {
 /// Returns a `RouteError` if there's an issue accessing the repository
 pub async fn get_rp_initiated_logout_endpoints<E>(
     url_builder: &UrlBuilder,
+    metadata_cache: &MetadataCache,
+    client: &reqwest::Client,
     repo: &mut impl RepositoryAccess<Error = E>,
     browser_session: &BrowserSession,
 ) -> Result<UpstreamLogoutInfo, RouteError>
 where
     RouteError: std::convert::From<E>,
 {
     let mut result: UpstreamLogoutInfo = UpstreamLogoutInfo::default();
-    // Set the post-logout redirect URI to our app's logout completion page
     let post_logout_redirect_uri = url_builder
         .absolute_url_for(&mas_router::Login::default())
         .to_string();
@@ -93,42 +95,39 @@ where
         })?
         .ok_or(RouteError::SessionNotFound)?;
 
-    // Get the session and assign its value, wrapped in Some
     let upstream_session = repo
         .upstream_oauth_session()
         .lookup(upstream_oauth2_session_id)
         .await?
         .ok_or(RouteError::SessionNotFound)?;
-    // Get the provider and assign its value, wrapped in Some
+
     let provider = repo
         .upstream_oauth_provider()
         .lookup(upstream_session.provider_id)
         .await?
         .filter(|provider| provider.allow_rp_initiated_logout)
         .ok_or(RouteError::ProviderNotFound)?;
 
-    // Look for end session endpoint
-    // In a real implementation, we'd have end_session_endpoint fields in the
-    // provider For now, we'll try to construct one from the issuer if
-    // available
-    if let Some(issuer) = &provider.issuer {
-        let end_session_endpoint = format!("{issuer}/protocol/openid-connect/logout");
-        let mut logout_url = end_session_endpoint;
-        // Add post_logout_redirect_uri
-        if let Some(post_uri) = &result.post_logout_redirect_uri {
-            if let Ok(mut url) = Url::parse(&logout_url) {
-                url.query_pairs_mut()
-                    .append_pair("post_logout_redirect_uri", post_uri);
-                url.query_pairs_mut()
-                    .append_pair("client_id", &provider.client_id);
-                // Add id_token_hint if available
-                if let Some(id_token) = upstream_session.id_token() {
-                    url.query_pairs_mut().append_pair("id_token_hint", id_token);
-                }
-                logout_url = url.to_string();
-            }
+    // Add post_logout_redirect_uri
+    if let Some(post_uri) = &result.post_logout_redirect_uri {
+        let mut lazy_metadata = LazyProviderInfos::new(metadata_cache, &provider, client);
+        let mut end_session_url = lazy_metadata.end_session_endpoint().await?.clone();
+        end_session_url
+            .query_pairs_mut()
+            .append_pair("post_logout_redirect_uri", post_uri);
+        end_session_url
+            .query_pairs_mut()
+            .append_pair("client_id", &provider.client_id);
+        // Add id_token_hint if available
+        if let Some(id_token) = upstream_session.id_token() {
+            end_session_url
+                .query_pairs_mut()
+                .append_pair("id_token_hint", id_token);
         }
-        result.logout_endpoints.clone_from(&logout_url);
+        result
+            .logout_endpoints
+            .clone_from(&end_session_url.to_string());
     }
+
     Ok(result)
 }

crates/handlers/src/views/login.rs

@@ -495,6 +495,7 @@ mod test {
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
                     allow_rp_initiated_logout: false,
+                    end_session_endpoint_override: None,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 0,
                 },
@@ -537,6 +538,7 @@ mod test {
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
                     allow_rp_initiated_logout: false,
+                    end_session_endpoint_override: None,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 1,
                 },

crates/handlers/src/views/logout.rs

@@ -17,14 +17,18 @@ use mas_router::{PostAuthAction, UrlBuilder};
 use mas_storage::{BoxClock, BoxRepository, user::BrowserSessionRepository};
 use tracing::warn;
 
-use crate::{BoundActivityTracker, upstream_oauth2::logout::get_rp_initiated_logout_endpoints};
+use crate::{
+    BoundActivityTracker, MetadataCache, upstream_oauth2::logout::get_rp_initiated_logout_endpoints,
+};
 
 #[tracing::instrument(name = "handlers.views.logout.post", skip_all, err)]
 pub(crate) async fn post(
     clock: BoxClock,
     mut repo: BoxRepository,
     cookie_jar: CookieJar,
     State(url_builder): State<UrlBuilder>,
+    State(metadata_cache): State<MetadataCache>,
+    State(client): State<reqwest::Client>,
     activity_tracker: BoundActivityTracker,
     Form(form): Form<ProtectedForm<Option<PostAuthAction>>>,
 ) -> Result<impl IntoResponse, FancyError> {
@@ -43,9 +47,15 @@ pub(crate) async fn post(
 
                 // First, get RP-initiated logout endpoints before actually finishing the
                 // session
-                // match get_rp_initiated_logout_endpoints(&url_builder, &mut repo,
-                // &cookie_jar).await
-                match get_rp_initiated_logout_endpoints(&url_builder, &mut repo, &session).await {
+                match get_rp_initiated_logout_endpoints(
+                    &url_builder,
+                    &metadata_cache,
+                    &client,
+                    &mut repo,
+                    &session,
+                )
+                .await
+                {
                     Ok(logout_info) => {
                         // If we have any RP-initiated logout endpoints, use the first one
                         if !logout_info.logout_endpoints.is_empty() {

crates/oauth2-types/src/oidc.rs

@@ -968,6 +968,15 @@ impl VerifiedProviderMetadata {
         }
     }
 
+    /// URL of the authorization server's end session endpoint.
+    #[must_use]
+    pub fn end_session_endpoint(&self) -> &Url {
+        match &self.end_session_endpoint {
+            Some(u) => u,
+            None => unreachable!(),
+        }
+    }
+
     /// URL of the authorization server's JWK Set document.
     #[must_use]
     pub fn jwks_uri(&self) -> &Url {