From 0ba41e312a2cc6daec319d3f643add503e6468cf Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen
Date: Fri, 21 Apr 2023 16:23:12 +0200
Subject: [PATCH] feat(handler): local logout returns 204 instead of redirect

Redirecting after local logout introduces the possibility of matching a path that automatically performs login, which for a local logout means the user is automatically logged in again due to having an SSO session - which nullifies the whole logout operation. Applications that want local logout must trigger and handle the response just like any other API call.
---
 pkg/handler/handler.go | 8 +++-----
 pkg/handler/handler_test.go | 3 +--
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/pkg/handler/handler.go b/pkg/handler/handler.go
index 9d12d3d..09024fa 100644
--- a/pkg/handler/handler.go
+++ b/pkg/handler/handler.go
@@ -247,7 +247,7 @@ func (s *Standalone) logout(w http.ResponseWriter, r *http.Request, globalLogout
 return
 }
- logger.Info("logout: successful local logout")
+ logger.Debug("logout: session deleted")
 }
 cookie.Clear(w, cookie.Session, s.GetCookieOptions(r))
@@ -257,11 +257,9 @@ func (s *Standalone) logout(w http.ResponseWriter, r *http.Request, globalLogout
 metrics.ObserveLogout(metrics.LogoutOperationSelfInitiated)
 http.Redirect(w, r, logout.SingleLogoutURL(idToken), http.StatusTemporaryRedirect)
 } else {
- redirect := s.Client.LogoutCallback(r).PostLogoutRedirectURI()
-
- logger.Debugf("logout: redirecting to %s", redirect)
+ logger.Info("logout: successful local logout")
 metrics.ObserveLogout(metrics.LogoutOperationLocal)
- http.Redirect(w, r, redirect, http.StatusTemporaryRedirect)
+ w.WriteHeader(http.StatusNoContent)
 }
 }
diff --git a/pkg/handler/handler_test.go b/pkg/handler/handler_test.go
index 9df4c17..edfc5f1 100644
--- a/pkg/handler/handler_test.go
+++ b/pkg/handler/handler_test.go
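Review bot: The new `w.WriteHeader(http.StatusNoContent)` in the local-logout branch emits a status that is heuristically cacheable by default, unlike the 307 redirect it replaces, and the route is fetched with a plain GET in the accompanying test; a cached 204 could let a later logout request complete on the client without the server-side session deletion ever running. Consider adding `w.Header().Set("Cache-Control", "no-store")` before the status is written, placed ahead of both branches since the header must precede WriteHeader and Redirect alike. Whether a cache or intermediary actually sits in front of this handler is not visible from the hunk, so this is defence in depth rather than a confirmed fault. The logout method starts before this hunk.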
@@ -537,8 +537,7 @@ func localLogout(t *testing.T, rpClient *http.Client, idp *mock.IdentityProvider
 assert.NoError(t, err)
 resp := get(t, rpClient, logoutURL.String())
- assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
- assert.Equal(t, idp.Cfg.OpenID.PostLogoutRedirectURI, resp.Location.String())
+ assert.Equal(t, http.StatusNoContent, resp.StatusCode)
 cookies := rpClient.Jar.Cookies(logoutURL)
 sessionCookie := getCookieFromJar(cookie.Session, cookies)
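Review bot: The replacement assertion pins only the status code, while the behaviour this commit introduces is that the client is no longer redirected at all; the test should also check that no Location is returned, for example `assert.Nil(t, resp.Location)` if the helper's response type leaves that field nil when the header is absent (the removed line called `String()` on it, so adjust to whatever type `get` actually returns). The session-cookie checks in the following context lines already cover the server-side effect. localLogout starts before this hunk and continues after it.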