Provide backchannel SSO logout endpoint #33

kontron · Sep 11, 2024 · f7748e0 · f7748e0
1 parent 840477d
commit f7748e0
Show file tree

Hide file tree

Showing 7 changed files with 100 additions and 4 deletions.
diff --git a/app/views/settings/_oauth_settings.html.erb b/app/views/settings/_oauth_settings.html.erb
@@ -127,8 +127,18 @@
       <label><%= l(:oauth_update_login) %></label>
       <%= check_box_tag 'settings[update_login]', true, @settings[:update_login] %>
       <em class="info">
-        <%= l(:oauth_update_login_info)%>
-        <%= l(:label_default)%>: <%= l(:general_text_No) %>
+        <%= l(:oauth_update_login_info) %>
+        <br>
+        <%= l(:label_default) %>: <%= l(:general_text_No) %>
+      </em>
+    </p>
+    <p>
+      <label><%= l(:oauth_logout) %></label>
+      <%= check_box_tag 'settings[oauth_logout]', true, @settings[:oauth_logout] %>
+      <em class="info">
+        <%= l(:oauth_logout_info) %>
+        <br>
+        <%= l(:label_default) %>: <%= l(:general_text_No) %>
       </em>
     </p>
     <% style = %w(Custom).exclude?(@settings[:oauth_name]) ? 'display: none' : 'display: block' %>
@@ -154,6 +164,11 @@
         <%= text_field_tag 'settings[custom_profile_endpoint]', @settings[:custom_profile_endpoint], size: 80 %>
         <em class="info"><%= l(:oauth_custom_profile_endpoint_info) %></em>
       </p>
+      <p>
+        <label><%= l(:oauth_custom_logout_endpoint) %></label>
+        <%= text_field_tag 'settings[custom_logout_endpoint]', @settings[:custom_logout_endpoint], size: 80 %>
+        <em class="info"><%= l(:oauth_custom_logout_endpoint_info) %></em>
+      </p>
       <p>
         <label><%= l(:oauth_custom_scope) %></label>
         <%= text_field_tag 'settings[custom_scope]', @settings[:custom_scope], size: 40 %>

diff --git a/config/locales/cs.yml b/config/locales/cs.yml
@@ -55,3 +55,7 @@ cs:
   oauth_custom_lastname_field: Pole příjmení u poskytovatele
   oauth_update_login: Aktualizovat login
   oauth_update_login_info: Aktualizovat login uživatele po úspěšném přihlášení.
+  oauth_logout: OAuth odhlášení
+  oauth_logout_info: Odhlásit se také od poskytovatele OAuth po dohlášení z Redminu
+  oauth_custom_logout_endpoint: Endpoint odhlášení
+  oauth_custom_logout_endpoint_info: Endpoint pro odhlášení od poskytovatele
diff --git a/config/locales/de.yml b/config/locales/de.yml
@@ -55,3 +55,7 @@ de:
   oauth_custom_lastname_field: Nachname-Feld des Anbieters
   oauth_update_login: Login aktualizieren
   oauth_update_login_info: Aktualizieren Login des Benutzers nach einer erfolgreichen Anmeldung.
+  oauth_logout: OAuth-Abmeldung
+  oauth_logout_info: Abmelden auch vom OAuth-Anbieter nach der Redmine-Abmeldung
+  oauth_custom_logout_endpoint: Abmeldung-Endpoint
+  oauth_custom_logout_endpoint_info: Abmeldung-Endpoint für Abmeldung vom OAuth-Anbieter
diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -54,4 +54,8 @@ en:
   oauth_custom_firstname_field: Provider's firstname field
   oauth_custom_lastname_field: Provider's lastname field
   oauth_update_login: Update login
-  oauth_update_login_info: Update the user's login after a successful login.
+  oauth_update_login_info: Update the user's login after a successful login
+  oauth_logout: OAuth logout
+  oauth_logout_info: Log out from the OAuth provider too after Redmine log out
+  oauth_custom_logout_endpoint: Logout endpoint
+  oauth_custom_logout_endpoint_info: Application Logout endpoint
diff --git a/config/locales/fr.yml b/config/locales/fr.yml
@@ -55,3 +55,7 @@ fr:
   oauth_custom_lastname_field: Provider's lastname field
   oauth_update_login: Update login
   oauth_update_login_info: Update the user's login after a successful login.
+  oauth_logout: OAuth logout
+  oauth_logout_info: Log out from the OAuth provider too after Redmine log out
+  oauth_custom_logout_endpoint: Logout endpoint
+  oauth_custom_logout_endpoint_info: Application Logout endpoint
diff --git a/init.rb b/init.rb
@@ -22,6 +22,7 @@
 require File.expand_path('lib/redmine_oauth/hooks/views/base_view_hooks', __dir__)
 require File.expand_path('lib/redmine_oauth/hooks/views/login_view_hooks', __dir__)
 require File.expand_path('lib/redmine_oauth/patches/settings_controller_patch', __dir__)
+require File.expand_path('lib/redmine_oauth/patches/account_controller_patch', __dir__)
 
 Redmine::Plugin.register :redmine_oauth do
   name 'Redmine OAuth plugin'
@@ -52,6 +53,8 @@
     self_registration: '0',
     custom_firstname_field: 'given_name',
     custom_lastname_field: 'family_name',
-    update_login: nil
+    update_login: nil,
+    oauth_logout: nil,
+    custom_logout_endpoint: ''
   }, partial: 'settings/oauth_settings'
 end
diff --git a/lib/redmine_oauth/patches/account_controller_patch.rb b/lib/redmine_oauth/patches/account_controller_patch.rb
@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+# Redmine plugin OAuth
+#
+# Karel Pičman <[email protected]>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+module RedmineOauth
+  module Patches
+    # AccountController patch
+    module AccountControllerPatch
+      ################################################################################################################
+      # Overridden methods
+      #
+      def logout
+        return super if User.current.anonymous? || !request.post? || Setting.plugin_redmine_oauth[:oauth_logout].blank?
+
+        site = Setting.plugin_redmine_oauth[:client_id]
+        id = Setting.plugin_redmine_oauth[:client_id]
+        url = signin_url
+        case Setting.plugin_redmine_oauth[:oauth_name]
+        when 'Azure AD'
+          logout_user
+          redirect_to "#{site}/#{id}/oauth2/logout?post_logout_redirect_uri=#{url}"
+        when 'Custom'
+          logout_user
+          redirect_to Setting.plugin_redmine_oauth[:custom_logout_endpoint]
+        when 'GitLab', 'Google'
+          Rails.logger.info "#{Setting.plugin_redmine_oauth[:oauth_name]} logout not implement"
+          super
+        when 'Keycloak'
+          logout_user
+          redirect_to "#{site}/realms/#{id}/protocol/openid-connect/logout?redirect_uri=#{url}"
+        when 'Okta'
+          logout_user
+          redirect_to "#{site}/oauth2/v1/logout?id_token_hint=#{id}&post_logout_redirect_uri=#{url}"
+        else
+          super
+        end
+      rescue StandardError => e
+        Rails.logger.error e.message
+        flash['error'] = e.message
+        redirect_to signin_path
+      end
+    end
+  end
+end
+
+AccountController.prepend RedmineOauth::Patches::AccountControllerPatch