OIDC_REMOVE_FROM_GROUPS=false
OIDC_EXTERNAL_ID_CLAIM=sub
+# OIDC Logout Feature: Its value should be value of end_session_endpoint from <issuer>/.well-known/openid-configuration
+OIDC_END_SESSION_ENDPOINT=null
+
+
# Disable default third-party services such as Gravatar and Draw.IO
# Service-specific options will override this option
DISABLE_EXTERNAL_SERVICES=false
return redirect()->intended();
}
+
+ /**
+ * OIDC Logout Feature: Start the authorization logout flow via OIDC.
+ */
+ public function logout()
+ {
+ try {
+ return $this->oidcService->logout();
+ } catch (OidcException $exception) {
+ $this->showErrorNotification($exception->getMessage());
+ return redirect('/logout');
+ }
+ }
+
}
$settings->keys,
);
+ // OIDC Logout Feature: Temporarily save token in session
+ $access_token_for_logout = $idTokenText;
+ session()->put("oidctoken", $access_token_for_logout);
+
+
+
$returnClaims = Theme::dispatch(ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE, $idToken->getAllClaims(), [
'access_token' => $accessToken->getToken(),
'expires_in' => $accessToken->getExpires(),
{
return $this->config()['user_to_groups'] !== false;
}
+
+
+ /**
+ * OIDC Logout Feature: Initiate a logout flow.
+ *
+ * @throws OidcException
+ *
+ * @return string
+ */
+ public function logout() {
+
+ $config = $this->config();
+ $app_url = env('APP_URL', '');
+ $end_session_endpoint = $config["end_session_endpoint"];
+
+ $oidctoken = session()->get("oidctoken");
+ session()->invalidate();
+
+ if (str_contains($app_url, 'https://')) {
+ $protocol = 'https://';
+ } else {
+ $protocol = 'http://';
+ }
+
+
+
+ return redirect($end_session_endpoint.'?id_token_hint='.$oidctoken."&post_logout_redirect_uri=".$protocol.$_SERVER['HTTP_HOST']."/");
+
+
+ }
+
+
+
}
'groups_claim' => env('OIDC_GROUPS_CLAIM', 'groups'),
// When syncing groups, remove any groups that no longer match. Otherwise sync only adds new groups.
'remove_from_groups' => env('OIDC_REMOVE_FROM_GROUPS', false),
+
+ // OIDC Logout Feature: OAuth2 end_session_endpoint
+ 'end_session_endpoint' => env('OIDC_END_SESSION_ENDPOINT', null),
+
];
+
</li>
<li><hr></li>
<li>
- <form action="{{ url(config('auth.method') === 'saml2' ? '/saml2/logout' : '/logout') }}"
- method="post">
- {{ csrf_field() }}
- <button class="icon-item" data-shortcut="logout">
- @icon('logout')
- <div>{{ trans('auth.logout') }}</div>
- </button>
- </form>
+ <?php
+// OIDC Logout Feature: Use /oidc/logout if authentication method is oidc.
+ if (config('auth.method') === 'oidc') {
+ ?>
+ <form action="/oidc/logout"
+ method="get">
+ <?php
+// OIDC Logout Feature: Use /oidc/logout if authentication method is oidc.
+ } else {
+ ?>
+ <form action="{{ url(config('auth.method') === 'saml2' ? '/saml2/logout' : '/logout') }}"
+ method="post">
+ <?php
+// OIDC Logout Feature: Use /oidc/logout if authentication method is oidc.
+ }
+ ?>
+ {{ csrf_field() }}
+ <button class="icon-item" data-shortcut="logout">
+ @icon('logout')
+ <div>{{ trans('auth.logout') }}</div>
+ </button>
+ </form>
</li>
</ul>
</div>
\ No newline at end of file
// OIDC routes
Route::post('/oidc/login', [AccessControllers\OidcController::class, 'login']);
Route::get('/oidc/callback', [AccessControllers\OidcController::class, 'callback']);
+// OIDC Logout Feature: Added to cater OIDC logout
+Route::get('/oidc/logout', [AccessControllers\OidcController::class, 'logout']);
// User invitation routes
Route::get('/register/invite/{token}', [AccessControllers\UserInviteController::class, 'showSetPassword']);
projects / bookstack / commitdiff