From 7de0b09497f673711a0ba6c8923f2482a4343b0d Mon Sep 17 00:00:00 2001 From: Shawn Kim Date: Wed, 21 Dec 2022 18:00:00 -0800 Subject: [PATCH] OIDC logout endpoint support --- README.md | 4 ++-- configure.sh | 4 ++-- openid_connect.js | 24 ++++++++++++++++++++---- openid_connect.server_conf | 19 ++++++++++++++++--- openid_connect_configuration.conf | 20 ++++++++++++++++---- 5 files changed, 56 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 2b3b006..fc11044 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ If a [refresh token](https://openid.net/specs/openid-connect-core-1_0.html#Refre ### Logout -Requests made to the `/logout` location invalidate both the ID token and refresh token by erasing them from the key-value store. Therefore, subsequent requests to protected resources will be treated as a first-time request and send the client to the IdP for authentication. Note that the IdP may issue cookies such that an authenticated session still exists at the IdP. +Requests made to the `/logout` location invalidate both the ID token and refresh token by erasing them from the key-value store. Therefore, subsequent requests to protected resources will be treated as a first-time request and send the client to the IdP for authentication. By interacting with `$oidc_logout_endpoint` which is the end session endpoint of IdP, the authenticated session is ended at the IdP. ### Multiple IdPs @@ -105,7 +105,7 @@ Manual configuration involves reviewing the following files so that they match y * **openid_connect_configuration.conf** - this contains the primary configuration for one or more IdPs in `map{}` blocks * Modify all of the `map…$oidc_` blocks to match your IdP configuration - * Modify the URI defined in `map…$oidc_logout_redirect` to specify an unprotected resource to be displayed after requesting the `/logout` location + * Modify the URI defined in `map…$oidc_logout_landing_page` to redirect browser after successful logout. * Set a unique value for `$oidc_hmac_key` to ensure nonce values are unpredictable * If NGINX Plus is deployed behind another proxy or load balancer, modify the `map…$redirect_base` and `map…$proto` blocks to define how to obtain the original protocol and port number. diff --git a/configure.sh b/configure.sh index 17e8920..a942838 100755 --- a/configure.sh +++ b/configure.sh @@ -120,7 +120,7 @@ fi # Build an intermediate configuration file # File format is: # -jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf +jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)\n$oidc_logout_endpoint \(.logout_endpoint)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf # Create a random value for HMAC key, adding to the intermediate configuration file echo "\$oidc_hmac_key `openssl rand -base64 18`" >> /tmp/${COMMAND}_$$_conf @@ -178,7 +178,7 @@ fi # Loop through each configuration variable echo "$COMMAND: NOTICE: Configuring $CONFDIR/openid_connect_configuration.conf" -for OIDC_VAR in \$oidc_authz_endpoint \$oidc_token_endpoint \$oidc_jwt_keyfile \$oidc_hmac_key $CLIENT_ID_VAR $CLIENT_SECRET_VAR $PKCE_ENABLE_VAR; do +for OIDC_VAR in \$oidc_authz_endpoint \$oidc_token_endpoint \$oidc_jwt_keyfile \$oidc_logout_endpoint \$oidc_hmac_key $CLIENT_ID_VAR $CLIENT_SECRET_VAR $PKCE_ENABLE_VAR; do # Pull the configuration value from the intermediate file VALUE=`grep "^$OIDC_VAR " /tmp/${COMMAND}_$$_conf | cut -f2 -d' '` echo -n "$COMMAND: NOTICE: - $OIDC_VAR ..." diff --git a/openid_connect.js b/openid_connect.js index e4f2084..7b63429 100644 --- a/openid_connect.js +++ b/openid_connect.js @@ -5,7 +5,7 @@ */ var newSession = false; // Used by oidcAuth() and validateIdToken() -export default {auth, codeExchange, validateIdToken, logout}; +export default {auth, codeExchange, validateIdToken, logout, redirectPostLogout}; function retryOriginalRequest(r) { delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt @@ -253,11 +253,27 @@ function validateIdToken(r) { } } +// Default RP-Initiated or Custom Logout w/ OP as per: +// https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout +// https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RedirectionAfterLogout +// An RP requests that the OP log out the end-user by redirecting the end-user's +// User Agent to the OP's Logout endpoint. function logout(r) { r.log("OIDC logout for " + r.variables.cookie_auth_token); - r.variables.session_jwt = "-"; - r.variables.refresh_token = "-"; - r.return(302, r.variables.oidc_logout_redirect); + var queryParams = ''; + if (r.variables.oidc_logout_query_params) { + queryParams = '?' + r.variables.oidc_logout_query_params; + } + r.variables.request_id = '-'; + r.variables.session_jwt = '-'; + r.variables.access_token = '-'; + r.variables.refresh_token = '-'; + r.return(302, r.variables.oidc_logout_endpoint + queryParams); +} + +// Redirect URI after logged-out from the OP. +function redirectPostLogout(r) { + r.return(302, r.variables.oidc_logout_landing_page); } function getAuthZArgs(r) { diff --git a/openid_connect.server_conf b/openid_connect.server_conf index 13456d2..aa47f3a 100644 --- a/openid_connect.server_conf +++ b/openid_connect.server_conf @@ -67,14 +67,27 @@ } location = /logout { + # RP-Initiated Logout to interact with $oidc_end_session_endpoint as per: + # https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout status_zone "OIDC logout"; - add_header Set-Cookie "auth_token=; $oidc_cookie_flags"; # Send empty cookie - add_header Set-Cookie "auth_redir=; $oidc_cookie_flags"; # Erase original cookie js_content oidc.logout; } location = /_logout { - # This location is the default value of $oidc_logout_redirect (in case it wasn't configured) + # This location is a RP's callback URI which is called by the IdP after + # successful logout from the IdP by calling $oidc_logout_endpoint. + + # Clean cookies + add_header Set-Cookie "auth_token=; $oidc_cookie_flags"; # Send empty cookie + add_header Set-Cookie "auth_redir=; $oidc_cookie_flags"; # Erase original cookie + add_header Set-Cookie "auth_nonce=; $oidc_cookie_flags"; + + js_content oidc.redirectPostLogout; + } + + location = /logout_page { + # This location is a default value of $oidc_logout_landing_page as a + # Built-in, simple logout page in case it wasn't configured. default_type text/plain; return 200 "Logged out\n"; } diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf index e8a9759..12f3aad 100644 --- a/openid_connect_configuration.conf +++ b/openid_connect_configuration.conf @@ -28,6 +28,18 @@ map $host $oidc_jwt_keyfile { default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/certs"; } +map $host $oidc_logout_endpoint { + default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/logout"; +} + +map $host $oidc_logout_query_params { + # Each IdP may use different query params of the $oidc_logout_endpoint. For + # example, Amazon Cognito requires `client_id` and `logout_uri`, and Auth0 + # requires `client_id` and `returnTo` instead of the default query params. + default "post_logout_redirect_uri=$redirect_base/_logout&id_token_hint=$session_jwt"; + #www.example.com "client_id=$oidc_client&logout_uri=$redirect_base/_logout"; +} + map $host $oidc_client { default "my-client-id"; } @@ -44,10 +56,10 @@ map $host $oidc_scopes { default "openid+profile+email+offline_access"; } -map $host $oidc_logout_redirect { - # Where to send browser after requesting /logout location. This can be - # replaced with a custom logout page, or complete URL. - default "/_logout"; # Built-in, simple logout page +map $host $oidc_logout_landing_page { + # Where to redirect browser after successful logout from the IdP. + default "$redirect_base/logout_page"; # Built-in, simple logout page + #www.example.com $redirect_base; } map $host $oidc_hmac_key {