internal: add X-authentik-logout signature to trigger logouts when URLs are not exposed

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

internal/outpost/proxyv2/application/application.go

@@ -150,6 +150,8 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if _, set := r.URL.Query()[CallbackSignature]; set {
 				a.handleAuthCallback(w, r)
+			} else if _, set := r.URL.Query()[LogoutSignature]; set {
+				a.handleSignOut(w, r)
 			} else {
 				inner.ServeHTTP(w, r)
 			}

internal/outpost/proxyv2/application/oauth.go

@@ -15,6 +15,7 @@ import (
 const (
 	redirectParam     = "rd"
 	CallbackSignature = "X-authentik-auth-callback"
+	LogoutSignature   = "X-authentik-logout"
 )
 
 func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {

internal/web/proxy.go

@@ -54,7 +54,8 @@ func (ws *WebServer) configureProxy() {
 		before := time.Now()
 		if ws.ProxyServer != nil {
 			_, oauthCallbackSet := r.URL.Query()[application.CallbackSignature]
-			if ws.ProxyServer.HandleHost(rw, r) || oauthCallbackSet {
+			_, logoutSet := r.URL.Query()[application.LogoutSignature]
+			if ws.ProxyServer.HandleHost(rw, r) || oauthCallbackSet || logoutSet {
 				Requests.With(prometheus.Labels{
 					"dest": "embedded_outpost",
 				}).Observe(float64(time.Since(before)))