From 4709dca33c96713b55286386db241824b91b3718 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 1 Jul 2021 15:48:56 +0200 Subject: [PATCH] outposts/proxy: always redirect to session-end interface on sign_out Signed-off-by: Jens Langhammer --- outpost/pkg/proxy/api.go | 7 +++-- outpost/pkg/proxy/api_bundle.go | 3 ++ outpost/pkg/proxy/proxy.go | 54 +++++++++++++++----------------- tests/e2e/test_provider_proxy.py | 7 +++++ 4 files changed, 39 insertions(+), 32 deletions(-) diff --git a/outpost/pkg/proxy/api.go b/outpost/pkg/proxy/api.go index e9526e3db..6d4acc5e5 100644 --- a/outpost/pkg/proxy/api.go +++ b/outpost/pkg/proxy/api.go @@ -29,9 +29,10 @@ func (s *Server) bundleProviders(providers []api.ProxyOutpostConfig) []*provider log.WithError(err).Warning("Failed to parse URL, skipping provider") } bundles[idx] = &providerBundle{ - s: s, - Host: externalHost.Host, - log: log.WithField("logger", "authentik.outpost.proxy-bundle").WithField("provider", provider.Name), + s: s, + Host: externalHost.Host, + log: log.WithField("logger", "authentik.outpost.proxy-bundle").WithField("provider", provider.Name), + endSessionUrl: provider.OidcConfiguration.EndSessionEndpoint, } bundles[idx].Build(provider) } diff --git a/outpost/pkg/proxy/api_bundle.go b/outpost/pkg/proxy/api_bundle.go index 0081b80b9..1489c3c13 100644 --- a/outpost/pkg/proxy/api_bundle.go +++ b/outpost/pkg/proxy/api_bundle.go @@ -25,6 +25,8 @@ type providerBundle struct { proxy *OAuthProxy Host string + endSessionUrl string + cert *tls.Certificate log *log.Entry @@ -155,6 +157,7 @@ func (pb *providerBundle) Build(provider api.ProxyOutpostConfig) { oauthproxy.BasicAuthPasswordAttribute = *provider.BasicAuthPasswordAttribute } + oauthproxy.endSessionEndpoint = pb.endSessionUrl oauthproxy.ExternalHost = pb.Host pb.proxy = oauthproxy diff --git a/outpost/pkg/proxy/proxy.go b/outpost/pkg/proxy/proxy.go index ec0aae395..d842022eb 100644 --- a/outpost/pkg/proxy/proxy.go +++ b/outpost/pkg/proxy/proxy.go 
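Review bot: In the api.go hunk, `provider.OidcConfiguration.EndSessionEndpoint` is copied into `endSessionUrl` without any check, and the SignOut hunk in proxy.go later hands that value straight to `http.Redirect`. If the API delivers an empty or relative value, `http.Redirect` resolves it against the request path, so after the cookie is cleared the browser stays on the outpost instead of reaching the provider's end-session page. I would validate it here, next to the existing external-host parse, and accept only an absolute http/https URL, logging a warning otherwise, e.g. `if u, err := url.Parse(ep); err != nil || !u.IsAbs() { /* warn and skip */ }`. If `OidcConfiguration` is a pointer in the generated client (not visible here), it needs a nil check as well. The enclosing loop in bundleProviders starts and ends outside the hunk.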
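Review bot: The new providerBundle field `endSessionUrl` in the first api_bundle.go hunk breaks the Go initialism convention; `endSessionURL` would match `redirectURL` on OAuthProxy. The field is also only a pass-through, since Build already receives `provider`. The assignment in the second api_bundle.go hunk could therefore read `oauthproxy.endSessionEndpoint = provider.OidcConfiguration.EndSessionEndpoint`, which makes the extra field and its initialiser in api.go unnecessary. Both the struct and Build continue outside these hunks.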
@@ -65,31 +65,33 @@ type OAuthProxy struct { AuthOnlyPath string UserInfoPath string + endSessionEndpoint string mode api.ProxyMode - redirectURL *url.URL // the url to receive requests at - whitelistDomains []string - provider providers.Provider - sessionStore sessionsapi.SessionStore - ProxyPrefix string - serveMux http.Handler - SetXAuthRequest bool - SetBasicAuth bool - PassUserHeaders bool BasicAuthUserAttribute string BasicAuthPasswordAttribute string ExternalHost string - PassAccessToken bool - SetAuthorization bool - PassAuthorization bool - PreferEmailToUser bool - skipAuthRegex []string - skipAuthPreflight bool - skipAuthStripHeaders bool - mainJwtBearerVerifier *oidc.IDTokenVerifier - extraJwtBearerVerifiers []*oidc.IDTokenVerifier - compiledRegex []*regexp.Regexp - templates *template.Template - realClientIPParser ipapi.RealClientIPParser + + redirectURL *url.URL // the url to receive requests at + whitelistDomains []string + provider providers.Provider + sessionStore sessionsapi.SessionStore + ProxyPrefix string + serveMux http.Handler + SetXAuthRequest bool + SetBasicAuth bool + PassUserHeaders bool + PassAccessToken bool + SetAuthorization bool + PassAuthorization bool + PreferEmailToUser bool + skipAuthRegex []string + skipAuthPreflight bool + skipAuthStripHeaders bool + mainJwtBearerVerifier *oidc.IDTokenVerifier + extraJwtBearerVerifiers []*oidc.IDTokenVerifier + compiledRegex []*regexp.Regexp + templates *template.Template + realClientIPParser ipapi.RealClientIPParser sessionChain alice.Chain 
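Review bot: `endSessionEndpoint` is added to OAuthProxy without a comment, while the neighbouring `redirectURL` carries one. Since SignOut now sends every user to this value, it deserves a line such as `endSessionEndpoint string // provider's end-session URL; SignOut always redirects here`. The remaining removed and re-added fields appear to be a regrouping of existing members, which makes the one functional addition easy to miss in review. The struct definition begins and ends outside the hunk.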
@@ -285,19 +287,13 @@ func (p *OAuthProxy) UserInfo(rw http.ResponseWriter, req *http.Request) { // SignOut sends a response to clear the authentication cookie func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) { - redirect, err := p.GetRedirect(req) - if err != nil { - p.logger.Errorf("Error obtaining redirect: %v", err) - p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error()) - return - } - err = p.ClearSessionCookie(rw, req) + err := p.ClearSessionCookie(rw, req) if err != nil { p.logger.Errorf("Error clearing session cookie: %v", err) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error()) return } - http.Redirect(rw, req, redirect, http.StatusFound) + http.Redirect(rw, req, p.endSessionEndpoint, http.StatusFound) } // AuthenticateOnly checks whether the user is currently logged in diff --git a/tests/e2e/test_provider_proxy.py b/tests/e2e/test_provider_proxy.py index 1875ff7c2..0242b3430 100644 --- a/tests/e2e/test_provider_proxy.py +++ b/tests/e2e/test_provider_proxy.py @@ -119,6 +119,13 @@ class TestProviderProxy(SeleniumTestCase): self.assertIn("X-Forwarded-Preferred-Username: akadmin", full_body_text) self.assertIn("X-Foo: bar", full_body_text) + self.driver.get("http://localhost:4180/akprox/sign_out") + sleep(2) + full_body_text = self.driver.find_element( + By.CSS_SELECTOR, ".pf-c-title.pf-m-3xl" + ).text + self.assertIn("You've logged out of proxy.", full_body_text) + @skipUnless(platform.startswith("linux"), "requires local docker") class TestProviderProxyConnect(ChannelsLiveServerTestCase):
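Review bot: The doc comment on SignOut still says only that it clears the authentication cookie, but the new body redirects unconditionally to `p.endSessionEndpoint` and no longer calls `GetRedirect`, so any redirect target requested by the client is ignored. That contract change should be stated where maintainers will read it, e.g. `// SignOut clears the session cookie and redirects to the provider's end-session endpoint; a client-supplied redirect is ignored.` As far as this hunk shows, only the outpost's own cookie is cleared before the redirect, which the comment could mention too.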
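Review bot: The added assertions in test_provider_proxy.py only confirm that the end-session page is rendered; nothing checks that the outpost session was actually invalidated by `/akprox/sign_out`. After the sign-out request I would load the proxied application URL again (presumably the one requested earlier in this test) and assert that the header echo `X-Forwarded-Preferred-Username: akadmin` is no longer served without a fresh login. The fixed `sleep(2)` could also be replaced by an explicit wait on the `.pf-c-title.pf-m-3xl` element so the check does not depend on timing. The test method starts outside the hunk.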