From d6c24e50df56ed2e88e86e587ff65253f2287eb9 Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Fri, 24 Oct 2025 16:47:55 +1100
Subject: [PATCH] Whoops - add oidc logout
---
 app/controllers/oidc_controller.rb | 32 ++++++++++++++++++++++++++++--
 config/routes.rb | 1 +
 2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/app/controllers/oidc_controller.rb b/app/controllers/oidc_controller.rb
index 4ac74cb..ceabb24 100644
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -1,7 +1,7 @@
 class OidcController < ApplicationController
 # Discovery and JWKS endpoints are public
- allow_unauthenticated_access only: [:discovery, :jwks, :token, :userinfo]
- skip_before_action :verify_authenticity_token, only: [:token]
+ allow_unauthenticated_access only: [:discovery, :jwks, :token, :userinfo, :logout]
+ skip_before_action :verify_authenticity_token, only: [:token, :logout]
 
 # GET /.well-known/openid-configuration
 def discovery
@@ -13,6 +13,7 @@ class OidcController < ApplicationController
 token_endpoint: "#{base_url}/oauth/token",
 userinfo_endpoint: "#{base_url}/oauth/userinfo",
 jwks_uri: "#{base_url}/.well-known/jwks.json",
+ end_session_endpoint: "#{base_url}/logout",
 response_types_supported: ["code"],
 subject_types_supported: ["public"],
 id_token_signing_alg_values_supported: ["RS256"],
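Review bot: Adding `:logout` to `skip_before_action :verify_authenticity_token` buys nothing for the GET route this commit adds (Rails' forgery check already passes GET/HEAD requests), but it silently removes the check if the action is ever exposed via POST, which the RP-Initiated Logout spec allows an RP to use; keep the skip only if POST is deliberately supported. Either way the action ends the OP session on an unauthenticated, cross-site request, and the spec asks the OP to confirm with the End-User when no id_token_hint is supplied or it does not belong to the current session, so the skip should be paired with that confirmation step rather than stand alone. The `allow_unauthenticated_access` addition itself is appropriate, since logout may be invoked without an OP session.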
@@ -268,6 +269,33 @@ class OidcController < ApplicationController
 render json: claims
 end
 
+ # GET /logout
+ def logout
+ # OpenID Connect RP-Initiated Logout
+ # Handle id_token_hint and post_logout_redirect_uri parameters
+
+ id_token_hint = params[:id_token_hint]
+ post_logout_redirect_uri = params[:post_logout_redirect_uri]
+ state = params[:state]
+
+ # If user is authenticated, log them out
+ if authenticated?
+ # Invalidate the current session
+ Current.session&.destroy
+ reset_session
+ end
+
+ # If post_logout_redirect_uri is provided, redirect there
+ if post_logout_redirect_uri.present?
+ redirect_uri = post_logout_redirect_uri
+ redirect_uri += "?state=#{state}" if state.present?
+ redirect_to redirect_uri, allow_other_host: true
+ else
+ # Default redirect to home page
+ redirect_to root_path
+ end
+ end
+
 private
 
 def extract_client_credentials
diff --git a/config/routes.rb b/config/routes.rb
index b629fd4..2e6004e 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -25,6 +25,7 @@ Rails.application.routes.draw do
 post "/oauth/authorize/consent", to: "oidc#consent", as: :oauth_consent
 post "/oauth/token", to: "oidc#token"
 get "/oauth/userinfo", to: "oidc#userinfo"
+ get "/logout", to: "oidc#logout"
 
 # ForwardAuth / Trusted Header SSO
 namespace :api do
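Review bot: `redirect_to redirect_uri, allow_other_host: true` follows any `post_logout_redirect_uri` the caller supplies, and `id_token_hint` is read but never verified or used, so the new `logout` action is an open redirector: the spec requires `post_logout_redirect_uri` to match a value pre-registered for the client identified by the ID Token, and the hint itself should be checked (signature, `aud`, `sub` against the current session) before its client is trusted. The `state` handling is also fragile: `redirect_uri += "?state=#{state}"` yields a second `?` when the registered URI already carries a query string and does not URL-encode the value, so build it with `URI` and `encode_www_form`. Falling back to `root_path` when the URI is absent or unregistered keeps the commit's current default. The registered-URI check in the fence is a placeholder for a client lookup that is not visible on this page.
```ruby
    # … unchanged: parameter reads and session teardown (Current.session&.destroy / reset_session) …

    # Only follow a post_logout_redirect_uri that is registered for the client named by a
    # verified id_token_hint; an unvalidated allow_other_host redirect is an open redirector.
    # PLACEHOLDER: registered_post_logout_uri?(...) stands for the project's client lookup,
    # which is not visible on this page.
    if post_logout_redirect_uri.present? && registered_post_logout_uri?(id_token_hint, post_logout_redirect_uri)
      uri = URI.parse(post_logout_redirect_uri)
      if state.present?
        # Append state as a proper query parameter: concatenating "?state=" breaks when the
        # URI already has a query and leaves the value unencoded.
        query = URI.decode_www_form(uri.query.to_s)
        query << ["state", state]
        uri.query = URI.encode_www_form(query)
      end
      redirect_to uri.to_s, allow_other_host: true
    else
      # Default redirect to home page
      redirect_to root_path
    end
```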
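Review bot: `get "/logout", to: "oidc#logout"` exposes the end_session_endpoint for GET only, while RP-Initiated Logout lets an RP send the User Agent with either GET or POST, so a POST from a conforming RP would not reach the action; if that is to be supported, `match "/logout", to: "oidc#logout", via: %i[get post]` covers both, and the controller's forgery-check skip for `:logout` then becomes load-bearing. The path matches the `"#{base_url}/logout"` value advertised in discovery, so the two hunks agree.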