dkam/clinch
1
0
Fork 0
Code Issues 2 Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Whoops - add oidc logout
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Dan Milne
2025-10-24 16:47:55 +11:00
parent 8c80343b89
commit d6c24e50df
2 changed files with 31 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
app/controllers/oidc_controller.rb
View File

@@ -1,7 +1,7 @@
class OidcController < ApplicationController class OidcController < ApplicationController
# Discovery and JWKS endpoints are public # Discovery and JWKS endpoints are public
allow_unauthenticated_access only: [:discovery, :jwks, :token, :userinfo] allow_unauthenticated_access only: [:discovery, :jwks, :token, :userinfo, :logout]
skip_before_action :verify_authenticity_token, only: [:token] skip_before_action :verify_authenticity_token, only: [:token, :logout]
# GET /.well-known/openid-configuration # GET /.well-known/openid-configuration
def discovery def discovery
@@ -13,6 +13,7 @@ class OidcController < ApplicationController
token_endpoint: "#{base_url}/oauth/token", token_endpoint: "#{base_url}/oauth/token",
userinfo_endpoint: "#{base_url}/oauth/userinfo", userinfo_endpoint: "#{base_url}/oauth/userinfo",
jwks_uri: "#{base_url}/.well-known/jwks.json", jwks_uri: "#{base_url}/.well-known/jwks.json",
end_session_endpoint: "#{base_url}/logout",
response_types_supported: ["code"], response_types_supported: ["code"],
subject_types_supported: ["public"], subject_types_supported: ["public"],
id_token_signing_alg_values_supported: ["RS256"], id_token_signing_alg_values_supported: ["RS256"],
@@ -268,6 +269,33 @@ class OidcController < ApplicationController
render json: claims render json: claims
end end
# GET /logout
def logout
# OpenID Connect RP-Initiated Logout
# Handle id_token_hint and post_logout_redirect_uri parameters
id_token_hint = params[:id_token_hint]
post_logout_redirect_uri = params[:post_logout_redirect_uri]
state = params[:state]
# If user is authenticated, log them out
if authenticated?
# Invalidate the current session
Current.session&.destroy
reset_session
end
# If post_logout_redirect_uri is provided, redirect there
if post_logout_redirect_uri.present?
redirect_uri = post_logout_redirect_uri
redirect_uri += "?state=#{state}" if state.present?
redirect_to redirect_uri, allow_other_host: true
else
# Default redirect to home page
redirect_to root_path
end
end
private private
def extract_client_credentials def extract_client_credentials

1
config/routes.rb
View File

@@ -25,6 +25,7 @@ Rails.application.routes.draw do
post "/oauth/authorize/consent", to: "oidc#consent", as: :oauth_consent post "/oauth/authorize/consent", to: "oidc#consent", as: :oauth_consent
post "/oauth/token", to: "oidc#token" post "/oauth/token", to: "oidc#token"
get "/oauth/userinfo", to: "oidc#userinfo" get "/oauth/userinfo", to: "oidc#userinfo"
get "/logout", to: "oidc#logout"
# ForwardAuth / Trusted Header SSO # ForwardAuth / Trusted Header SSO
namespace :api do namespace :api do