From 4c06ec65da6ed3e05fcdf2d4ce866f81c51919ba Mon Sep 17 00:00:00 2001
From: Sebastian Neuser <pzkz@infra.run>
Date: Thu, 25 Jul 2024 13:48:19 +0200
Subject: [PATCH] impr: Use OIDC library signout function

---
 app/Auth/OIDC/OIDCController.php              | 25 +++++++++++--------
 .../api/v1/auth/LoginController.php           |  2 +-
 routes/web.php                                |  1 +
 3 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/app/Auth/OIDC/OIDCController.php b/app/Auth/OIDC/OIDCController.php
index c0f908e65..a3defba71 100644
--- a/app/Auth/OIDC/OIDCController.php
+++ b/app/Auth/OIDC/OIDCController.php
@@ -101,17 +101,20 @@ public function logout(Request $request)
         }
     }
 
-    // FIXME: This is more or less a very ugly reimplementation of
-    //        https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L436
-    //        without the redirect at the end and with a hard-coded end_session_endpoint.
-    public function logoutRedirectURL()
+    /**
+     * Frontchannel logout
+     */
+    public function signout(Request $request)
     {
-        $issuer = config('services.oidc.issuer');
-        $params = array(
-            'client_id' => config('services.oidc.client_id'),
-            'id_token_hint' => session('oidc_id_token'),
-            'post_logout_redirect_uri' => url('/logout'),
-        );
-        return "$issuer/protocol/openid-connect/logout?".http_build_query($params);
+        $this->oidc->signOut($request['id_token'], $request['logout_url']);
+    }
+
+    public function signoutRedirectURL(string $logout_url)
+    {
+        $params = [
+            'id_token' => session('oidc_id_token'),
+            'logout_url' => $logout_url,
+        ];
+        return url("/auth/oidc/signout?".http_build_query($params));
     }
 }
diff --git a/app/Http/Controllers/api/v1/auth/LoginController.php b/app/Http/Controllers/api/v1/auth/LoginController.php
index 171d4bc61..aa5eb58c5 100644
--- a/app/Http/Controllers/api/v1/auth/LoginController.php
+++ b/app/Http/Controllers/api/v1/auth/LoginController.php
@@ -72,7 +72,7 @@ public function logout(Request $request)
                 $redirect = app(ShibbolethProvider::class)->logout(url('/logout'));
                 break;
             case 'oidc':
-                $redirect = app(OIDCController::class)->logoutRedirectURL();
+                $redirect = app(OIDCController::class)->signoutRedirectURL(url('/logout'));
                 break;
         }
 
diff --git a/routes/web.php b/routes/web.php
index bb9db4652..716f90016 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -35,6 +35,7 @@
     Route::get('auth/oidc/redirect', [OIDCController::class, 'redirect'])->name('auth.oidc.redirect');
     Route::get('auth/oidc/callback', [OIDCController::class, 'callback'])->name('auth.oidc.callback');
     Route::match(['get', 'post'], 'auth/oidc/logout', [OIDCController::class, 'logout'])->name('auth.oidc.logout');
+    Route::get('auth/oidc/signout', [OIDCController::class, 'signout'])->name('auth.oidc.signout');
 });
 
 if (config('greenlight.compatibility')) {