diff --git a/app/Auth/OIDC/OIDCController.php b/app/Auth/OIDC/OIDCController.php
index c0f908e65..a3defba71 100644
--- a/app/Auth/OIDC/OIDCController.php
+++ b/app/Auth/OIDC/OIDCController.php
@@ -101,17 +101,20 @@ public function logout(Request $request)
 }
 }
- // FIXME: This is more or less a very ugly reimplementation of
- // https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L436
- // without the redirect at the end and with a hard-coded end_session_endpoint.
- public function logoutRedirectURL()
+ /**
+ * Frontchannel logout
+ */
+ public function signout(Request $request)
 {
- $issuer = config('services.oidc.issuer');
- $params = array(
- 'client_id' => config('services.oidc.client_id'),
- 'id_token_hint' => session('oidc_id_token'),
- 'post_logout_redirect_uri' => url('/logout'),
- );
- return "$issuer/protocol/openid-connect/logout?".http_build_query($params);
+ $this->oidc->signOut($request['id_token'], $request['logout_url']);
+ }
+
+ public function signoutRedirectURL(string $logout_url)
+ {
+ $params = [
+ 'id_token' => session('oidc_id_token'),
+ 'logout_url' => $logout_url,
+ ];
+ return url("/auth/oidc/signout?".http_build_query($params));
 }
 }
diff --git a/app/Http/Controllers/api/v1/auth/LoginController.php b/app/Http/Controllers/api/v1/auth/LoginController.php
index 171d4bc61..aa5eb58c5 100644
--- a/app/Http/Controllers/api/v1/auth/LoginController.php
+++ b/app/Http/Controllers/api/v1/auth/LoginController.php
@@ -72,7 +72,7 @@ public function logout(Request $request)
 $redirect = app(ShibbolethProvider::class)->logout(url('/logout'));
 break;
 case 'oidc':
- $redirect = app(OIDCController::class)->logoutRedirectURL();
+ $redirect = app(OIDCController::class)->signoutRedirectURL(url('/logout'));
 break;
 }
diff --git a/routes/web.php b/routes/web.php
index bb9db4652..716f90016 100644
--- a/routes/web.php
+++ b/routes/web.php
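Review bot: In the new `signout` action, `$request['id_token']` and `$request['logout_url']` are passed to `$this->oidc->signOut()` with no validation, and the route hunk in routes/web.php registers the action as a plain GET, so both values arrive from the query string and may be missing or arbitrary. What `signOut` does with `logout_url` is not in this diff; if it becomes the post-logout redirect target, restricting it to this application's own origin avoids relying solely on the provider's redirect-URI allow-list, e.g. `$data = $request->validate(['id_token' => 'required|string', 'logout_url' => 'required|url']);` followed by `abort_unless(str_starts_with($data['logout_url'], url('/')), 400);` before the call. Carrying the ID token in a GET query string also places it in access logs and browser history; if the session still exists when `signout` runs, reading `session('oidc_id_token')` there instead would keep it out of the URL. Both new methods lack return types (`: void` and `: string`), `signoutRedirectURL` has no docblock, and since the route is named, `return route('auth.oidc.signout', $params);` is the conventional way to build that URL.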
@@ -35,6 +35,7 @@ Route::get('auth/oidc/redirect', [OIDCController::class, 'redirect'])->name('auth.oidc.redirect');
 Route::get('auth/oidc/callback', [OIDCController::class, 'callback'])->name('auth.oidc.callback');
 Route::match(['get', 'post'], 'auth/oidc/logout', [OIDCController::class, 'logout'])->name('auth.oidc.logout');
+ Route::get('auth/oidc/signout', [OIDCController::class, 'signout'])->name('auth.oidc.signout');
 });
 if (config('greenlight.compatibility')) {