fix(auth): keycloak authentication post logout redirect for Keycloak 18+ (#5878)

This commit is contained in:
Jason Minard 2023-08-10 16:45:06 -05:00 committed by GitHub
parent 3855d2c853
commit 491d63ceee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 21 additions and 4 deletions

View File

@ -866,7 +866,7 @@ module.exports = class User extends Model {
} }
const usr = await WIKI.models.users.query().findById(context.req.user.id).select('providerKey') const usr = await WIKI.models.users.query().findById(context.req.user.id).select('providerKey')
const provider = _.find(WIKI.auth.strategies, ['key', usr.providerKey]) const provider = _.find(WIKI.auth.strategies, ['key', usr.providerKey])
return provider.logout ? provider.logout(provider.config) : '/' return provider.logout ? provider.logout(provider.config, context) : '/'
} }
static async getGuestUser () { static async getGuestUser () {

View File

@ -21,7 +21,7 @@ module.exports = {
clientSecret: conf.clientSecret, clientSecret: conf.clientSecret,
callbackURL: conf.callbackURL, callbackURL: conf.callbackURL,
passReqToCallback: true passReqToCallback: true
}, async (req, accessToken, refreshToken, profile, cb) => { }, async (req, accessToken, refreshToken, results, profile, cb) => {
let displayName = profile.username let displayName = profile.username
if (_.isString(profile.fullName) && profile.fullName.length > 0) { if (_.isString(profile.fullName) && profile.fullName.length > 0) {
displayName = profile.fullName displayName = profile.fullName
@ -36,6 +36,7 @@ module.exports = {
picture: '' picture: ''
} }
}) })
req.session.keycloak_id_token = results.id_token
cb(null, user) cb(null, user)
} catch (err) { } catch (err) {
cb(err, null) cb(err, null)
@ -43,11 +44,22 @@ module.exports = {
}) })
) )
}, },
logout (conf) { logout (conf, context) {
if (!conf.logoutUpstream) { if (!conf.logoutUpstream) {
return '/' return '/'
} else if (conf.logoutURL && conf.logoutURL.length > 5) { } else if (conf.logoutURL && conf.logoutURL.length > 5) {
return `${conf.logoutURL}?redirect_uri=${encodeURIComponent(WIKI.config.host)}` const idToken = context.req.session.keycloak_id_token
const redirURL = encodeURIComponent(WIKI.config.host)
if (conf.logoutUpstreamRedirectLegacy) {
// keycloak < 18
return `${conf.logoutURL}?redirect_uri=${redirURL}`
} else if (idToken) {
// keycloak 18+
return `${conf.logoutURL}?post_logout_redirect_uri=${redirURL}&id_token_hint=${idToken}`
} else {
// fall back to no redirect if keycloak_id_token isn't available
return conf.logoutURL
}
} else { } else {
WIKI.logger.warn('Keycloak logout URL is not configured!') WIKI.logger.warn('Keycloak logout URL is not configured!')
return '/' return '/'

View File

@ -57,4 +57,9 @@ props:
title: Logout Endpoint URL title: Logout Endpoint URL
hint: e.g. https://KEYCLOAK-HOST/auth/realms/YOUR-REALM/protocol/openid-connect/logout hint: e.g. https://KEYCLOAK-HOST/auth/realms/YOUR-REALM/protocol/openid-connect/logout
order: 9 order: 9
logoutUpstreamRedirectLegacy:
type: Boolean
title: Legacy Logout Redirect
hint: Pass the legacy 'redirect_uri' parameter to the logout endpoint. Leave disabled for Keycloak 18 and above.
order: 10