
Commit fa8d60c

Stefan WeilUBMA Sysadmins
authored andcommitted
oidc logout
1 parent d32a6fa commit fa8d60c


2 files changed

+27
-10
lines changed


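--- a/config/vufind/OpenIDConnectClient.ini
+++ b/config/vufind/OpenIDConnectClient.ini
@@ -3,6 +3,13 @@
 url = "https://openidconnect.provider.url"
 client_id = "your_client_id"
 client_secret = "your_client_secret"
+
+; Optional URL for end_session_endpoint.
+; If it is missing or false, logout functionality is disabled.
+; If it is true, the end_session_endpoint from the provider is used.
+; If it is a valid URL, this URL is used as end_session_endpoint.
+logout = true
+
 ; Optional settings of username prefix to ensure unique usernames in case of multiple authentication methods
 username_prefix = ""
 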
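--- a/module/VuFind/src/VuFind/Auth/OpenIDConnect.php
+++ b/module/VuFind/src/VuFind/Auth/OpenIDConnect.php
@@ -374,27 +374,37 @@ public function getSessionInitiator($target): bool|string
 public function logout($url)
 {
 $redirectUrl = $url;
+$end_session_endpoint = false;
 
-// Retrieve id_token from session
-$idToken = $this->session->oidc_id_token ?? null;
-if ($idToken === null) {
-$this->logWarning('No id_token found in session data');
+$logout = $this->getConfig('logout');
+
+if (!$logout) {
+// No logout configured, so don't logout from service provider.
+$this->debug('no logout URL given');
+} elseif (filter_var($logout, FILTER_VALIDATE_URL)) {
+// A valid URL was configured, use it.
+$end_session_endpoint = $logout;
 } else {
-// Get end_session_endpoint from provider
+// Get end_session_endpoint from provider.
 $provider = $this->getProvider();
-if (empty($provider->end_session_endpoint)) {
-$this->logWarning('No end_session_endpoint found in provider metadata');
+$end_session_endpoint = $provider->end_session_endpoint;
+}
+
+if ($end_session_endpoint) {
+// Retrieve id_token from session.
+$idToken = $this->session->oidc_id_token ?? null;
+if ($idToken === null) {
+$this->logWarning('No id_token found in session data');
 } else {
-$logoutUrl = $provider->end_session_endpoint;
 $params = [
 'id_token_hint' => $idToken,
 'post_logout_redirect_uri' => $url,
 ];
-$redirectUrl = $logoutUrl . '?' . http_build_query($params);
+$redirectUrl = $end_session_endpoint . '?' . http_build_query($params);
 }
 }
 
-// Send back the redirect URL (possibly modified):
+// Send back the redirect URL (possibly modified).
 return $redirectUrl;
 }
 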
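Review bot: In the `else` branch that reads the provider metadata, `$provider->end_session_endpoint` is now assigned directly, dropping the `empty()` guard and the 'No end_session_endpoint found in provider metadata' warning the old code had. If the provider's metadata lacks that field, the read presumably raises an undefined-property warning and `logout()` falls back to a local-only logout, leaving the user's session at the identity provider active with nothing in the application log to explain it. I would keep the guard: `$end_session_endpoint = $provider->end_session_endpoint ?? false;` followed by `if (!$end_session_endpoint) { $this->logWarning('No end_session_endpoint found in provider metadata'); }`. Separately, `filter_var($logout, FILTER_VALIDATE_URL)` accepts any scheme and the `id_token_hint` is appended to that URL, so it is worth requiring `https` for the configured value. A truthy value that is not a URL, such as a mistyped one, also falls through to provider discovery without any log entry.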