add allow_rp_initiated_logout config

Author: mcalinghee

crates/cli/src/sync.rs

@@ -292,6 +292,7 @@ pub async fn config_sync(
                         fetch_userinfo: provider.fetch_userinfo,
                         userinfo_signed_response_alg: provider.userinfo_signed_response_alg,
                         response_mode,
+                        allow_rp_initiated_logout: provider.allow_rp_initiated_logout,
                         additional_authorization_parameters: provider
                             .additional_authorization_parameters
                             .into_iter()

crates/config/src/sections/upstream_oauth2.rs

@@ -535,6 +535,12 @@ pub struct Provider {
     #[serde(default, skip_serializing_if = "ClaimsImports::is_default")]
     pub claims_imports: ClaimsImports,
 
+    /// Whether to allow RP-initiated logout
+    ///
+    /// Defaults to `false`.
+    #[serde(default)]
+    pub allow_rp_initiated_logout: bool,
+
     /// Additional parameters to include in the authorization request
     ///
     /// Orders of the keys are not preserved.

crates/data-model/src/upstream_oauth2/provider.rs

@@ -240,6 +240,7 @@ pub struct UpstreamOAuthProvider {
     pub created_at: DateTime<Utc>,
     pub disabled_at: Option<DateTime<Utc>>,
     pub claims_imports: ClaimsImports,
+    pub allow_rp_initiated_logout: bool,
     pub additional_authorization_parameters: Vec<(String, String)>,
 }
 

crates/handlers/src/admin/v1/upstream_oauth_links/mod.rs

@@ -42,6 +42,7 @@ mod test_utils {
             token_endpoint_override: None,
             userinfo_endpoint_override: None,
             jwks_uri_override: None,
+            allow_rp_initiated_logout: false,
             additional_authorization_parameters: Vec::new(),
             ui_order: 0,
         }

crates/handlers/src/upstream_oauth2/cache.rs

@@ -422,6 +422,7 @@ mod tests {
             created_at: clock.now(),
             disabled_at: None,
             claims_imports: UpstreamOAuthProviderClaimsImports::default(),
+            allow_rp_initiated_logout: false,
             additional_authorization_parameters: Vec::new(),
         };
 

crates/handlers/src/upstream_oauth2/link.rs

@@ -948,6 +948,7 @@ mod tests {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_rp_initiated_logout: false,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 0,
                 },

crates/handlers/src/upstream_oauth2/logout.rs

@@ -91,55 +91,72 @@ pub async fn get_rp_initiated_logout_endpoints<E>(
     if session_ids.is_empty() {
         return Ok(result);
     }   
-    // We only support the first upstrea session at a time for now
-    let upstream_session_id = session_ids[0];
-    let upstream_session = repo
-        .upstream_oauth_session()
-        .lookup(upstream_session_id)
-        .await?
-        .ok_or(RouteError::SessionNotFound)?;
+    // We only support the first upstream session
+    let mut provider = None;
+    let mut upstream_session = None;
+    
+    for session_id in session_ids {
+        // Get the session and assign its value, wrapped in Some
+        let session = repo
+            .upstream_oauth_session()
+            .lookup(session_id)
+            .await?
+            .ok_or(RouteError::SessionNotFound)?;
+        
+        // Get the provider and assign its value, wrapped in Some
+        let prov = repo.upstream_oauth_provider()
+            .lookup(session.provider_id)
+            .await?
+            .ok_or(RouteError::ProviderNotFound)?;
 
-    let provider = repo.upstream_oauth_provider()
-        .lookup(upstream_session.provider_id)
-        .await?
-        .ok_or(RouteError::ProviderNotFound)?;
+        if prov.allow_rp_initiated_logout {
+            upstream_session = Some(session);
+            provider = Some(prov);
+            break;
+        }
+    }
 
-    // Look for end session endpoint
-    // In a real implementation, we'd have end_session_endpoint fields in the provider
-    // For now, we'll try to construct one from the issuer if available
-    if let Some(issuer) = &provider.issuer {
-        let end_session_endpoint = format!("{}/protocol/openid-connect/logout", issuer);
-        let mut logout_url = end_session_endpoint;
-        
-        // Add post_logout_redirect_uri
-        if let Some(post_uri) = &result.post_logout_redirect_uri {
-            if let Ok(mut url) = Url::parse(&logout_url) {
-                url.query_pairs_mut()
-                    .append_pair("post_logout_redirect_uri", post_uri);
-                url.query_pairs_mut()
-                    .append_pair("client_id", &provider.client_id);
+    // Check if we found a provider with allow_rp_initiated_logout
+    if let Some(provider) = provider {
+        // Look for end session endpoint
+        // In a real implementation, we'd have end_session_endpoint fields in the provider
+        // For now, we'll try to construct one from the issuer if available
+        if let Some(issuer) = &provider.issuer {
+            let end_session_endpoint = format!("{}/protocol/openid-connect/logout", issuer);
+            let mut logout_url = end_session_endpoint;
 
-                // Add id_token_hint if available
-                if upstream_session.id_token().is_some(){
+            // Add post_logout_redirect_uri
+            if let Some(post_uri) = &result.post_logout_redirect_uri {
+                if let Ok(mut url) = Url::parse(&logout_url) {
                     url.query_pairs_mut()
-                        .append_pair("id_token_hint", upstream_session.id_token().unwrap());
+                        .append_pair("post_logout_redirect_uri", post_uri);
+                    url.query_pairs_mut()
+                        .append_pair("client_id", &provider.client_id);
+                
+                    // Add id_token_hint if available
+                    if let Some(session) = &upstream_session {
+                        if let Some(id_token) = session.id_token() {
+                            url.query_pairs_mut()
+                                .append_pair("id_token_hint", id_token);
+                        }
+                    }
+                    logout_url = url.to_string();
                 }
-                logout_url = url.to_string();
             }
+            
+            info!(
+                upstream_oauth_provider.id = %provider.id,
+                logout_url = %logout_url,
+                "Adding RP-initiated logout URL based on issuer"
+            );
+            
+            result.logout_endpoints = logout_url.clone();
+        } else {
+            info!(
+                upstream_oauth_provider.id = %provider.id,
+                "Provider has no issuer defined, cannot construct RP-initiated logout URL"
+            );
         }
-        
-        info!(
-            upstream_oauth_provider.id = %provider.id,
-            logout_url = %logout_url,
-            "Adding RP-initiated logout URL based on issuer"
-        );
-        
-        result.logout_endpoints = logout_url.clone();
-    } else {
-        info!(
-            upstream_oauth_provider.id = %provider.id,
-            "Provider has no issuer defined, cannot construct RP-initiated logout URL"
-        );
     }
 
     Ok(result)

crates/handlers/src/views/login.rs

@@ -452,6 +452,7 @@ mod test {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_rp_initiated_logout: false,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 0,
                 },
@@ -493,6 +494,7 @@ mod test {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_rp_initiated_logout: false,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 1,
                 },