support RP initiated logout

Author: mcalinghee

crates/handlers/src/upstream_oauth2/cookie.rs

@@ -65,6 +65,12 @@ impl UpstreamSessions {
     pub fn is_empty(&self) -> bool {
         self.0.is_empty()
     }
+    /// Returns the session IDs in the cookie
+    pub fn session_ids(&self) -> Vec<Ulid> {
+        self.0.iter()
+        .map(|p| p.session)
+        .collect()
+    }
 
     /// Save the upstreams sessions to the cookie jar
     pub fn save<C>(self, cookie_jar: CookieJar, clock: &C) -> CookieJar
@@ -149,7 +155,9 @@ impl UpstreamSessions {
             .position(|p| p.link == Some(link_id))
             .ok_or(UpstreamSessionNotFound)?;
 
-        self.0.remove(pos);
+        // We do not remove the session from the cookie, because it might be used by
+        // in the logout
+        self.0[pos].link = None;
 
         Ok(self)
     }

crates/handlers/src/upstream_oauth2/logout.rs

@@ -0,0 +1,178 @@
+// Copyright 2025 New Vector Ltd.
+//
+// SPDX-License-Identifier: AGPL-3.0-only
+// Please see LICENSE in the repository root for full details.
+
+use std::collections::HashMap;
+
+
+use mas_axum_utils::cookies::CookieJar;
+use mas_router::UrlBuilder;
+use mas_storage::{
+    upstream_oauth2::UpstreamOAuthProviderRepository, RepositoryAccess
+};
+use serde::{Deserialize, Serialize};
+use tracing::{info, warn, error};
+use url::Url;
+use crate::{impl_from_error_for_route};
+use thiserror::Error;
+
+use super::UpstreamSessionsCookie;
+
+/// Back-channel logout token
+/// 
+/// See https://openid.net/specs/openid-connect-backchannel-1_0.html#BCTokens
+#[derive(Debug, Serialize, Deserialize)]
+pub struct BackChannelLogoutToken {
+    /// Issuer Identifier
+    pub iss: String,
+    
+    /// Subject Identifier
+    pub sub: String,
+    
+    /// Session ID (if available)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub sid: Option<String>,
+    
+    /// Audience
+    pub aud: String,
+    
+    /// Issued At
+    pub iat: i64,
+    
+    /// JWT ID
+    pub jti: String,
+    
+    /// Expiration Time
+    pub exp: i64,
+    
+    /// Events claim - according to the spec, it must contain the "http://schemas.openid.net/event/backchannel-logout" key
+    pub events: HashMap<String, serde_json::Value>,
+}
+
+#[derive(Serialize, Deserialize)]
+struct LogoutToken {
+    logout_token: String,
+}
+
+/// Structure to collect upstream RP-initiated logout endpoints for a user
+#[derive(Debug, Default)]
+pub struct UpstreamLogoutInfo {
+    /// Collection of logout endpoints that the user needs to be redirected to
+    pub logout_endpoints: Vec<String>,
+    
+    /// Optional post-logout redirect URI to come back to our app
+    pub post_logout_redirect_uri: Option<String>,
+}
+
+#[derive(Debug, Error)]
+pub enum RouteError {
+    #[error(transparent)]
+    Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
+
+    #[error("provider was not found")]
+    ProviderNotFound,
+
+    #[error("session was not found")]
+    SessionNotFound,
+}
+
+impl_from_error_for_route!(mas_storage::RepositoryError);
+
+impl From<reqwest::Error> for RouteError {
+    fn from(err: reqwest::Error) -> Self {
+        Self::Internal(Box::new(err))
+    }
+}
+
+/// Get RP-initiated logout URLs for a user's upstream providers
+///
+/// This retrieves logout endpoints from all connected upstream providers that
+/// support RP-initiated logout.
+///
+/// # Parameters
+///
+/// * `repo`: The repository to use
+/// * `url_builder`: URL builder for constructing redirect URIs
+/// * `session`: The browser session to log out
+/// * `grant_id`: Optional grant ID to use for generating id_token_hint
+/// 
+/// # Returns
+///
+/// Information about upstream logout endpoints the user should be redirected to
+///
+/// # Errors
+///
+/// Returns a RouteError if there's an issue accessing the repository
+pub async fn get_rp_initiated_logout_endpoints<E>(
+    url_builder: &UrlBuilder,
+    repo: &mut impl RepositoryAccess<Error = E>,
+    cookie_jar: &CookieJar,
+) -> Result<UpstreamLogoutInfo, RouteError> where RouteError: std::convert::From<E>
+{
+    let mut result = UpstreamLogoutInfo::default();
+    
+    // Set the post-logout redirect URI to our app's logout completion page
+    let post_logout_redirect_uri = url_builder
+        .absolute_url_for(&mas_router::Login::default())
+        .to_string();
+    result.post_logout_redirect_uri = Some(post_logout_redirect_uri.clone());
+
+    let sessions_cookie = UpstreamSessionsCookie::load(&cookie_jar);
+    warn!("sessions_cookie: {:?}", sessions_cookie);
+    
+    // Standard location for OIDC end session endpoint
+    for upstream_session_id in sessions_cookie.session_ids() {
+        let upstream_session = repo
+            .upstream_oauth_session()
+            .lookup(upstream_session_id)
+            .await?
+            .ok_or(RouteError::SessionNotFound)?;
+
+        let provider = repo.upstream_oauth_provider()
+            .lookup(upstream_session.provider_id)
+            .await?
+            .ok_or(RouteError::ProviderNotFound)?;
+
+        // Look for end session endpoint
+        // In a real implementation, we'd have end_session_endpoint fields in the provider
+        // For now, we'll try to construct one from the issuer if available
+        if let Some(issuer) = &provider.issuer {
+            let end_session_endpoint = format!("{}/protocol/openid-connect/logout", issuer);
+            let mut logout_url = end_session_endpoint;
+            
+            // Add post_logout_redirect_uri
+            if let Some(post_uri) = &result.post_logout_redirect_uri {
+                if let Ok(mut url) = Url::parse(&logout_url) {
+                    url.query_pairs_mut()
+                        .append_pair("post_logout_redirect_uri", post_uri);
+                    url.query_pairs_mut()
+                        .append_pair("client_id", &provider.client_id);
+                
+                    // Add id_token_hint if available
+                    if upstream_session.id_token().is_some(){
+                        url.query_pairs_mut()
+                            .append_pair("id_token_hint", upstream_session.id_token().unwrap());
+                    }
+                    logout_url = url.to_string();
+                }
+            }
+            
+            info!(
+                upstream_oauth_provider.id = %provider.id,
+                logout_url = %logout_url,
+                "Adding RP-initiated logout URL based on issuer"
+            );
+            
+            result.logout_endpoints.push(logout_url);
+        } else {
+            info!(
+                upstream_oauth_provider.id = %provider.id,
+                "Provider has no issuer defined, cannot construct RP-initiated logout URL"
+            );
+        }    
+        
+    }
+    
+    Ok(result)
+}

crates/handlers/src/upstream_oauth2/mod.rs

@@ -18,6 +18,7 @@ use url::Url;
 pub(crate) mod authorize;
 pub(crate) mod cache;
 pub(crate) mod callback;
+pub(crate) mod logout;
 mod cookie;
 pub(crate) mod link;
 mod template;

crates/handlers/src/views/logout.rs

@@ -6,7 +6,7 @@
 
 use axum::{
     extract::{Form, State},
-    response::IntoResponse,
+    response::{IntoResponse, Redirect},
 };
 use mas_axum_utils::{
     FancyError, SessionInfoExt,
@@ -16,7 +16,9 @@ use mas_axum_utils::{
 use mas_router::{PostAuthAction, UrlBuilder};
 use mas_storage::{BoxClock, BoxRepository, user::BrowserSessionRepository};
 
-use crate::BoundActivityTracker;
+use crate::{BoundActivityTracker, upstream_oauth2::logout::get_rp_initiated_logout_endpoints};
+
+use tracing::warn;
 
 #[tracing::instrument(name = "handlers.views.logout.post", skip_all, err)]
 pub(crate) async fn post(
@@ -27,10 +29,11 @@ pub(crate) async fn post(
     activity_tracker: BoundActivityTracker,
     Form(form): Form<ProtectedForm<Option<PostAuthAction>>>,
 ) -> Result<impl IntoResponse, FancyError> {
-    let form = cookie_jar.verify_form(&clock, form)?;
-
+    let form: Option<PostAuthAction> = cookie_jar.verify_form(&clock, form)?;
     let (session_info, cookie_jar) = cookie_jar.session_info();
 
+    let mut upstream_logout_url = None;
+
     if let Some(session_id) = session_info.current_session_id() {
         let maybe_session = repo.browser_session().lookup(session_id).await?;
         if let Some(session) = maybe_session {
@@ -39,6 +42,25 @@ pub(crate) async fn post(
                     .record_browser_session(&clock, &session)
                     .await;
 
+                // First, get RP-initiated logout endpoints before actually finishing the session
+                match get_rp_initiated_logout_endpoints(
+                    &url_builder,
+                    &mut repo,
+                    &cookie_jar,
+                ).await {
+                    Ok(logout_info) => {
+                        // If we have any RP-initiated logout endpoints, use the first one
+                        if !logout_info.logout_endpoints.is_empty() {
+                            upstream_logout_url = Some(logout_info.logout_endpoints[0].clone());
+                        }
+                    },
+                    Err(e) => {
+                        warn!("Failed to get RP-initiated logout endpoints: {}", e);
+                        // Continue with logout even if endpoint retrieval fails
+                    }
+                }
+                
+                // Now finish the session
                 repo.browser_session().finish(&clock, session).await?;
             }
         }
@@ -50,11 +72,17 @@ pub(crate) async fn post(
     // invalid
     let cookie_jar = cookie_jar.update_session_info(&session_info.mark_session_ended());
 
+    // If we have an upstream provider to logout from, redirect to it
+    if let Some(logout_url) = upstream_logout_url {
+        return Ok((cookie_jar, Redirect::to(&logout_url)).into_response());
+    }
+
+    // Default behavior - redirect to login or specified action
     let destination = if let Some(action) = form {
         action.go_next(&url_builder)
     } else {
         url_builder.redirect(&mas_router::Login::default())
     };
 
-    Ok((cookie_jar, destination))
+    Ok((cookie_jar, destination).into_response())
 }