Allow configuring custom logout redirect for oidc (#9006)

Adds the option to configure a custom redirect uri after the logout.

This was requested so that an OIDC provider logout can also be
triggered.

Note that this does not work for the “logout everywhere” feature. This
is accepted for the moment, as this would be more complex (not sure how
to tell the oidc provider to terminate all sessions).

Note that this also does not yet implement the other direction (if a
user logs out of another app with the same OIDC provider, wk sessions
are not terminated). This would also be a lot more complex.

### Steps to test:
- Adapt logout redirect address in application.conf (e.g. to
https://example.org)
- Log out in wk, should be redirected.
- When navigating to wk again, should still be logged out.

### Issues:
- fixes #9004

------
- [x] Removed dev-only changes like prints and application.conf edits
- [x] Considered [common edge
cases](../blob/master/.github/common_edge_cases.md)

Author: fm3

app/controllers/AuthenticationController.scala

@@ -537,13 +537,16 @@ class AuthenticationController @Inject()(
   }
 
   def logout: Action[AnyContent] = sil.UserAwareAction.async { implicit request =>
+    val redirectUrlStr: String = conf.SingleSignOn.OpenIdConnect.logoutRedirectUrl.getOrElse("/")
+    val rawResultWithRedirect = Ok(Json.toJson(redirectUrlStr))
     request.authenticator match {
       case Some(authenticator) =>
         for {
-          authenticatorResult <- combinedAuthenticatorService.discard(authenticator, Ok)
+          authenticatorResult <- combinedAuthenticatorService.discard(authenticator, rawResultWithRedirect)
           _ = logger.info(f"User ${request.identity.map(_._id).getOrElse("id unknown")} logged out.")
         } yield authenticatorResult
-      case _ => Future.successful(Ok)
+      case _ =>
+        Future.successful(rawResultWithRedirect)
     }
   }
 

app/utils/WkConf.scala

@@ -128,6 +128,7 @@ class WkConf @Inject()(configuration: Configuration, certificateValidationServic
       val clientSecret: String = get[String]("singleSignOn.openIdConnect.clientSecret")
       val scope: String = get[String]("singleSignOn.openIdConnect.scope")
       val verboseLoggingEnabled: Boolean = get[Boolean]("singleSignOn.openIdConnect.verboseLoggingEnabled")
+      val logoutRedirectUrl = getOptional[String]("singleSignOn.openIdConnect.logoutRedirectUrl")
     }
   }
 

conf/application.conf

@@ -142,6 +142,7 @@ singleSignOn {
       clientId = "myclient"
       clientSecret = "myClientSecret"
       scope = "openid profile email"
+      logoutRedirectUrl = null
       verboseLoggingEnabled = false # always set to false in production to avoid logging secrets
     }
 }

frontend/javascripts/admin/rest_api.ts

@@ -154,8 +154,8 @@ export async function loginUser(formValues: {
   return [activeUser, organization];
 }
 
-export async function logoutUser(): Promise<void> {
-  await Request.receiveJSON("/api/auth/logout", { method: "POST" });
+export async function logoutUser(): Promise<string> {
+  return await Request.receiveJSON("/api/auth/logout", { method: "POST" });
 }
 
 export async function logoutUserEverywhere(): Promise<void> {

frontend/javascripts/navbar.tsx

@@ -774,10 +774,10 @@ function Navbar({ isAuthenticated }: { isAuthenticated: boolean }) {
 
   const handleLogout = async (event: React.SyntheticEvent) => {
     event.preventDefault();
-    await logoutUser();
+    const redirectUrl = await logoutUser();
     Store.dispatch(logoutUserAction());
     // Hard navigation
-    location.href = "/";
+    location.href = redirectUrl;
   };
 
   const version = useFetch(getVersion, null, []);