outposts/proxy: always redirect to session-end interface on sign_out

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

outpost/pkg/proxy/api.go

@@ -32,6 +32,7 @@ func (s *Server) bundleProviders(providers []api.ProxyOutpostConfig) []*provider
 			s:             s,
 			Host:          externalHost.Host,
 			log:           log.WithField("logger", "authentik.outpost.proxy-bundle").WithField("provider", provider.Name),
+			endSessionUrl: provider.OidcConfiguration.EndSessionEndpoint,
 		}
 		bundles[idx].Build(provider)
 	}

outpost/pkg/proxy/api_bundle.go

@@ -25,6 +25,8 @@ type providerBundle struct {
 	proxy *OAuthProxy
 	Host  string
 
+	endSessionUrl string
+
 	cert *tls.Certificate
 
 	log *log.Entry
@@ -155,6 +157,7 @@ func (pb *providerBundle) Build(provider api.ProxyOutpostConfig) {
 		oauthproxy.BasicAuthPasswordAttribute = *provider.BasicAuthPasswordAttribute
 	}
 
+	oauthproxy.endSessionEndpoint = pb.endSessionUrl
 	oauthproxy.ExternalHost = pb.Host
 
 	pb.proxy = oauthproxy

outpost/pkg/proxy/proxy.go

@@ -65,7 +65,12 @@ type OAuthProxy struct {
 	AuthOnlyPath      string
 	UserInfoPath      string
 
+	endSessionEndpoint         string
 	mode                       api.ProxyMode
+	BasicAuthUserAttribute     string
+	BasicAuthPasswordAttribute string
+	ExternalHost               string
+
 	redirectURL             *url.URL // the url to receive requests at
 	whitelistDomains        []string
 	provider                providers.Provider
@@ -75,9 +80,6 @@ type OAuthProxy struct {
 	SetXAuthRequest         bool
 	SetBasicAuth            bool
 	PassUserHeaders         bool
-	BasicAuthUserAttribute     string
-	BasicAuthPasswordAttribute string
-	ExternalHost               string
 	PassAccessToken         bool
 	SetAuthorization        bool
 	PassAuthorization       bool
@@ -285,19 +287,13 @@ func (p *OAuthProxy) UserInfo(rw http.ResponseWriter, req *http.Request) {
 
 // SignOut sends a response to clear the authentication cookie
 func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) {
-	redirect, err := p.GetRedirect(req)
+	err := p.ClearSessionCookie(rw, req)
-	if err != nil {
-		p.logger.Errorf("Error obtaining redirect: %v", err)
-		p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
-		return
-	}
-	err = p.ClearSessionCookie(rw, req)
 	if err != nil {
 		p.logger.Errorf("Error clearing session cookie: %v", err)
 		p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
 		return
 	}
-	http.Redirect(rw, req, redirect, http.StatusFound)
+	http.Redirect(rw, req, p.endSessionEndpoint, http.StatusFound)
 }
 
 // AuthenticateOnly checks whether the user is currently logged in

tests/e2e/test_provider_proxy.py

@@ -119,6 +119,13 @@ class TestProviderProxy(SeleniumTestCase):
         self.assertIn("X-Forwarded-Preferred-Username: akadmin", full_body_text)
         self.assertIn("X-Foo: bar", full_body_text)
 
+        self.driver.get("http://localhost:4180/akprox/sign_out")
+        sleep(2)
+        full_body_text = self.driver.find_element(
+            By.CSS_SELECTOR, ".pf-c-title.pf-m-3xl"
+        ).text
+        self.assertIn("You've logged out of proxy.", full_body_text)
+
 
 @skipUnless(platform.startswith("linux"), "requires local docker")
 class TestProviderProxyConnect(ChannelsLiveServerTestCase):