From accca6061bf0e7527136c3275c9d8863695d9181 Mon Sep 17 00:00:00 2001
From: Jiang Yio
Date: Fri, 22 Dec 2023 23:31:46 -0500
Subject: [PATCH 1/2] Support overriding `end_session_endpoint` using environment variable `GRIST_OIDC_IDP_END_SESSION_ENDPOINT`

---
 app/server/lib/OIDCConfig.ts | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/app/server/lib/OIDCConfig.ts b/app/server/lib/OIDCConfig.ts
index 110183e862..0dd4813a3f 100644
--- a/app/server/lib/OIDCConfig.ts
+++ b/app/server/lib/OIDCConfig.ts
@@ -26,6 +26,9 @@
  * If omitted, the name will either be the concatenation of "given_name" + "family_name" or the "name" attribute.
  * env GRIST_OIDC_SP_PROFILE_EMAIL_ATTR
  * The key of the attribute to use for the user's email. Defaults to "email".
+ * env GRIST_OIDC_IDP_END_SESSION_ENDPOINT
+ * If set, overrides the IdP's end_session_endpoint with an alternative URL to redirect user upon logout
+ * (for an IdP that has a logout endpoint but does not support the OIDC RP-Initiated Logout specification).
  * env GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT
  * If set to "true", on logout, there won't be any attempt to call the IdP's end_session_endpoint
  * (the user will remain logged in in the IdP).
@@ -63,6 +66,7 @@ export class OIDCConfig {
   private _redirectUrl: string;
   private _namePropertyKey?: string;
   private _emailPropertyKey: string;
+  private _endSessionEndpoint: string;
   private _skipEndSessionEndpoint: boolean;
   private _ignoreEmailVerified: boolean;
 
@@ -94,6 +98,11 @@ export class OIDCConfig {
       defaultValue: 'email',
     });
 
+    this._endSessionEndpoint = section.flag('endSessionEndpoint').readString({
+      envVar: 'GRIST_OIDC_IDP_END_SESSION_ENDPOINT',
+      defaultValue: '',
+    })!;
+
     this._skipEndSessionEndpoint = section.flag('skipEndSessionEndpoint').readBool({
       envVar: 'GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT',
       defaultValue: false,
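Review bot: The override read from GRIST_OIDC_IDP_END_SESSION_ENDPOINT in the @@ -94 hunk is stored as a raw string that the logout path later hands to the browser as a redirect target, yet nothing checks that it is an absolute http(s) URL, so a typo or a relative path only shows up as a broken logout at runtime. Validating it once at startup would fail fast, e.g. right after the readString call: `if (this._endSessionEndpoint && !['http:', 'https:'].includes(new URL(this._endSessionEndpoint).protocol)) {` / `throw new Error('GRIST_OIDC_IDP_END_SESSION_ENDPOINT must be an absolute http(s) URL');` / `}` (new URL itself throws on an unparsable value). The trailing `!` after readString is presumably there because its return type stays nullable even with a default; if so, `?? ''` would state the intent without a non-null assertion, though readString's signature is outside the hunk. The enclosing method starts and ends outside this hunk.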
@@ -112,9 +121,10 @@ export class OIDCConfig {
       redirect_uris: [ this._redirectUrl ],
       response_types: [ 'code' ],
     });
-    if (this._client.issuer.metadata.end_session_endpoint === undefined && !this._skipEndSessionEndpoint) {
+    if (this._client.issuer.metadata.end_session_endpoint === undefined && !this._endSessionEndpoint && !this._skipEndSessionEndpoint) {
       throw new Error('The Identity provider does not propose end_session_endpoint. ' +
-        'If that is expected, please set GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true');
+        'If that is expected, please set GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true ' +
+        'or provide an alternative logout URL in GRIST_OIDC_IDP_END_SESSION_ENDPOINT');
     }
     log.info(`OIDCConfig: initialized with issuer ${issuerUrl}`);
   }
@@ -187,6 +197,10 @@ export class OIDCConfig {
     if (this._skipEndSessionEndpoint) {
       return redirectUrl.href;
     }
+    // Alternatively, we could use a logout URL specified by configuration.
+    if (this._endSessionEndpoint) {
+      return this._endSessionEndpoint;
+    }
     return this._client.endSessionUrl({
       post_logout_redirect_uri: redirectUrl.href
     });

From 191a32962f61fa991be55a22f783cce92d6ef13a Mon Sep 17 00:00:00 2001
From: Jiang Yio
Date: Sat, 23 Dec 2023 00:39:07 -0500
Subject: [PATCH 2/2] Appease eslint

```
/home/runner/work/grist-core/grist-core/app/server/lib/OIDCConfig.ts
Warning: 124:1 warning This line has a length of 136. Maximum allowed is 120 max-len
```

---
 app/server/lib/OIDCConfig.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/server/lib/OIDCConfig.ts b/app/server/lib/OIDCConfig.ts
index 0dd4813a3f..86f78bce20 100644
--- a/app/server/lib/OIDCConfig.ts
+++ b/app/server/lib/OIDCConfig.ts
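Review bot: The relaxed condition on the changed `if` line now accepts a configuration in which both GRIST_OIDC_IDP_END_SESSION_ENDPOINT and GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT are set, but the logout path in the @@ -187 hunk tests the skip flag first, so the configured URL is then silently ignored. A startup warning would make that precedence visible, placed after the existing check: `if (this._endSessionEndpoint && this._skipEndSessionEndpoint) {` / `log.warn('OIDCConfig: GRIST_OIDC_IDP_END_SESSION_ENDPOINT is ignored because GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true');` / `}`, assuming the log module used on the `log.info` line below offers a warn level. The header comment added in the @@ -26 hunk could likewise state which of the two settings wins. The enclosing method begins before this hunk.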
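Review bot: The new branch returns the configured URL verbatim, so `redirectUrl` — the post-logout return into Grist that the default branch below passes as `post_logout_redirect_uri`, and that the skip branch above returns directly — is dropped, and the user ends on the IdP page with no way back. If that is the intended behaviour for an IdP without RP-initiated logout, the added comment should state it instead of "we could", e.g. `// A logout URL supplied by configuration is used verbatim: the IdP is assumed not to support` / `// RP-initiated logout, so no post_logout_redirect_uri is appended and the user is not returned to Grist.`; otherwise consider appending the return URL as a query parameter. The enclosing method starts before this hunk.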
@@ -121,7 +121,8 @@ export class OIDCConfig {
       redirect_uris: [ this._redirectUrl ],
       response_types: [ 'code' ],
     });
-    if (this._client.issuer.metadata.end_session_endpoint === undefined && !this._endSessionEndpoint && !this._skipEndSessionEndpoint) {
+    if (this._client.issuer.metadata.end_session_endpoint === undefined &&
+        !this._endSessionEndpoint && !this._skipEndSessionEndpoint) {
       throw new Error('The Identity provider does not propose end_session_endpoint. ' +
         'If that is expected, please set GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true ' +
         'or provide an alternative logout URL in GRIST_OIDC_IDP_END_SESSION_ENDPOINT');