From 277ef258d4b9a5acdf2932347c6a4ca72d739b28 Mon Sep 17 00:00:00 2001
From: "grafana-delivery-bot[bot]" <132647405+grafana-delivery-bot[bot]@users.noreply.github.com>
Date: Mon, 13 May 2024 09:34:53 +0200
Subject: [PATCH] [v11.0.x] AuthN: Fix signout redirect url (#87681)
* AuthN: Fix signout redirect url (#87631)
* Add missing return
* Use sign out redirect url from auth config if configured
* remove option from auth.jwt that is not used
(cherry picked from commit 0f3080ecb89b4e12534e16dd56122d600addd80e)
---------
Co-authored-by: Karl Persson
---
 conf/defaults.ini | 1 -
 pkg/api/login.go | 1 +
 pkg/services/authn/authnimpl/service.go | 5 ++++-
 pkg/services/authn/authnimpl/service_test.go | 15 ++++++++++++++-
 4 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/conf/defaults.ini b/conf/defaults.ini
index a6816edc769..d15ceb1db10 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -867,7 +867,6 @@ auto_sign_up = false
 url_login = false
 allow_assign_grafana_admin = false
 skip_org_role_sync = false
-signout_redirect_url =
 #################################### Auth LDAP ###########################
 [auth.ldap]
diff --git a/pkg/api/login.go b/pkg/api/login.go
index 8e5d570044d..697ebfdd65a 100644
--- a/pkg/api/login.go
+++ b/pkg/api/login.go
@@ -261,6 +261,7 @@ func (hs *HTTPServer) Logout(c *contextmodel.ReqContext) {
 if err != nil {
 hs.log.Error("Failed perform proper logout", "error", err)
 c.Redirect(hs.Cfg.AppSubURL + "/login")
+return
 }
 _, id := c.SignedInUser.GetNamespacedID()
diff --git a/pkg/services/authn/authnimpl/service.go b/pkg/services/authn/authnimpl/service.go
index 48690e919cd..1aecec43a3a 100644
--- a/pkg/services/authn/authnimpl/service.go
+++ b/pkg/services/authn/authnimpl/service.go
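Review bot: The added `return` correctly stops the handler from falling through after the error-path redirect, but on that path nothing visible in this hunk clears the session cookie: the browser is sent to `/login` while the token whose revocation just failed may still be valid, so if the login-cookie deletion lives below this hunk (not visible here) it is skipped exactly when it matters most. Consider deleting the login cookie before `c.Redirect(hs.Cfg.AppSubURL + "/login")` in the error branch as well, so a failed server-side revocation still fails closed on the client side. Separately, the log message reads `"Failed perform proper logout"`; `"Failed to perform proper logout"` is clearer. Logout's body begins before and continues past this hunk.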
@@ -347,6 +347,9 @@ func (s *Service) Logout(ctx context.Context, user identity.Requester, sessionTo
 defer span.End()
 redirect := &authn.Redirect{URL: s.cfg.AppSubURL + "/login"}
+if s.cfg.SignoutRedirectUrl != "" {
+redirect.URL = s.cfg.SignoutRedirectUrl
+}
 namespace, id := user.GetNamespacedID()
 if namespace != authn.NamespaceUser {
@@ -384,7 +387,7 @@ func (s *Service) Logout(ctx context.Context, user identity.Requester, sessionTo
 }
 Default:
-if err = s.sessionService.RevokeToken(ctx, sessionToken, false); err != nil {
+if err = s.sessionService.RevokeToken(ctx, sessionToken, false); err != nil && !errors.Is(err, auth.ErrUserTokenNotFound) {
 return nil, err
 }
diff --git a/pkg/services/authn/authnimpl/service_test.go b/pkg/services/authn/authnimpl/service_test.go
index b053569d5ee..08b7f8b6af6 100644
--- a/pkg/services/authn/authnimpl/service_test.go
+++ b/pkg/services/authn/authnimpl/service_test.go
@@ -311,7 +311,8 @@ func TestService_Logout(t *testing.T) {
 sessionToken *usertoken.UserToken
 info *login.UserAuth
-client authn.Client
+client authn.Client
+signoutRedirectURL string
 expectedErr error
 expectedTokenRevoked bool
@@ -345,6 +346,14 @@ func TestService_Logout(t *testing.T) {
 client: &authntest.FakeClient{ExpectedName: "auth.client.azuread"},
 expectedTokenRevoked: true,
 },
+{
+desc: "should use signout redirect url if configured",
+identity: &authn.Identity{ID: authn.NamespacedID(authn.NamespaceUser, 1), AuthenticatedBy: "azuread"},
+expectedRedirect: &authn.Redirect{URL: "some-url"},
+client: &authntest.FakeClient{ExpectedName: "auth.client.azuread"},
+signoutRedirectURL: "some-url",
+expectedTokenRevoked: true,
+},
 {
 desc: "should redirect to client specific url",
 identity: &authn.Identity{ID: authn.NamespacedID(authn.NamespaceUser, 1)},
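Review bot: The new override of `redirect.URL` from `s.cfg.SignoutRedirectUrl` happens unconditionally before the namespace check, but the function continues past this hunk and the test file's "should redirect to client specific url" case shows a client can also supply a logout redirect, so which value wins is not documented at the point where the override is applied. Add a comment on the new `if`, such as `// signout_redirect_url, when set, replaces the default /login target; a client-specific logout redirect, if any, is resolved below`, adjusted to whichever precedence the code below actually implements. Because the value comes from operator configuration rather than the request it is not an open-redirect sink, but it is still emitted unvalidated; if it is not checked as an absolute URL at config load (not visible here), a `url.Parse` check there would turn a typo into a startup error instead of a broken logout. Logout's body runs past the end of this hunk.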
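Review bot: Treating `auth.ErrUserTokenNotFound` from `RevokeToken` as success makes logout idempotent when the token was already revoked or expired, which is the right call, but the hunk drops that error without any trace. A debug-level log on that branch, e.g. `s.log.Debug("Session token already revoked", "error", err)` (assuming the service carries a logger, which is not visible here), keeps a record when a token disappeared before the user signed out, which is occasionally the first sign of a concurrent revocation. The condition also now sits on one long line; moving the `!errors.Is(...)` clause onto its own line would keep it readable. The enclosing `default:` case and Logout's body continue outside the hunk.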
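Review bot: The new case only exercises a client that provides no logout redirect of its own, so the precedence between `signoutRedirectURL` and a client-specific URL (covered by the neighbouring "should redirect to client specific url" case) is left untested. Add a case that sets `signoutRedirectURL: "some-url"` together with a client that returns its own redirect and pin whichever URL the service is meant to prefer, so a later change cannot silently flip it. The test table continues outside the hunk.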
@@ -381,6 +390,10 @@ func TestService_Logout(t *testing.T) {
 return nil
 },
 }
+
+if tt.signoutRedirectURL != "" {
+svc.cfg.SignoutRedirectUrl = tt.signoutRedirectURL
+}
 })
 redirect, err := s.Logout(context.Background(), tt.identity, tt.sessionToken)