fix(auth): trigger RP-initiated logout at OIDC provider

2026-06-01 19:59:52 +02:00 · 2026-06-01 19:59:52 +02:00 · ba66bc15db
commit ba66bc15db
parent 22955bdd9e
4 changed files with 192 additions and 6 deletions
--- a/lib/mv/oidc/discovery.ex
+++ b/lib/mv/oidc/discovery.ex
@ -0,0 +1,88 @@
+defmodule Mv.Oidc.Discovery do
+  @moduledoc """
+  Fetches and caches the OIDC provider's discovery document
+  (`/.well-known/openid-configuration`).
+
+  Currently only `end_session_endpoint` is exposed — used by the logout flow to
+  trigger RP-initiated logout at the IdP so the user's SSO session is cleared
+  and they don't get auto-re-logged-in.
+
+  Cache lives in `:persistent_term`, keyed by base URL, for the lifetime of the
+  BEAM. Re-fetch on next call after `clear_cache/0`.
+  """
+
+  require Logger
+
+  @persistent_term_key {__MODULE__, :discovery}
+  @request_timeout 5_000
+
+  @doc """
+  Returns the IdP's `end_session_endpoint` URL.
+
+  - `{:ok, url}` if discovery succeeds (and is cached for future calls)
+  - `{:error, reason}` if the IdP is unreachable, the document is malformed,
+    or the field is missing
+  """
+  @spec end_session_endpoint(String.t()) :: {:ok, String.t()} | {:error, term()}
+  def end_session_endpoint(base_url) when is_binary(base_url) do
+    case fetch_cached(base_url) do
+      {:ok, %{"end_session_endpoint" => url}} when is_binary(url) -> {:ok, url}
+      {:ok, _config} -> {:error, :no_end_session_endpoint}
+      {:error, _} = err -> err
+    end
+  end
+
+  @doc """
+  Clears the cached discovery documents. Intended for tests.
+  """
+  @spec clear_cache() :: :ok
+  def clear_cache do
+    :persistent_term.erase(@persistent_term_key)
+    :ok
+  end
+
+  @doc """
+  Seeds the cache with a fixed result for a base URL. Intended for tests so the
+  HTTP fetch is skipped.
+  """
+  @spec put_cache(String.t(), {:ok, map()} | {:error, term()}) :: :ok
+  def put_cache(base_url, result) when is_binary(base_url) do
+    cache = :persistent_term.get(@persistent_term_key, %{})
+    :persistent_term.put(@persistent_term_key, Map.put(cache, base_url, result))
+    :ok
+  end
+
+  defp fetch_cached(base_url) do
+    cache = :persistent_term.get(@persistent_term_key, %{})
+
+    case Map.fetch(cache, base_url) do
+      {:ok, result} ->
+        result
+
+      :error ->
+        result = fetch(base_url)
+        :persistent_term.put(@persistent_term_key, Map.put(cache, base_url, result))
+        result
+    end
+  end
+
+  defp fetch(base_url) do
+    url = String.trim_trailing(base_url, "/") <> "/.well-known/openid-configuration"
+
+    case Req.get(url,
+           receive_timeout: @request_timeout,
+           connect_options: [timeout: @request_timeout]
+         ) do
+      {:ok, %Req.Response{status: 200, body: body}} when is_map(body) ->
+        {:ok, body}
+
+      {:ok, %Req.Response{status: status}} ->
+        Logger.warning("OIDC discovery returned HTTP #{status} for #{url}")
+        {:error, {:http_status, status}}
+
+      {:error, reason} ->
+        Logger.warning("OIDC discovery request failed for #{url}: #{inspect(reason)}")
+        {:error, reason}
+    end
+  end
+end
--- a/lib/mv_web/controllers/auth_controller.ex
+++ b/lib/mv_web/controllers/auth_controller.ex
@ -16,6 +16,7 @@ defmodule MvWeb.AuthController do

  alias Mv.Accounts.User.Errors.PasswordVerificationRequired
  alias Mv.Config
+  alias Mv.Oidc.Discovery

  def success(conn, {:password, :sign_in} = _activity, user, token) do
    if Config.oidc_only?() do
@ -337,11 +338,28 @@ defmodule MvWeb.AuthController do
  defp redact_url(_), do: "[redacted]"

  def sign_out(conn, _params) do
-    return_to = get_session(conn, :return_to) || ~p"/"
+    conn = clear_session(conn, :mv) |> put_flash(:success, gettext("You are now signed out"))

-    conn
-    |> clear_session(:mv)
-    |> put_flash(:success, gettext("You are now signed out"))
-    |> redirect(to: return_to)
+    case oidc_end_session_url() do
+      {:ok, url} ->
+        redirect(conn, external: url)
+
+      :no_oidc ->
+        redirect(conn, to: get_session(conn, :return_to) || ~p"/")
+
+      {:error, _reason} ->
+        # IdP discovery failed — fall back to local logout. The user's IdP session
+        # is still active, so OIDC_ONLY setups may auto-re-login. Better than
+        # blocking logout entirely.
+        redirect(conn, to: ~p"/sign-in?oidc_failed=1")
+    end
+  end
+
+  defp oidc_end_session_url do
+    if Config.oidc_configured?() do
+      Discovery.end_session_endpoint(Config.oidc_base_url())
+    else
+      :no_oidc
+    end
  end
 end