fix(auth): trigger RP-initiated logout at OIDC provider

2026-06-01 19:59:52 +02:00 · 2026-06-01 19:59:52 +02:00 · ba66bc15db
commit ba66bc15db
parent 22955bdd9e
4 changed files with 192 additions and 6 deletions
--- a/lib/mv_web/controllers/auth_controller.ex
+++ b/lib/mv_web/controllers/auth_controller.ex
@ -16,6 +16,7 @@ defmodule MvWeb.AuthController do

  alias Mv.Accounts.User.Errors.PasswordVerificationRequired
  alias Mv.Config
+  alias Mv.Oidc.Discovery

  def success(conn, {:password, :sign_in} = _activity, user, token) do
    if Config.oidc_only?() do
@ -337,11 +338,28 @@ defmodule MvWeb.AuthController do
  defp redact_url(_), do: "[redacted]"

  def sign_out(conn, _params) do
-    return_to = get_session(conn, :return_to) || ~p"/"
+    conn = clear_session(conn, :mv) |> put_flash(:success, gettext("You are now signed out"))

-    conn
-    |> clear_session(:mv)
-    |> put_flash(:success, gettext("You are now signed out"))
-    |> redirect(to: return_to)
+    case oidc_end_session_url() do
+      {:ok, url} ->
+        redirect(conn, external: url)
+
+      :no_oidc ->
+        redirect(conn, to: get_session(conn, :return_to) || ~p"/")
+
+      {:error, _reason} ->
+        # IdP discovery failed — fall back to local logout. The user's IdP session
+        # is still active, so OIDC_ONLY setups may auto-re-login. Better than
+        # blocking logout entirely.
+        redirect(conn, to: ~p"/sign-in?oidc_failed=1")
+    end
+  end
+
+  defp oidc_end_session_url do
+    if Config.oidc_configured?() do
+      Discovery.end_session_endpoint(Config.oidc_base_url())
+    else
+      :no_oidc
+    end
  end
 end