Merge pull request #667 from zengyan-amazon/logout-query

Allow adding query parameters to OIDC logout url

Author: zengyan-amazon

server/auth/types/openid/helper.test.ts

@@ -0,0 +1,58 @@
+/*
+ *   Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { composeLogoutUrl } from './helper';
+
+describe('test OIDC helper utility', () => {
+  test('test compose logout url', () => {
+    const idpEndSessionUrl = 'https://idp.com/path';
+    const customLogoutUrl = 'https://customurl.com/path';
+    const additionalQuery = { key: 'value' };
+
+    expect('https://customurl.com/path?key=value').toEqual(
+      composeLogoutUrl(customLogoutUrl, idpEndSessionUrl, additionalQuery)
+    );
+  });
+
+  test('test compose logout url when no custom logout url', () => {
+    const idpEndSessionUrl = 'https://idp.com/path';
+    const customLogoutUrl = '';
+    const additionalQuery = { key: 'value' };
+
+    expect('https://idp.com/path?key=value').toEqual(
+      composeLogoutUrl(customLogoutUrl, idpEndSessionUrl, additionalQuery)
+    );
+  });
+
+  test('test compse logout url when custom url has query parameter', () => {
+    const idpEndSessionUrl = 'https://idp.com/path';
+    const customLogoutUrl = 'https://customurl.com/path?a=b';
+    const additionalQuery = { key: 'value' };
+
+    expect('https://customurl.com/path?a=b&key=value').toEqual(
+      composeLogoutUrl(customLogoutUrl, idpEndSessionUrl, additionalQuery)
+    );
+  });
+
+  test('test compse logout url when idp end session url has query parameter', () => {
+    const idpEndSessionUrl = 'https://idp.com/path?a=b';
+    const customLogoutUrl = '';
+    const additionalQuery = { key: 'value' };
+
+    expect('https://idp.com/path?a=b&key=value').toEqual(
+      composeLogoutUrl(customLogoutUrl, idpEndSessionUrl, additionalQuery)
+    );
+  });
+});

server/auth/types/openid/helper.ts

@@ -70,6 +70,19 @@ export async function callTokenEndpoint(tokenEndpoint: string, query: any): Prom
   };
 }
 
+export function composeLogoutUrl(
+  customLogoutUrl: string | undefined,
+  idpEndsessionEndpoint: string | undefined,
+  additionalQueryParams: any
+) {
+  const logoutEndpont = customLogoutUrl || idpEndsessionEndpoint;
+  const logoutUrl = new URL(logoutEndpont!);
+  Object.keys(additionalQueryParams).forEach((key) => {
+    logoutUrl.searchParams.append(key, additionalQueryParams[key] as string);
+  });
+  return logoutUrl.toString();
+}
+
 export interface TokenResponse {
   idToken?: string;
   accessToken?: string;

server/auth/types/openid/routes.ts

@@ -26,7 +26,7 @@ import { SecuritySessionCookie } from '../../../session/security_cookie';
 import { SecurityPluginConfigType } from '../../..';
 import { OpenIdAuthConfig } from './openid_auth';
 import { SecurityClient } from '../../../backend/opendistro_security_client';
-import { getBaseRedirectUrl, callTokenEndpoint } from './helper';
+import { getBaseRedirectUrl, callTokenEndpoint, composeLogoutUrl } from './helper';
 import { validateNextUrl } from '../../../utils/next_url';
 
 export class OpenIdAuthRoutes {
@@ -190,9 +190,11 @@ export class OpenIdAuthRoutes {
           id_token_hint: token,
         };
 
-        const logoutBaseUri =
-          this.config.openid?.logout_url || this.openIdAuthConfig.endSessionEndpoint;
-        const endSessionUrl = `${logoutBaseUri}?${stringify(logoutQueryParams)}`;
+        const endSessionUrl = composeLogoutUrl(
+          this.config.openid?.logout_url,
+          this.openIdAuthConfig.endSessionEndpoint,
+          logoutQueryParams
+        );
 
         return response.redirected({
           headers: {