AuthN: Fix signout redirect url (#87631)

* Add missing return

* Use sign out redirect url from auth config if configured

* remove option from auth.jwt that is not used

conf/defaults.ini

@@ -875,7 +875,6 @@ auto_sign_up = false
 url_login = false
 allow_assign_grafana_admin = false
 skip_org_role_sync = false
-signout_redirect_url =
 
 #################################### Auth LDAP ###########################
 [auth.ldap]

pkg/api/login.go

@@ -254,6 +254,7 @@ func (hs *HTTPServer) Logout(c *contextmodel.ReqContext) {
 	if err != nil {
 		hs.log.Error("Failed perform proper logout", "error", err)
 		c.Redirect(hs.Cfg.AppSubURL + "/login")
+		return
 	}
 
 	_, id := c.SignedInUser.GetNamespacedID()

pkg/services/authn/authnimpl/service.go

@@ -17,7 +17,6 @@ import (
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/infra/usagestats"
 	"github.com/grafana/grafana/pkg/services/auth"
-	"github.com/grafana/grafana/pkg/services/auth/identity"
 	"github.com/grafana/grafana/pkg/services/authn"
 	"github.com/grafana/grafana/pkg/services/authn/clients"
 	"github.com/grafana/grafana/pkg/services/user"
@@ -265,15 +264,17 @@ func (s *Service) Logout(ctx context.Context, user authn.Requester, sessionToken
 	defer span.End()
 
 	redirect := &authn.Redirect{URL: s.cfg.AppSubURL + "/login"}
+	if s.cfg.SignoutRedirectUrl != "" {
+		redirect.URL = s.cfg.SignoutRedirectUrl
+	}
 
-	namespace, id := user.GetNamespacedID()
+	if !user.GetID().IsNamespace(authn.NamespaceUser) {
-	if namespace != authn.NamespaceUser {
 		return redirect, nil
 	}
 
-	userID, err := identity.IntIdentifier(namespace, id)
+	id, err := user.GetID().ParseInt()
 	if err != nil {
-		s.log.FromContext(ctx).Debug("Invalid user id", "id", userID, "err", err)
+		s.log.FromContext(ctx).Debug("Invalid user id", "id", id, "err", err)
 		return redirect, nil
 	}
 
@@ -301,7 +302,7 @@ func (s *Service) Logout(ctx context.Context, user authn.Requester, sessionToken
 	}
 
 Default:
-	if err = s.sessionService.RevokeToken(ctx, sessionToken, false); err != nil {
+	if err = s.sessionService.RevokeToken(ctx, sessionToken, false); err != nil && !errors.Is(err, auth.ErrUserTokenNotFound) {
 		return nil, err
 	}
 

pkg/services/authn/authnimpl/service_test.go

@@ -410,6 +410,7 @@ func TestService_Logout(t *testing.T) {
 		sessionToken *usertoken.UserToken
 
 		client             authn.Client
+		signoutRedirectURL string
 
 		expectedErr          error
 		expectedTokenRevoked bool
@@ -441,6 +442,14 @@ func TestService_Logout(t *testing.T) {
 			client:               &authntest.FakeClient{ExpectedName: "auth.client.azuread"},
 			expectedTokenRevoked: true,
 		},
+		{
+			desc:                 "should use signout redirect url if configured",
+			identity:             &authn.Identity{ID: authn.NewNamespaceID(authn.NamespaceUser, 1), AuthenticatedBy: "azuread"},
+			expectedRedirect:     &authn.Redirect{URL: "some-url"},
+			client:               &authntest.FakeClient{ExpectedName: "auth.client.azuread"},
+			signoutRedirectURL:   "some-url",
+			expectedTokenRevoked: true,
+		},
 		{
 			desc:             "should redirect to client specific url",
 			identity:         &authn.Identity{ID: authn.NewNamespaceID(authn.NamespaceUser, 1), AuthenticatedBy: "azuread"},
@@ -473,6 +482,10 @@ func TestService_Logout(t *testing.T) {
 						return nil
 					},
 				}
+
+				if tt.signoutRedirectURL != "" {
+					svc.cfg.SignoutRedirectUrl = tt.signoutRedirectURL
+				}
 			})
 
 			redirect, err := s.Logout(context.Background(), tt.identity, tt.sessionToken)