Ensure that the OAuth2 session is logged out when users log out from pgAdmin. #7193

2025-01-07 22:53:45 -06:00 · 2024-03-01 07:39:01 +01:00 · 2024-03-01 07:39:01 +01:00 · 3425bc0349
commit 3425bc0349
parent 7593bb98c1
2 changed files with 21 additions and 1 deletions
--- a/web/config.py
+++ b/web/config.py
@ -802,7 +802,12 @@ OAUTH2_CONFIG = [
        # for OAuth2 provider.
        # This may need to set False, in case of self-signed certificates.
        # Ref: https://github.com/psf/requests/issues/6071
-        'OAUTH2_SSL_CERT_VERIFICATION': True
+        'OAUTH2_SSL_CERT_VERIFICATION': True,
+        # set this variable to invalidate the session of the oauth2 provider
+        # Example for keycloak:
+        # 'OAUTH2_LOGOUT_URL':
+        # 'https://example.com/realms/master/protocol/openid-connect/logout?post_logout_redirect_uri={redirect_uri}&id_token_hint={id_token}'
+        'OAUTH2_LOGOUT_URL': None
    }
 ]

--- a/web/pgadmin/authenticate/oauth2.py
+++ b/web/pgadmin/authenticate/oauth2.py
@ -69,11 +69,21 @@ def init_app(app):
                     methods=['GET', 'POST'])
    @pgCSRFProtect.exempt
    def oauth_logout():
+        id_token = session['oauth2_token']['id_token']
+        logout_url = None
+        if 'oauth2_logout_url' in session:
+            logout_url = session['oauth2_logout_url']
+
        if not current_user.is_authenticated:
            return redirect(get_safe_post_logout_redirect())
        for key in list(session.keys()):
            session.pop(key)
+
        logout_user()
+        if logout_url:
+            return redirect(logout_url.format(
+                redirect_uri=request.url_root,
+                id_token=id_token))
        return redirect(get_safe_post_logout_redirect())

    app.register_blueprint(blueprint)
@ -202,6 +212,11 @@ class OAuth2Authentication(BaseAuthentication):

        session['pass_enc_key'] = session['oauth2_token']['access_token']

+        if 'OAUTH2_LOGOUT_URL' in self.oauth2_config[
+                self.oauth2_current_client]:
+            session['oauth2_logout_url'] = self.oauth2_config[
+                self.oauth2_current_client]['OAUTH2_LOGOUT_URL']
+
        resp = self.oauth2_clients[self.oauth2_current_client].get(
            self.oauth2_config[
                self.oauth2_current_client]['OAUTH2_USERINFO_ENDPOINT'],