From 3425bc0349f54840f198c3fdbfef32f6bbc98e5d Mon Sep 17 00:00:00 2001
From: Florian
Date: Fri, 1 Mar 2024 07:39:01 +0100
Subject: [PATCH] Ensure that the OAuth2 session is logged out when users log out from pgAdmin. #7193
---
 web/config.py | 7 ++++++-
 web/pgadmin/authenticate/oauth2.py | 15 +++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/web/config.py b/web/config.py
index 84041cdd8..933671d6f 100644
--- a/web/config.py
+++ b/web/config.py
@@ -802,7 +802,12 @@ OAUTH2_CONFIG = [
 # for OAuth2 provider.
 # This may need to set False, in case of self-signed certificates.
 # Ref: https://github.com/psf/requests/issues/6071
- 'OAUTH2_SSL_CERT_VERIFICATION': True
+ 'OAUTH2_SSL_CERT_VERIFICATION': True,
+ # set this variable to invalidate the session of the oauth2 provider
+ # Example for keycloak:
+ # 'OAUTH2_LOGOUT_URL':
+ # 'https://example.com/realms/master/protocol/openid-connect/logout?post_logout_redirect_uri={redirect_uri}&id_token_hint={id_token}'
+ 'OAUTH2_LOGOUT_URL': None
 }
 ]
diff --git a/web/pgadmin/authenticate/oauth2.py b/web/pgadmin/authenticate/oauth2.py
index 91ac7c228..63c7c5dbc 100644
--- a/web/pgadmin/authenticate/oauth2.py
+++ b/web/pgadmin/authenticate/oauth2.py
@@ -69,11 +69,21 @@ def init_app(app):
 methods=['GET', 'POST'])
 @pgCSRFProtect.exempt
 def oauth_logout():
+ id_token = session['oauth2_token']['id_token']
+ logout_url = None
+ if 'oauth2_logout_url' in session:
+ logout_url = session['oauth2_logout_url']
+
 if not current_user.is_authenticated:
 return redirect(get_safe_post_logout_redirect())
 for key in list(session.keys()):
 session.pop(key)
+ logout_user()
+ if logout_url:
+ return redirect(logout_url.format(
+ redirect_uri=request.url_root,
+ id_token=id_token))
 return redirect(get_safe_post_logout_redirect())
 app.register_blueprint(blueprint)
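Review bot: The new comment above `'OAUTH2_LOGOUT_URL': None` in the config.py hunk does not say how the `{redirect_uri}` and `{id_token}` placeholders in the Keycloak example get filled, which an operator needs to know before pointing this at a provider. I would extend it with `# Placeholders are str.format fields: {redirect_uri} becomes pgAdmin's root URL and {id_token} the OIDC id_token stored at login, so any literal '{' or '}' in the URL must be doubled.` and `# The provider will presumably have to allow that root URL as a post-logout redirect target.` The second sentence is about provider behaviour rather than anything visible here and should be checked against the provider in use. `OAUTH2_CONFIG` starts before the hunk.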
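Review bot: `id_token = session['oauth2_token']['id_token']` on the first added line of `oauth_logout` runs before the `is_authenticated` guard and indexes the session unconditionally, so a request that reaches `/logout` without an OAuth2 token in the session (not logged in, or a provider that returned no `id_token` because the `openid` scope was not requested) raises KeyError and answers 500 instead of redirecting. The later `logout_url.format(redirect_uri=request.url_root, id_token=id_token)` also drops both values into a query string unencoded, so `:` and `/` from the root URL and any `&` or `=` in a token end up as raw query syntax; percent-encoding them with `urllib.parse.quote(..., safe='')` (add `from urllib.parse import quote` at the top of the file) keeps each value a single parameter. I would read both values with `.get()` after the guard and take the provider redirect only when both are present; if the provider accepts a logout without `id_token_hint`, the second condition can be relaxed. `request.url_root` is derived from the Host header, so behind a reverse proxy it is only as trustworthy as the proxy's header handling, which this hunk cannot show. `init_app`, which encloses `oauth_logout`, starts before the hunk.
```python
    def oauth_logout():
        if not current_user.is_authenticated:
            return redirect(get_safe_post_logout_redirect())
        # Read both values before the session is wiped; .get() tolerates a
        # session without an OAuth2 token or without an id_token.
        id_token = session.get('oauth2_token', {}).get('id_token')
        logout_url = session.get('oauth2_logout_url')
        for key in list(session.keys()):
            session.pop(key)
        logout_user()
        if logout_url and id_token:
            # quote(..., safe='') so the substituted values cannot add or
            # alter query parameters of the provider's logout URL.
            return redirect(logout_url.format(
                redirect_uri=quote(request.url_root, safe=''),
                id_token=quote(id_token, safe='')))
        return redirect(get_safe_post_logout_redirect())
```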
@@ -202,6 +212,11 @@ class OAuth2Authentication(BaseAuthentication):
 session['pass_enc_key'] = session['oauth2_token']['access_token']
+ if 'OAUTH2_LOGOUT_URL' in self.oauth2_config[ self.oauth2_current_client]:
+ session['oauth2_logout_url'] = self.oauth2_config[ self.oauth2_current_client]['OAUTH2_LOGOUT_URL']
+
 resp = self.oauth2_clients[self.oauth2_current_client].get( self.oauth2_config[ self.oauth2_current_client]['OAUTH2_USERINFO_ENDPOINT'],