Revocation URL (#193)

- grabbing the revocation from the config or idp config
- updating the readme and changelog to reflect changes

CHANGELOG.md

 
+#### **2.0.4**
+
+FEATURES:
+ * Grabbing the revocation-url from the idp config if user override is not specified [#PR193](https://github.com/gambol99/keycloak-proxy/pull/193)
+
 #### **2.0.3**
 
-FEATURES
+FEATURES:
  * Adding the PROXY_ENCRYPTION_KEY environment varable [#PR191](https://github.com/gambol99/keycloak-proxy/pull/191)
 
 #### **2.0.2**

README.md

@@ -437,7 +437,7 @@ At present the only store supported are[Redis](https://github.com/antirez/redis)
 
 #### **Logout Endpoint**
 
-A /oauth/logout?redirect=url is provided as a helper to logout the users, aside from dropping a sessions cookies, we also attempt to revoke session access via revocation url (config revocation-url or --revocation-url) with the provider. For keycloak the url for this would be https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logout, for google /oauth/revoke
+A /oauth/logout?redirect=url is provided as a helper to logout the users. Aside from dropping any sessions cookies, we also attempt to revoke access via revocation url (config revocation-url or --revocation-url) with the provider. For Keycloak the url for this would be https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logout, for google /oauth/revoke. If the url is not specified we will attempt to grab the url from the OpenID discovery response.
 
 #### **Cross Origin Resource Sharing (CORS)**
 

handlers.go

@@ -306,13 +306,14 @@ func (r *oauthProxy) logoutHandler(cx *gin.Context) {
 		}()
 	}
 
+	// step: get the revocation endpoint from either the idp and or the user config
+	revocationURL := defaultTo(r.config.RevocationEndpoint, r.idp.EndSessionEndpoint.String())
+
 	// step: do we have a revocation endpoint?
-	if r.config.RevocationEndpoint != "" {
+	if revocationURL != "" {
 		client, err := r.client.OAuthClient()
 		if err != nil {
-			log.WithFields(log.Fields{
-				"error": err.Error(),
-			}).Errorf("unable to retrieve the openid client")
+			log.WithFields(log.Fields{"error": err.Error()}).Errorf("unable to retrieve the openid client")
 
 			cx.AbortWithStatus(http.StatusInternalServerError)
 			return
@@ -324,12 +325,10 @@ func (r *oauthProxy) logoutHandler(cx *gin.Context) {
 		encodedSecret := url.QueryEscape(r.config.ClientSecret)
 
 		// step: construct the url for revocation
-		request, err := http.NewRequest(http.MethodPost, r.config.RevocationEndpoint,
+		request, err := http.NewRequest(http.MethodPost, revocationURL,
 			bytes.NewBufferString(fmt.Sprintf("refresh_token=%s", identityToken)))
 		if err != nil {
-			log.WithFields(log.Fields{
-				"error": err.Error(),
-			}).Errorf("unable to construct the revocation request")
+			log.WithFields(log.Fields{"error": err.Error()}).Errorf("unable to construct the revocation request")
 
 			cx.AbortWithStatus(http.StatusInternalServerError)
 			return
@@ -342,9 +341,7 @@ func (r *oauthProxy) logoutHandler(cx *gin.Context) {
 		// step: attempt to make the
 		response, err := client.HttpClient().Do(request)
 		if err != nil {
-			log.WithFields(log.Fields{
-				"error": err.Error(),
-			}).Errorf("unable to post to revocation endpoint")
+			log.WithFields(log.Fields{"error": err.Error()}).Errorf("unable to post to revocation endpoint")
 
 			return
 		}