Unverified commit d6af5224, authored by Rohith Jayawardene, committed by GitHub

Provider Logout Redirect (#327)

* Provider Logout Redirect

- adding the --enable-logout-redirect cli to permit redirecting to the provider logout
- updated the changelog

* - fixed some of the spelling mistakes in the CHANGELOG
parent 5705f8ea
...@@ -2,11 +2,12 @@ ...@@ -2,11 +2,12 @@
#### **2.1.2 (Unreleased)** #### **2.1.2 (Unreleased)**
FEATURES: FEATURES:
* Added a --enable-default-deny option to make denial by default [#PR320](https://github.com/gambol99/keycloak-proxy/pull/320) * Added a --enable-default-deny option to make denial by default [#PR320](https://github.com/gambol99/keycloak-proxy/pull/320)
* Added metrics latency metrics for the forwarding proxy and the certificate rotation [#PR325](https://github.com/gambol99/keycloak-proxy/pull/325) * Added metrics latency metrics for the forwarding proxy and the certificate rotation [#PR325](https://github.com/gambol99/keycloak-proxy/pull/325)
* Added spelling check to the tests [#PR322](https://github.com/gambol99/keycloak-proxy/pull/322) * Added spelling check to the tests [#PR322](https://github.com/gambol99/keycloak-proxy/pull/322)
* Added the X-Auth-Audience to the upstream headers [#PR319](https://github.com/gambol99/keycloak-proxy/pull/319) * Added the X-Auth-Audience to the upstream headers [#PR319](https://github.com/gambol99/keycloak-proxy/pull/319)
* Added the ability to control the timeout on the initial openid configuration from .well-known/openid-configuration [#PR315](https://github.com/gambol99/keycloak-proxy/pull/315) * Added the ability to control the timeout on the initial openid configuration from .well-known/openid-configuration [#PR315](https://github.com/gambol99/keycloak-proxy/pull/315)
* Added a `enable-logout-redirect` which redirects the /oauth/logout to the provider [#PR327](https://github.com/gambol99/keycloak-proxy/pull/327)
* Adding additional metrics covering provider request latency, token breakdown [#PR324](https://github.com/gambol99/keycloak-proxy/pull/324) * Adding additional metrics covering provider request latency, token breakdown [#PR324](https://github.com/gambol99/keycloak-proxy/pull/324)
* Added environment variables alternatives for the forwarding username and password [#PR329]https://github.com/gambol99/keycloak-proxy/pull/329) * Added environment variables alternatives for the forwarding username and password [#PR329]https://github.com/gambol99/keycloak-proxy/pull/329)
* Changed the upstream-keepalive to default to true [#PR321](https://github.com/gambol99/keycloak-proxy/pull/321) * Changed the upstream-keepalive to default to true [#PR321](https://github.com/gambol99/keycloak-proxy/pull/321)
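Review bot: the new #PR327 entry reads "Added a `enable-logout-redirect`", while the neighbouring entries write options with their leading dashes and no backticks (for example --enable-default-deny). Suggest "Added an --enable-logout-redirect option which redirects /oauth/logout to the provider" so the list stays consistent. While this block is being touched, the #PR329 entry in the context lines is missing the opening parenthesis before its URL, so that link will not render.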
...@@ -133,7 +134,7 @@ FIXES: ...@@ -133,7 +134,7 @@ FIXES:
* Fixed the --headers and --tags command line options, had a typo on the mergeMaps method [#PR142](https://github.com/gambol99/keycloak-proxy/pull/142) * Fixed the --headers and --tags command line options, had a typo on the mergeMaps method [#PR142](https://github.com/gambol99/keycloak-proxy/pull/142)
* Cleaned up how the cli command line options are processed [#PR164](https://github.com/gambol99/keycloak-proxy/pull/164) * Cleaned up how the cli command line options are processed [#PR164](https://github.com/gambol99/keycloak-proxy/pull/164)
* Cleaned up the option checking for forwarding proxy tls setting [#PR163](https://github.com/gambol99/keycloak-proxy/pull/163) * Cleaned up the option checking for forwarding proxy tls setting [#PR163](https://github.com/gambol99/keycloak-proxy/pull/163)
* Using timeout rather than muliple attempts for discovery url [#PR153](https://github.com/gambol99/keycloak-proxy/pull/153) * Using timeout rather than multiple attempts for discovery url [#PR153](https://github.com/gambol99/keycloak-proxy/pull/153)
* Updated the go-oidc library with various fixes [#PR159](https://github.com/gambol99/keycloak-proxy/pull/159) * Updated the go-oidc library with various fixes [#PR159](https://github.com/gambol99/keycloak-proxy/pull/159)
BREAKING CHANGES: BREAKING CHANGES:
...@@ -202,7 +203,7 @@ CHANGES: ...@@ -202,7 +203,7 @@ CHANGES:
* Updated the godeps for codegangsta cli to it's renamed version * Updated the godeps for codegangsta cli to it's renamed version
FIXES: FIXES:
* Fixed the environment variable command line options, the IsSet in cli does not check enviroment * Fixed the environment variable command line options, the IsSet in cli does not check environment
variable setters variable setters
#### **1.2.2** #### **1.2.2**
...@@ -287,7 +288,7 @@ BREAKING CHANGES: ...@@ -287,7 +288,7 @@ BREAKING CHANGES:
#### **1.0.2 (April 22th, 2016)** #### **1.0.2 (April 22th, 2016)**
FIXES: FIXES:
* Cleaned up a lot of code base to make this simplier * Cleaned up a lot of code base to make this simpler
* Fixed elements in the refresh tokens and simplified the controller * Fixed elements in the refresh tokens and simplified the controller
* Removed of the code out from methods into functions to reduce the dependencies (unit testing is easier as well) * Removed of the code out from methods into functions to reduce the dependencies (unit testing is easier as well)
* Fixed how the refresh tokens are implemented, i was somewhat confused between refresh token and offline token * Fixed how the refresh tokens are implemented, i was somewhat confused between refresh token and offline token
......
...@@ -176,6 +176,8 @@ type Config struct { ...@@ -176,6 +176,8 @@ type Config struct {
// Headers permits adding customs headers across the board // Headers permits adding customs headers across the board
Headers map[string]string `json:"headers" yaml:"headers" usage:"custom headers to the upstream request, key=value"` Headers map[string]string `json:"headers" yaml:"headers" usage:"custom headers to the upstream request, key=value"`
// EnableLogoutRedirect indicates we should redirect to the identity provider for logging out
EnableLogoutRedirect bool `json:"enable-logout-redirect" yaml:"enable-logout-redirect" usage:"indicates we should redirect to the identity provider for logging out"`
// EnableDefaultDeny indicates we should deny by default all requests // EnableDefaultDeny indicates we should deny by default all requests
EnableDefaultDeny bool `json:"enable-default-deny" yaml:"enable-default-deny" usage:"enables a default denial on all requests, you have to explicitly say what is permitted (recommended)"` EnableDefaultDeny bool `json:"enable-default-deny" yaml:"enable-default-deny" usage:"enables a default denial on all requests, you have to explicitly say what is permitted (recommended)"`
// EnableEncryptedToken indicates the access token should be encoded // EnableEncryptedToken indicates the access token should be encoded
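Review bot: the usage string on EnableLogoutRedirect only repeats the field comment and does not tell an operator what changes when the flag is set. Going by the handler change in this same commit, enabling it makes logoutHandler return before the revocation endpoint step, and the target is built from DiscoveryURL with a fixed /protocol/openid-connect/logout path. Both are worth stating in the comment or usage text so the option is not switched on under the assumption that revocation still happens.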
......
...@@ -315,6 +315,16 @@ func (r *oauthProxy) logoutHandler(w http.ResponseWriter, req *http.Request) { ...@@ -315,6 +315,16 @@ func (r *oauthProxy) logoutHandler(w http.ResponseWriter, req *http.Request) {
} }
revocationURL := defaultTo(r.config.RevocationEndpoint, revokeDefault) revocationURL := defaultTo(r.config.RevocationEndpoint, revokeDefault)
// @check if we should redirect to the provider
if r.config.EnableLogoutRedirect {
redirectURL := fmt.Sprintf("%s/protocol/openid-connect/logout?redirect_uri=%s",
strings.TrimSuffix(r.config.DiscoveryURL, "/.well-known/openid-configuration"), redirectURL)
r.redirectToURL(redirectURL, w, req)
return
}
// step: do we have a revocation endpoint? // step: do we have a revocation endpoint?
if revocationURL != "" { if revocationURL != "" {
client, err := r.client.OAuthClient() client, err := r.client.OAuthClient()
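Review bot: the redirect_uri value in the fmt.Sprintf call is interpolated into the query string without escaping, so unless the outer redirectURL is already encoded above this hunk, any "&", "#" or "?" in it will be parsed by the provider as part of the logout URL rather than as the return address; pass it through url.QueryEscape(redirectURL). The inner "redirectURL :=" also shadows the outer variable it reads from, which makes the line harder to audit; a distinct name such as logoutURL would be clearer. Two further points: the early return sits above the "do we have a revocation endpoint?" step, so with the flag enabled that step is never reached, and it is worth confirming that skipping revocation is intended. And the /protocol/openid-connect/logout path obtained by trimming DiscoveryURL is Keycloak's URL layout; reading end_session_endpoint from the discovery document, where the provider publishes one, would avoid hard-coding it.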
......