From 7dc50d6acab0388d74bddf7eca0daf273f375d91 Mon Sep 17 00:00:00 2001
From: Rohith
Date: Fri, 10 Feb 2017 11:45:27 +0000
Subject: [PATCH] Revocation URL

- grabbing the revocation from the config or idp config
- updating the readme and changelog to reflect changes

---
 CHANGELOG.md | 7 ++++++-
 README.md | 2 +-
 handlers.go | 19 ++++++++-----------
 3 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 775e4821..90ee419b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,12 @@
+#### **2.0.4**
+
+FEATURES:
+ * Grabbing the revocation-url from the idp config if user override is not specified [#PR193](https://github.com/gambol99/keycloak-proxy/pull/193)
+
 #### **2.0.3**
 
-FEATURES
+FEATURES:
  * Adding the PROXY_ENCRYPTION_KEY environment varable [#PR191](https://github.com/gambol99/keycloak-proxy/pull/191)
 
 #### **2.0.2**
 
diff --git a/README.md b/README.md
index ff30ab17..e450dfcd 100644
--- a/README.md
+++ b/README.md
@@ -437,7 +437,7 @@ At present the only store supported are[Redis](https://github.com/antirez/redis)
 
 #### **Logout Endpoint**
 
-A /oauth/logout?redirect=url is provided as a helper to logout the users, aside from dropping a sessions cookies, we also attempt to revoke session access via revocation url (config revocation-url or --revocation-url) with the provider. For keycloak the url for this would be https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logout, for google /oauth/revoke
+A /oauth/logout?redirect=url is provided as a helper to logout the users. Aside from dropping any sessions cookies, we also attempt to revoke access via revocation url (config revocation-url or --revocation-url) with the provider. For Keycloak the url for this would be https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logout, for google /oauth/revoke. If the url is not specified we will attempt to grab the url from the OpenID discovery response.
 
 #### **Cross Origin Resource Sharing (CORS)**
 
diff --git a/handlers.go b/handlers.go
index c14f551b..9291e47b 100644
--- a/handlers.go
+++ b/handlers.go
@@ -306,13 +306,14 @@ func (r *oauthProxy) logoutHandler(cx *gin.Context) {
 }()
 }
 
+ // step: get the revocation endpoint from either the idp and or the user config
+ revocationURL := defaultTo(r.config.RevocationEndpoint, r.idp.EndSessionEndpoint.String())
+
 // step: do we have a revocation endpoint?
- if r.config.RevocationEndpoint != "" {
+ if revocationURL != "" {
 client, err := r.client.OAuthClient()
 if err != nil {
- log.WithFields(log.Fields{
- "error": err.Error(),
- }).Errorf("unable to retrieve the openid client")
+ log.WithFields(log.Fields{"error": err.Error()}).Errorf("unable to retrieve the openid client")
 cx.AbortWithStatus(http.StatusInternalServerError)
 
 return
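Review bot: `r.idp.EndSessionEndpoint.String()` in the new `defaultTo` call is evaluated unconditionally, even when `RevocationEndpoint` is configured, and if `EndSessionEndpoint` is a `*url.URL` (as in go-oidc's ProviderConfig; its type is not visible here) it is nil whenever the discovery document omits `end_session_endpoint` — which the README's Google example suggests can happen — so the logout handler would panic. Guarding the pointer and only consulting the IdP value when no override is set avoids that. A second caveat worth a comment: `end_session_endpoint` is the OIDC RP-initiated logout endpoint, not an RFC 7009 `revocation_endpoint`; posting `refresh_token=…` with client credentials to it is Keycloak behaviour rather than something other providers promise, so the fallback should be documented as Keycloak-specific. logoutHandler starts and ends outside the hunk.
```go
	// step: prefer the configured override; fall back to the idp's end_session_endpoint
	// (Keycloak accepts a refresh_token POST there; other providers may not)
	revocationURL := r.config.RevocationEndpoint
	if revocationURL == "" && r.idp.EndSessionEndpoint != nil {
		revocationURL = r.idp.EndSessionEndpoint.String()
	}
	// … unchanged: revocation request …
```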
@@ -324,12 +325,10 @@ func (r *oauthProxy) logoutHandler(cx *gin.Context) {
 encodedSecret := url.QueryEscape(r.config.ClientSecret)
 
 // step: construct the url for revocation
- request, err := http.NewRequest(http.MethodPost, r.config.RevocationEndpoint,
+ request, err := http.NewRequest(http.MethodPost, revocationURL,
 bytes.NewBufferString(fmt.Sprintf("refresh_token=%s", identityToken)))
 if err != nil {
- log.WithFields(log.Fields{
- "error": err.Error(),
- }).Errorf("unable to construct the revocation request")
+ log.WithFields(log.Fields{"error": err.Error()}).Errorf("unable to construct the revocation request")
 cx.AbortWithStatus(http.StatusInternalServerError)
 
 return
@@ -342,9 +341,7 @@ func (r *oauthProxy) logoutHandler(cx *gin.Context) {
 // step: attempt to make the
 response, err := client.HttpClient().Do(request)
 if err != nil {
- log.WithFields(log.Fields{
- "error": err.Error(),
- }).Errorf("unable to post to revocation endpoint")
+ log.WithFields(log.Fields{"error": err.Error()}).Errorf("unable to post to revocation endpoint")
 
 return
 }
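Review bot: The request body handed to http.NewRequest is still `fmt.Sprintf("refresh_token=%s", identityToken)` with the token unescaped, while two lines above the client secret is run through `url.QueryEscape`; a token containing `&`, `+` or `=` would corrupt the form body. Encode it the same way, with the package already imported here: `bytes.NewBufferString(url.Values{"refresh_token": {identityToken}}.Encode())`. The variable named identityToken is sent as `refresh_token` and its assignment is outside the hunk, so a one-line comment stating which token this endpoint expects would help the next reader. logoutHandler starts and ends outside the hunk.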
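Review bot: Now that the endpoint may come from IdP discovery rather than the config, the error logged when the POST fails should say which URL was used, otherwise an operator cannot tell whether the override or the discovered value was hit: `log.WithFields(log.Fields{"error": err.Error(), "url": revocationURL}).Errorf("unable to post to revocation endpoint")`. This branch also returns without `cx.AbortWithStatus`, unlike the two earlier error paths in this function; if that is deliberate best-effort behaviour (the session cookies are presumably dropped earlier, outside the hunk), a comment saying so would stop the next reader from treating it as an omission. logoutHandler ends outside the hunk, so the handling of `response` that follows is not visible here.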