Add to SAML logout logic

Signed-off-by: Craig Perkins <cwperx@amazon.com>
opensearch-project · Aug 27, 2024 · 1a47c48 · 1a47c48
1 parent 49d42b5
commit 1a47c48
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 9 deletions.
diff --git a/public/apps/account/utils.tsx b/public/apps/account/utils.tsx
@@ -43,11 +43,13 @@ export async function logout(http: HttpStart, logoutUrl?: string): Promise<void>
   setShouldShowTenantPopup(null);
   // Clear everything in the sessionStorage since they can contain sensitive information
   sessionStorage.clear();
-  const nextUrl = encodeURIComponent(
-    window.location.pathname + window.location.search + window.location.hash
-  );
-  window.location.href =
-    logoutUrl || `${http.basePath.serverBasePath}/app/login?nextUrl=${nextUrl}`;
+  if (logoutUrl) {
+    window.location.href = logoutUrl;
+  } else {
+    // when session timed out, user credentials in cookie are wiped out
+    // refresh the page will direct the user to go through login process
+    window.location.reload();
+  }
 }
 
 export async function externalLogout(http: HttpStart, logoutEndpoint: string): Promise<void> {

diff --git a/public/utils/logout-utils.tsx b/public/utils/logout-utils.tsx
@@ -38,7 +38,7 @@ export function interceptError(logoutUrl: string, thisWindow: Window): any {
           thisWindow.location.href = logoutUrl;
         } else {
           // when session timed out, user credentials in cookie are wiped out
-          // refres the page will direct the user to go through login process
+          // refresh the page will direct the user to go through login process
           thisWindow.location.reload();
         }
       }

diff --git a/server/auth/types/openid/routes.ts b/server/auth/types/openid/routes.ts
@@ -266,7 +266,7 @@ export class OpenIdAuthRoutes {
           ? tokenFromExtraStorage.split(' ')[1]
           : cookie?.credentials.authHeaderValue.split(' ')[1]; // get auth token
         let nextUrl = getBaseRedirectUrl(this.config, this.core, request);
-        if (request.url.searchParams.has('nextUrl')) {
+        if (request.url.searchParams.has('nextUrl') && !!request.url.searchParams.get('nextUrl')) {
           nextUrl = `${nextUrl}/app/login?nextUrl=${encodeURIComponent(
             request.url.searchParams.get('nextUrl') || ''
           )}`;

diff --git a/server/auth/types/saml/routes.ts b/server/auth/types/saml/routes.ts
@@ -392,9 +392,15 @@ export class SamlAuthRoutes {
             this.getExtraAuthStorageOptions(context.security_plugin.logger)
           );
           this.sessionStorageFactory.asScoped(request).clear();
+
+          let loginUrl = `${this.coreSetup.http.basePath.serverBasePath}/app/login`;
+          if (request.url.searchParams.has('nextUrl')) {
+            loginUrl = `${loginUrl}?nextUrl=${encodeURIComponent(
+              request.url.searchParams.get('nextUrl') || ''
+            )}`;
+          }
           // TODO: need a default logout page
-          const redirectUrl =
-            authInfo.sso_logout_url || this.coreSetup.http.basePath.serverBasePath || '/';
+          const redirectUrl = authInfo.sso_logout_url || loginUrl;
           return response.redirected({
             headers: {
               location: redirectUrl,