feat: support OIDC logout with Coder logout

esifea · esifea · commit 6bffc22127a0 · 2025-03-25T07:44:32.000Z
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -1136,6 +1136,7 @@ func New(options *Options) *API {
 				r.Post("/", api.postUser)
 				r.Get("/", api.users)
 				r.Post("/logout", api.postLogout)
+				r.Get("/oidc-logout", api.userOIDCLogoutURL)
 				// These routes query information about site wide roles.
 				r.Route("/roles", func(r chi.Router) {
 					r.Get("/", api.AssignableSiteRoles)
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/mail"
+	"net/url"
 	"sort"
 	"strconv"
 	"strings"
@@ -743,6 +744,95 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 	})
 }
 
+// Returns the OIDC logout URL.
+//
+// @Summary Returns URL for the OIDC logout
+// @ID user-oidc-logout
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Users
+// @Success 200 {object} map[string]string "Returns a map containing the OIDC logout URL"
+// @Router /users/oidc-logout [get]
+func (api *API) userOIDCLogoutURL(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	// Get logged-in user
+	apiKey := httpmw.APIKey(r)
+	user, err := api.Database.GetUserByID(ctx, apiKey.UserID)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
+			Message: "Failed to retrieve user information.",
+		})
+		return
+	}
+
+	// Retrieve the user's OAuthAccessToken for logout
+	// nolint:gocritic // We only can get user link by user ID and login type with the system auth.
+	link, err := api.Database.GetUserLinkByUserIDLoginType(dbauthz.AsSystemRestricted(ctx),
+		database.GetUserLinkByUserIDLoginTypeParams{
+			UserID:    user.ID,
+			LoginType: user.LoginType,
+		})
+	if err != nil {
+		api.Logger.Error(ctx, "failed to retrieve OIDC user link", "error", err)
+		if xerrors.Is(err, sql.ErrNoRows) {
+			httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
+				Message: "No OIDC link found for this user.",
+			})
+		} else {
+			httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+				Message: "Failed to retrieve user authentication data.",
+			})
+		}
+		return
+	}
+
+	rawIDToken := link.OAuthAccessToken
+
+	// Retrieve OIDC environment variables
+	dvOIDC := api.DeploymentValues.OIDC
+	oidcEndpoint := dvOIDC.LogoutEndpoint.Value()
+	oidcClientID := dvOIDC.ClientID.Value()
+	logoutURI := dvOIDC.LogoutRedirectURI.Value()
+
+	if oidcEndpoint == "" {
+		api.Logger.Error(ctx, "missing OIDC logout endpoint")
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "OIDC configuration is missing.",
+		})
+		return
+	}
+
+	// Construct OIDC Logout URL
+	logoutURL, err := url.Parse(oidcEndpoint)
+	if err != nil {
+		api.Logger.Error(ctx, "failed to parse OIDC endpoint", "error", err)
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Invalid OIDC endpoint.",
+		})
+		return
+	}
+
+	// Build parameters
+	q := url.Values{}
+
+	if oidcClientID != "" {
+		q.Set("client_id", oidcClientID)
+	}
+	if rawIDToken != "" {
+		q.Set("id_token_hint", rawIDToken)
+	}
+	if logoutURI != "" {
+		q.Set("logout_uri", logoutURI)
+	}
+
+	logoutURL.RawQuery = q.Encode()
+
+	// Return full logout URL
+	response := map[string]string{"oidc_logout_url": logoutURL.String()}
+	httpapi.Write(ctx, rw, http.StatusOK, response)
+}
+
 // GithubOAuth2Team represents a team scoped to an organization.
 type GithubOAuth2Team struct {
 	Organization string
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -555,6 +555,8 @@ type OIDCConfig struct {
 	IconURL                   serpent.URL                            `json:"icon_url" typescript:",notnull"`
 	SignupsDisabledText       serpent.String                         `json:"signups_disabled_text" typescript:",notnull"`
 	SkipIssuerChecks          serpent.Bool                           `json:"skip_issuer_checks" typescript:",notnull"`
+	LogoutEndpoint            serpent.String                         `json:"logout_endpoint" typescript:",notnull"`
+	LogoutRedirectURI         serpent.String                         `json:"logout_redirect_uri" typescript:",notnull"`
 }
 
 type TelemetryConfig struct {
@@ -1966,6 +1968,26 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 			Group: &deploymentGroupOIDC,
 			YAML:  "dangerousSkipIssuerChecks",
 		},
+		{
+			Name:        "OIDC logout endpoint",
+			Description: "OIDC endpoint for logout.",
+			Flag:        "logout-endpoint",
+			Env:         "CODER_OIDC_LOGOUT_ENDPOINT",
+			Default:     "",
+			Value:       &c.OIDC.LogoutEndpoint,
+			Group:       &deploymentGroupOIDC,
+			YAML:        "logoutEndpoint",
+		},
+		{
+			Name:        "OIDC logout redirect URI",
+			Description: "OIDC redirect URI after logout.",
+			Flag:        "logout-redirect-uri",
+			Env:         "CODER_OIDC_LOGOUT_URI",
+			Default:     "",
+			Value:       &c.OIDC.LogoutRedirectURI,
+			Group:       &deploymentGroupOIDC,
+			YAML:        "logoutRedirectURI",
+		},
 		// Telemetry settings
 		telemetryEnable,
 		{
diff --git a/site/src/api/api.ts b/site/src/api/api.ts
@@ -457,7 +457,26 @@ class ApiMethods {
 	};
 
 	logout = async (): Promise<void> => {
-		return this.axios.post("/api/v2/users/logout");
+    try {
+      // Fetch the stored ID token from the backend
+      const response = await this.axios.get("/api/v2/users/oidc-logout");
+
+      // Redirect to OIDC logout after Coder logout
+      if (response.data.oidc_logout_url) {
+        // Coder session logout
+        await this.axios.post("/api/v2/users/logout");
+
+        // OIDC logout
+        window.location.href = response.data.oidc_logout_url;
+      } else {
+        // Redirect normally if no token is available
+        console.warn("No ID token found, continuing logout without OIDC logout.");
+        return this.axios.post("/api/v2/users/logout");
+      }
+    } catch (error) {
+      console.error("Logout failed", error);
+      return this.axios.post("/api/v2/users/logout");
+    }
 	};
 
 	getAuthenticatedUser = async () => {
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
