redirect_url for logout #54

Open
ghost opened this issue Mar 11, 2024 · 7 comments

Comments

@ghost commented Mar 11, 2024

I'm using caddy-security to provide auth to a few webapps that are behind reverse_proxy.
Some of these custom apps are basic static files that want to have a simple logout url.
After logout they want to redirect to their own custom logout page.

If I'm not missing something perhaps a feature like this would be nice:

https://caddy-security-portal.hostname/logout?redirect_url=<custom>
@ghost ghost assigned greenpau Mar 11, 2024
@greenpau (Owner) commented

@s8weber-uw, added the feature to https://github.com/greenpau/go-authcrunch/releases/tag/v1.0.49 and will be adding directives to caddy-security shortly.

@greenpau (Owner) commented

@s8weber-uw, this is now available with https://github.com/greenpau/caddy-security/releases/tag/v1.1.26

The documentation for the feature is here: https://docs.authcrunch.com/docs/authenticate/misc#logout

Please test.

@steverweber commented Mar 15, 2024

I'm not having much luck. Perhaps something simple I'm overlooking.

FROM caddy:2.7-builder AS builder
RUN xcaddy build --with github.com/greenpau/[email protected]
FROM caddy:2.7
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Caddyfile:

{
  security {
    oauth identity provider generic {
      realm generic
      driver generic
      client_id {env.CLIENT_ID}
      client_secret {env.CLIENT_SECRET}
      base_auth_url {env.BASE_AUTH_URL}
      metadata_url {env.METADATA_URL}
      # CALLBACK=/oauth2/generic/authorization-code-callback
      enable logout
    }
    authentication portal portal1 {
      enable identity provider generic
      crypto default token lifetime 3600
      #crypto key sign-verify {env.JWT_SHARED_KEY}
      transform user {
        match realm generic
        action add role authp/generic-user
      }
      # The regex pair trusts any domain and any path as a logout redirect target;
      # the localhost line is the narrower rule that the links below actually need.
      trust logout redirect uri domain regex ".*" path regex ".*"
      trust logout redirect uri domain localhost path prefix "/"
    }
    authorization policy policy-generic-user {
      # change from the portal auth select screen directly to an auth provider
      set auth url http://localhost:80/oauth2/generic
      enable js redirect
      #crypto key verify {env.JWT_SHARED_KEY}
      validate bearer header
      allow roles authp/generic-user
    }
  }
}

# this is the auth portal
http://localhost:80 {
  route {
    authenticate with portal1
  }
}

# this is a website
http://localhost:8000 {
  route {
    # served before authorize, so it is still reachable once the cookie is gone
    respond /endsession "please close your browser"
    authorize with policy-generic-user
    header Content-Type text/html
    respond / <<EOF
    <html>
      <a href="http://localhost:80/logout?redirect_uri=http://localhost:8000/endsession">auth/logout | </a>
      <a href="http://localhost:80/oauth2/generic/logout?redirect_uri=http://localhost:8000/endsession">auth/oauth2/generic/logout |</a>
    </html>
    EOF 200
  }
}
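
As an added example, not code from this thread and not go-authcrunch's or caddy-security's implementation, the Go program below sketches the kind of check the two `trust logout redirect uri` lines in the Caddyfile above configure: the `redirect_uri` query parameter is honoured only if it is an absolute http(s) URL whose host and path match at least one trusted rule, and the portal falls back to its own post-logout page otherwise. The type `LogoutRedirectRule`, the function `ResolveLogoutRedirect`, the rule sets `AnyDestination` and `LocalhostOnly`, and the hostile sample URLs are all assumptions constructed for the illustration. It shows why the `".*"`/`".*"` pair is worth removing once the localhost rule works: under it the logout endpoint will forward the browser to any host a link author chooses, while the exact-host rule refuses both `evil.example` and the look-alike `localhost.evil.example`.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// LogoutRedirectRule is an illustrative stand-in for one
// "trust logout redirect uri ..." line: a domain matcher (exact host or
// regex) plus a path matcher (prefix or regex). Assumed shape, not
// go-authcrunch's own type.
type LogoutRedirectRule struct {
	DomainExact string         // used when DomainRegex is nil
	DomainRegex *regexp.Regexp // "domain regex ..."
	PathPrefix  string         // used when PathRegex is nil
	PathRegex   *regexp.Regexp // "path regex ..."
}

func (r LogoutRedirectRule) matches(u *url.URL) bool {
	host := u.Hostname() // port stripped, so "localhost:8000" compares as "localhost"
	if r.DomainRegex != nil {
		if !r.DomainRegex.MatchString(host) {
			return false
		}
	} else if !strings.EqualFold(host, r.DomainExact) {
		return false
	}
	if r.PathRegex != nil {
		return r.PathRegex.MatchString(u.Path)
	}
	return strings.HasPrefix(u.Path, r.PathPrefix)
}

var (
	// Assumed counterpart of: trust logout redirect uri domain regex ".*" path regex ".*"
	AnyDestination = []LogoutRedirectRule{
		{DomainRegex: regexp.MustCompile(`.*`), PathRegex: regexp.MustCompile(`.*`)},
	}
	// Assumed counterpart of: trust logout redirect uri domain localhost path prefix "/"
	LocalhostOnly = []LogoutRedirectRule{
		{DomainExact: "localhost", PathPrefix: "/"},
	}
)

// ResolveLogoutRedirect picks where to send the browser after the session
// cookie has been cleared. It returns the redirect_uri from the query string
// only if it is an absolute http(s) URL trusted by at least one rule;
// otherwise it returns fallback and false. Scheme-relative ("//host/...")
// and non-http targets are refused before any rule is consulted.
func ResolveLogoutRedirect(rawQuery string, rules []LogoutRedirectRule, fallback string) (string, bool) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return fallback, false
	}
	target := q.Get("redirect_uri")
	if target == "" {
		return fallback, false
	}
	u, err := url.Parse(target)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return fallback, false
	}
	for _, r := range rules {
		if r.matches(u) {
			return target, true
		}
	}
	return fallback, false
}

func main() {
	// Constructed sample query strings: the logout link from the Caddyfile
	// above plus three hostile variants.
	queries := []string{
		"redirect_uri=http://localhost:8000/endsession",
		"redirect_uri=http://evil.example/phish",
		"redirect_uri=http://localhost.evil.example/endsession",
		"redirect_uri=//evil.example/phish",
	}
	for _, q := range queries {
		anyDst, _ := ResolveLogoutRedirect(q, AnyDestination, "/login")
		local, _ := ResolveLogoutRedirect(q, LocalhostOnly, "/login")
		fmt.Printf("%-55s wildcard -> %-40s localhost-only -> %s\n", q, anyDst, local)
	}
}
```

If a regex domain rule is kept at all, anchor it (`^localhost$` rather than `localhost`), since an unanchored pattern would also match `localhost.evil.example`.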

@greenpau (Owner) commented

> I'm not having much luck. Perhaps something simple I'm overlooking.

@steverweber, I think this is because this feature works with the non-OAuth 2.0 endpoint.

I did not see the config before. Now, I get it. My misunderstanding.

Here, you want to redirect a user from OAuth logout endpoint /oauth2/generic/logout to some other URL.

Let me do some magic and it will be available in the next release.

@steverweber commented

Note: updated the above example Caddyfile a little...
Using 1.1.27: http://localhost:80/oauth2/generic/logout?redirect_uri=... seems to do a redirect, so that's neat; however, it did not remove the auth cookie. http://localhost:80/logout?redirect_uri=https://localhost:8000/endsession seems to ignore the redirect_uri.

I'll take another look at this next week. Nevertheless, THANKS!

@thebirches commented

Hi, can you confirm that, out of the box, when using two providers (Azure and Google), the /logout call should invalidate the token and redirect to /login? October 2024, Caddy 2.8.4.

{
  security {

    oauth identity provider azure {
      realm azure
      driver azure
      client_id {env.AZURE_CLIENT_ID}
      client_secret {env.AZURE_CLIENT_SECRET}
      scopes openid email profile offline_access
      tenant_id {env.AZURE_TENANT_ID}
      enable id_token_cookie azure_token
    }

    oauth identity provider google {
      realm google
      driver google
      client_id {env.GOOGLE_CLIENT_ID}
      client_secret {env.GOOGLE_CLIENT_SECRET}
      scopes openid email profile
      enable id_token_cookie google_token
    }

    authentication portal mfportal {

      ui {
        theme basic
        template login ./html-explore/caddy/ui/login.template
      }

      crypto default token lifetime 3600
      enable identity provider azure
      enable identity provider google
      cookie path /

      transform user {
        match origin local
        action add role authp/user
      }

      transform user {
        match realm azure
        action add role authp/user
      }

      transform user {
        match realm google
        action add role authp/user
      }
    }

    authorization policy mfpolicy {
      allow roles authp/admin authp/user
      validate bearer header
      inject headers with claims
      enable js redirect
    }
  }
}
