photoprism/internal/auth/oidc/logout_test.go
Michael Mayer 50976f427e Auth: Add RP-initiated OIDC logout via PHOTOPRISM_OIDC_LOGOUT #5684 #5433
Sign-out of an OIDC session redirects the browser to the provider's
discovered end_session_endpoint (id_token_hint + absolute
post_logout_redirect_uri) when PHOTOPRISM_OIDC_LOGOUT is enabled, so the
provider SSO session ends and the next login re-prompts. Opt-in (default
off); local/LDAP logout and providers without an end-session endpoint fall
back to local logout.

Adds the shared CE /api/v1/oauth/logout route and OAuthLogoutHandler hook
plus the Portal OP end_session_endpoint advertised in the Portal discovery
document, for Portal builds to serve via the override hook.
2026-06-24 17:21:00 +02:00

74 lines
2.4 KiB
Go

package oidc
import (
"net/url"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/zitadel/oidc/v3/pkg/client/rp"
"golang.org/x/oauth2"
)
// fakeRelyingParty implements only the rp.RelyingParty methods EndSessionURL reads; any
// other call panics on the nil embedded interface, which keeps the fake honest.
type fakeRelyingParty struct {
rp.RelyingParty
endSession string
clientID string
}
func (f fakeRelyingParty) GetEndSessionEndpoint() string { return f.endSession }
func (f fakeRelyingParty) OAuthConfig() *oauth2.Config { return &oauth2.Config{ClientID: f.clientID} }
func TestClient_EndSessionURL(t *testing.T) {
t.Run("Success", func(t *testing.T) {
c := &Client{RelyingParty: fakeRelyingParty{
endSession: "https://provider.example/logout",
clientID: "client-abc",
}}
result, err := c.EndSessionURL("id-token-123", "https://app.localssl.dev/library/login", "state-xyz")
require.NoError(t, err)
u, err := url.Parse(result)
require.NoError(t, err)
assert.Equal(t, "https://provider.example/logout", u.Scheme+"://"+u.Host+u.Path)
q := u.Query()
assert.Equal(t, "id-token-123", q.Get("id_token_hint"))
assert.Equal(t, "client-abc", q.Get("client_id"))
assert.Equal(t, "https://app.localssl.dev/library/login", q.Get("post_logout_redirect_uri"))
assert.Equal(t, "state-xyz", q.Get("state"))
})
t.Run("NoEndSessionEndpoint", func(t *testing.T) {
c := &Client{RelyingParty: fakeRelyingParty{endSession: "", clientID: "client-abc"}}
result, err := c.EndSessionURL("id-token-123", "https://app.localssl.dev/library/login", "")
require.NoError(t, err)
assert.Equal(t, "", result)
})
t.Run("PreservesExistingQuery", func(t *testing.T) {
c := &Client{RelyingParty: fakeRelyingParty{
endSession: "https://provider.example/logout?realm=master",
clientID: "client-abc",
}}
result, err := c.EndSessionURL("id-token-123", "", "")
require.NoError(t, err)
u, err := url.Parse(result)
require.NoError(t, err)
q := u.Query()
assert.Equal(t, "master", q.Get("realm"))
assert.Equal(t, "id-token-123", q.Get("id_token_hint"))
assert.Equal(t, "", q.Get("post_logout_redirect_uri"))
assert.Equal(t, "", q.Get("state"))
})
t.Run("InvalidEndpoint", func(t *testing.T) {
c := &Client{RelyingParty: fakeRelyingParty{endSession: "://not a url", clientID: "client-abc"}}
_, err := c.EndSessionURL("id-token-123", "", "")
assert.Error(t, err)
})
}