photoprism/internal/api/oauth_logout.go
Michael Mayer 50976f427e Auth: Add RP-initiated OIDC logout via PHOTOPRISM_OIDC_LOGOUT #5684 #5433
Sign-out of an OIDC session redirects the browser to the provider's
discovered end_session_endpoint (id_token_hint + absolute
post_logout_redirect_uri) when PHOTOPRISM_OIDC_LOGOUT is enabled, so the
provider SSO session ends and the next login re-prompts. Opt-in (default
off); local/LDAP logout and providers without an end-session endpoint fall
back to local logout.

Adds the shared CE /api/v1/oauth/logout route and OAuthLogoutHandler hook
plus the Portal OP end_session_endpoint advertised in the Portal discovery
document, for Portal builds to serve via the override hook.
2026-06-24 17:21:00 +02:00

64 lines
2.1 KiB
Go

package api
import (
"net/http"
"github.com/gin-gonic/gin"
"github.com/photoprism/photoprism/internal/event"
"github.com/photoprism/photoprism/internal/photoprism/get"
"github.com/photoprism/photoprism/pkg/authn"
"github.com/photoprism/photoprism/pkg/http/header"
"github.com/photoprism/photoprism/pkg/i18n"
)
// OAuthLogout registers the OAuth2/OIDC end-session endpoint for RP-initiated logout.
// The behavior is provided by OAuthLogoutHandler, which defaults to a placeholder and is
// replaced by Portal builds with the OIDC OP end-session handler (see oauth_handlers.go
// and portal/internal/server/register.go). Both GET and POST are registered per the
// OpenID Connect RP-Initiated Logout specification.
//
// @Summary OAuth2/OIDC end-session endpoint (RP-initiated logout)
// @Id OAuthLogout
// @Tags Authentication
// @Produce json
// @Success 302 {string} string "redirect to post_logout_redirect_uri"
// @Failure 403,405 {object} i18n.Response
// @Router /api/v1/oauth/logout [get]
// @Router /api/v1/oauth/logout [post]
func OAuthLogout(router *gin.RouterGroup) {
router.GET("/oauth/logout", func(c *gin.Context) {
OAuthLogoutHandler(c)
})
router.POST("/oauth/logout", func(c *gin.Context) {
OAuthLogoutHandler(c)
})
}
// defaultOAuthLogout is the placeholder end-session handler used unless a Portal build
// overrides OAuthLogoutHandler with the OIDC OP end-session handler.
func defaultOAuthLogout(c *gin.Context) {
// Prevent CDNs from caching this endpoint.
if header.IsCdn(c.Request) {
AbortNotFound(c)
return
}
// Disable caching of responses.
c.Header(header.CacheControl, header.CacheControlNoStore)
// Get client IP address for logs and rate limiting checks.
clientIp := ClientIP(c)
actor := "unknown client"
action := "logout"
// Abort if running in public mode.
if get.Config().Public() {
event.AuditErr([]string{clientIp, "oauth2", actor, action, authn.ErrDisabledInPublicMode.Error()})
Abort(c, http.StatusForbidden, i18n.ErrForbidden)
return
}
// The OIDC OP end-session endpoint is only available on Portal builds.
c.JSON(http.StatusMethodNotAllowed, gin.H{"status": StatusFailed})
}