vikunja/pkg/routes
kolaente 970f3c3733 fix(auth): build OIDC end-session URL with id_token_hint and post_logout_redirect_uri
On OIDC logout Vikunja redirected to the configured `logouturl` with no query
parameters, so it never sent `id_token_hint` or `post_logout_redirect_uri`.
RP-Initiated-Logout-compliant providers (e.g. PocketID) then ignored the
post-logout redirect and left the user on the IdP's own login page.

This builds the end-session URL server-side from the OpenID Connect
RP-Initiated Logout 1.0 spec:

- id_token_hint (§2, RECOMMENDED): the ID token previously issued to the
  session. It lets the OP skip the logout-confirmation prompt and is what makes
  the OP honor post_logout_redirect_uri (the OP MAY require it, §3).
- post_logout_redirect_uri (§2, OPTIONAL): where the OP redirects after logout.
  MUST be pre-registered with the OP. Defaults to service.publicurl so the user
  lands back on Vikunja.
- client_id (§2, OPTIONAL): the RP client id; the OP verifies it matches the
  id_token_hint.

The end_session_endpoint is discovered from the provider's discovery document
(§2.1, REQUIRED metadata) and falls back to the static `logouturl` config when
the provider does not publish one.

To replay id_token_hint, the raw ID token (and the provider key) are persisted
on the session at the OIDC callback (new migration adds oidc_id_token /
oidc_provider_key columns to the sessions table). At logout the server reads
them, builds the URL, deletes the session, and returns the URL in the logout
response so the frontend redirects to it.

Security note: the raw ID token is stored at rest in the sessions table
(json:"-", never exposed over the API) and removed when the session is deleted
on logout.

Spec: OpenID Connect RP-Initiated Logout 1.0
https://openid.net/specs/openid-connect-rpinitiated-1_0.html

Fixes #2820
2026-06-19 16:06:26 +02:00
..
api fix(auth): build OIDC end-session URL with id_token_hint and post_logout_redirect_uri 2026-06-19 16:06:26 +02:00
caldav feat(audit): attribute failed logins to the originating request 2026-06-12 08:56:08 +00:00
feeds refactor(feeds): extract atom feed builder + basic-auth validator for reuse 2026-06-17 20:35:28 +00:00
middleware fix(routes): generate request IDs at the start of the middleware chain 2026-06-12 08:56:08 +00:00
admin_gate.go feat(middleware): add RequireFeature and RequireSiteAdmin 404 gates 2026-04-20 18:55:06 +00:00
api_tokens.go feat(events): add auth boundary events 2026-06-12 08:56:08 +00:00
error_handler.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
feature_gate.go feat(middleware): add RequireFeature and RequireSiteAdmin 404 gates 2026-04-20 18:55:06 +00:00
healthcheck.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
metrics.go refactor(metrics): count entities on demand with a TTL cache 2026-05-30 13:48:01 +00:00
rate_limit.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
resolve_project.go fix(api): uppercase project identifier before by-index lookup 2026-05-19 08:53:25 +00:00
routes.go feat(api/v2): expose websocket endpoint under /api/v2 2026-06-17 20:35:28 +00:00
sentry_middleware.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
static.go fix: respect allow_icon_changes config on web and desktop 2026-06-01 09:40:37 +00:00
validation.go fix(attachments): extend upload file size to form data (#1577) 2025-09-30 22:23:07 +00:00