vikunja/pkg/routes/api/v2
kolaente 970f3c3733 fix(auth): build OIDC end-session URL with id_token_hint and post_logout_redirect_uri
On OIDC logout Vikunja redirected to the configured `logouturl` with no query
parameters, so it never sent `id_token_hint` or `post_logout_redirect_uri`.
RP-Initiated-Logout-compliant providers (e.g. PocketID) then ignored the
post-logout redirect and left the user on the IdP's own login page.

This builds the end-session URL server-side from the OpenID Connect
RP-Initiated Logout 1.0 spec:

- id_token_hint (§2, RECOMMENDED): the ID token previously issued to the
  session. It lets the OP skip the logout-confirmation prompt and is what makes
  the OP honor post_logout_redirect_uri (the OP MAY require it, §3).
- post_logout_redirect_uri (§2, OPTIONAL): where the OP redirects after logout.
  MUST be pre-registered with the OP. Defaults to service.publicurl so the user
  lands back on Vikunja.
- client_id (§2, OPTIONAL): the RP client id; the OP verifies it matches the
  id_token_hint.

The end_session_endpoint is discovered from the provider's discovery document
(§2.1, REQUIRED metadata) and falls back to the static `logouturl` config when
the provider does not publish one.

To replay id_token_hint, the raw ID token (and the provider key) are persisted
on the session at the OIDC callback (new migration adds oidc_id_token /
oidc_provider_key columns to the sessions table). At logout the server reads
them, builds the URL, deletes the session, and returns the URL in the logout
response so the frontend redirects to it.

Security note: the raw ID token is stored at rest in the sessions table
(json:"-", never exposed over the API) and removed when the session is deleted
on logout.

Spec: OpenID Connect RP-Initiated Logout 1.0
https://openid.net/specs/openid-connect-rpinitiated-1_0.html

Fixes #2820
2026-06-19 16:06:26 +02:00
..
scalar feat(api-v2): vendor scalar api docs bundle 2026-05-31 15:23:32 +02:00
admin_projects.go feat(api/v2): add admin actions on /api/v2 2026-06-11 19:32:42 +00:00
admin_users.go chore(lint): suppress contextcheck on OIDC provider init call sites 2026-06-12 08:56:08 +00:00
api_tokens.go feat(api/v2): add API token list/create/delete on /api/v2 2026-06-05 08:49:23 +00:00
auth_login.go fix(auth): build OIDC end-session URL with id_token_hint and post_logout_redirect_uri 2026-06-19 16:06:26 +02:00
auth_openid.go fix(auth): build OIDC end-session URL with id_token_hint and post_logout_redirect_uri 2026-06-19 16:06:26 +02:00
auth_public.go fix: dispatch pending events after user creation commits 2026-06-12 08:56:08 +00:00
auth_refresh.go feat(api/v2): port refresh-token endpoint to /api/v2 2026-06-17 20:34:38 +00:00
avatar.go docs(api/v2): keep registrar godoc attached; clarify registry concurrency + ordering 2026-06-03 13:14:13 +00:00
avatar_upload.go docs(api/v2): keep registrar godoc attached; clarify registry concurrency + ordering 2026-06-03 13:14:13 +00:00
backgrounds.go feat(api/v2): add project background download and unsplash proxies 2026-06-17 11:31:50 +00:00
bot_users.go feat(api/v2): add bot user CRUD on /api/v2 2026-06-05 08:51:39 +00:00
bulk_task.go feat(api/v2): add bulk task updates on /api/v2 2026-06-09 20:13:02 +00:00
caldav_tokens.go feat(api/v2): add CalDAV tokens on /api/v2 2026-06-10 17:55:52 +00:00
docs.go feat(api/v2): serve Scalar docs UI at /api/v2/docs 2026-05-31 12:56:57 +00:00
errors.go feat(api/v2): port refresh-token endpoint to /api/v2 2026-06-17 20:34:38 +00:00
errors_test.go fix(api/v2): don't leak internal error detail in 5xx responses 2026-05-31 12:56:57 +00:00
health.go feat(api/v2): expose healthcheck as a documented endpoint 2026-06-17 20:35:28 +00:00
huma.go feat(api/v2): expose notifications atom feed in the OpenAPI spec 2026-06-17 20:35:28 +00:00
info.go chore(lint): suppress contextcheck on OIDC provider init call sites 2026-06-12 08:56:08 +00:00
label_task_bulk.go feat(api/v2): add bulk label replacement on /api/v2 2026-06-10 11:56:05 +02:00
label_tasks.go feat(api/v2): add task labels (create/list/delete) on /api/v2 2026-06-05 08:33:47 +00:00
labels.go feat(api/v2): report max_permission on label and project-view reads 2026-06-04 21:16:51 +00:00
link_sharing.go feat(api/v2): add link sharing (create/read/list/delete) 2026-06-05 09:17:25 +00:00
migration_csv.go feat(api/v2): add the generic CSV importer on /api/v2 2026-06-12 08:51:19 +00:00
migration_file.go feat(api/v2): add file migrators (vikunja-file, ticktick, wekan) on /api/v2 2026-06-12 08:51:19 +00:00
migration_oauth.go feat(api/v2): port OAuth migrators (Todoist, Trello, Microsoft To-Do) 2026-06-11 18:35:55 +00:00
notifications.go fix(api/v2): return 200 from notifications mark-all (creates nothing) 2026-06-07 10:05:24 +00:00
notifications_feed.go feat(api/v2): expose notifications atom feed in the OpenAPI spec 2026-06-17 20:35:28 +00:00
oauth.go feat(api/v2): add login and logout on /api/v2 2026-06-17 19:43:41 +00:00
project_duplicate.go feat(projects): make duplicating shares opt-in (#2932) 2026-06-19 10:15:58 +02:00
project_teams.go feat(api/v2): add project team shares CRUD on /api/v2 2026-06-07 15:33:20 +00:00
project_users.go feat(api/v2): add project user shares CRUD on /api/v2 2026-06-07 10:37:59 +00:00
project_views.go feat(api/v2): report max_permission on label and project-view reads 2026-06-04 21:16:51 +00:00
projects.go refactor(api/v2): align project max_permission to the shared embed pattern 2026-06-05 07:40:07 +00:00
reactions.go feat(api/v2): add reactions on /api/v2 2026-06-09 21:34:22 +00:00
registry.go docs(api/v2): keep registrar godoc attached; clarify registry concurrency + ordering 2026-06-03 13:14:13 +00:00
saved_filters.go feat(api/v2): add saved filter CRUD on /api/v2 2026-06-07 10:40:20 +00:00
sessions.go feat(api/v2): add session list/delete on /api/v2 2026-06-05 08:21:48 +00:00
subscriptions.go docs: trim wordy comments to load-bearing whys 2026-06-07 09:57:51 +00:00
task_assignees.go feat(api/v2): add task assignees (create/list/delete) on /api/v2 2026-06-06 19:06:12 +00:00
task_assignees_bulk.go feat(api/v2): add bulk assignee replacement on /api/v2 2026-06-09 19:42:16 +00:00
task_attachments.go feat(api/v2): add task attachments on /api/v2 2026-06-10 10:22:39 +00:00
task_bucket.go feat(api/v2): add kanban task-bucket moves on /api/v2 2026-06-09 20:01:20 +00:00
task_collection.go refactor(api/v2): dedup task collection query params via exported embed 2026-06-11 18:31:03 +00:00
task_comments.go feat(api/v2): report max_permission on task comment reads 2026-06-05 07:43:38 +00:00
task_duplicate.go docs(api/v2): keep registrar godoc attached; clarify registry concurrency + ordering 2026-06-03 13:14:13 +00:00
task_position.go feat(api/v2): add task position updates on /api/v2 2026-06-10 11:55:51 +02:00
task_relations.go feat(api/v2): add task relations on /api/v2 2026-06-09 20:42:00 +00:00
task_unread_status.go feat(api/v2): add task read-status marking on /api/v2 2026-06-09 19:50:58 +00:00
tasks.go fix(api/v2): return ErrProjectDoesNotExist for unknown project identifiers 2026-06-10 10:12:09 +00:00
team_members.go feat(api/v2): add team members (add/remove/admin-toggle) on /api/v2 2026-06-07 10:48:23 +00:00
teams.go feat(api/v2): report max_permission on team reads 2026-06-05 08:06:54 +00:00
testing.go feat(api/v2): add e2e testing-support endpoints on /api/v2 2026-06-17 12:13:50 +00:00
time_entries.go refactor(events): pass context to DispatchPending directly 2026-06-12 08:56:08 +00:00
token_meta.go feat(api/v2): add token-check, token-routes and link-share renew endpoints 2026-06-12 07:58:17 +00:00
types.go feat(api/v2): add shared conditional read helper and document list params 2026-06-04 21:16:51 +00:00
user_deletion.go feat(api/v2): add user account-deletion flow on /api/v2 2026-06-10 19:15:05 +00:00
user_export.go fix(api/v2): close export reader when commit fails before streaming 2026-06-17 18:39:38 +00:00
user_search.go refactor(user): share user-search logic between v1 and v2 2026-06-11 20:07:43 +00:00
user_settings.go feat(audit): attribute failed logins to the originating request 2026-06-12 08:56:08 +00:00
user_totp.go feat(api/v2): add totp qr code endpoint 2026-06-17 18:39:38 +00:00
user_webhooks.go feat(api/v2): add user webhooks on /api/v2 2026-06-10 19:12:41 +00:00
validation.go feat(api/v2): enforce validation centrally in the Register wrapper 2026-06-06 21:09:56 +00:00
webhook_events.go feat(api/v2): add available webhook events endpoint 2026-06-11 20:07:43 +00:00
webhooks.go refactor(webhooks): mask write-only credentials in the model so create/update never echo them 2026-06-06 19:50:41 +00:00