cameleer/cameleer-server
1
0
Fork 0
Code Issues 41 Pull Requests Actions Packages Projects Releases Wiki Activity

Full OIDC logout with id_token_hint for provider session termination
Some checks failed
CI / build (push) Successful in 1m10s
Details
CI / docker (push) Successful in 48s
Details
CI / deploy (push) Has been cancelled
Details

Browse Source 
Return the OIDC id_token in the callback response so the frontend can
store it and pass it as id_token_hint to the provider's end-session
endpoint on logout. This lets Authentik (or any OIDC provider) honor
the post_logout_redirect_uri and redirect back to the Cameleer login
page instead of showing the provider's own logout page.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-03-14 16:14:07 +01:00
parent 463cab1196
commit a6f94e8a70
7 changed files with 23 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cameleer3-server-app/src/main/java/com/cameleer3/server/app/dto/AuthTokenResponse.java
View File

@@ -7,5 +7,7 @@ import jakarta.validation.constraints.NotNull;
public record AuthTokenResponse(
@NotNull String accessToken,
@NotNull String refreshToken,
@NotNull String displayName
@NotNull String displayName,
@Schema(description = "OIDC id_token for end-session logout (only present after OIDC login)")
String idToken
) {}

2
cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
View File

@@ -132,7 +132,7 @@ public class OidcAuthController {
String displayName = oidcUser.name() != null && !oidcUser.name().isBlank()
? oidcUser.name() : oidcUser.email();
return ResponseEntity.ok(new AuthTokenResponse(accessToken, refreshToken, displayName));
return ResponseEntity.ok(new AuthTokenResponse(accessToken, refreshToken, displayName, oidcUser.idToken()));
} catch (ResponseStatusException e) {
throw e;
} catch (Exception e) {

4
cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
View File

@@ -57,7 +57,7 @@ public class OidcTokenExchanger {
this.configRepository = configRepository;
}
public record OidcUserInfo(String subject, String email, String name, List<String> roles) {}
public record OidcUserInfo(String subject, String email, String name, List<String> roles, String idToken) {}
/**
* Exchanges an authorization code for validated user info.
@@ -100,7 +100,7 @@ public class OidcTokenExchanger {
List<String> roles = extractRoles(claims, config.rolesClaim());
log.info("OIDC user authenticated: sub={}, email={}", subject, email);
return new OidcUserInfo(subject, email != null ? email : "", name != null ? name : "", roles);
return new OidcUserInfo(subject, email != null ? email : "", name != null ? name : "", roles, idTokenStr);
}
/**

4
cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/UiAuthController.java
View File

@@ -85,7 +85,7 @@ public class UiAuthController {
String refreshToken = jwtService.createRefreshToken(subject, "user", roles);
log.info("UI user logged in: {}", request.username());
return ResponseEntity.ok(new AuthTokenResponse(accessToken, refreshToken, request.username()));
return ResponseEntity.ok(new AuthTokenResponse(accessToken, refreshToken, request.username(), null));
}
@PostMapping("/refresh")
@@ -108,7 +108,7 @@ public class UiAuthController {
String displayName = userRepository.findById(result.subject())
.map(UserInfo::displayName)
.orElse(result.subject());
return ResponseEntity.ok(new AuthTokenResponse(accessToken, refreshToken, displayName));
return ResponseEntity.ok(new AuthTokenResponse(accessToken, refreshToken, displayName, null));
} catch (ResponseStatusException e) {
throw e;
} catch (Exception e) {

4
ui/src/api/openapi.json
View File

@@ -1602,6 +1602,10 @@
},
"displayName": {
"type": "string"
},
"idToken": {
"type": "string",
"description": "OIDC id_token for end-session logout (only present after OIDC login)"
}
},
"required": [

2
ui/src/api/schema.d.ts vendored
View File

@@ -595,6 +595,8 @@ export interface components {
accessToken: string;
refreshToken: string;
displayName: string;
/** @description OIDC id_token for end-session logout (only present after OIDC login) */
idToken?: string;
};
CallbackRequest: {
code?: string;

11
ui/src/auth/auth-store.ts
View File

@@ -66,6 +66,7 @@ export const useAuthStore = create<AuthState>((set, get) => ({
}
const { accessToken, refreshToken, displayName } = data;
localStorage.removeItem('cameleer-oidc-end-session');
localStorage.removeItem('cameleer-oidc-id-token');
const name = displayName ?? username;
persistTokens(accessToken, refreshToken, name);
set({
@@ -93,9 +94,12 @@ export const useAuthStore = create<AuthState>((set, get) => ({
if (error || !data) {
throw new Error('OIDC login failed');
}
const { accessToken, refreshToken, displayName } = data;
const { accessToken, refreshToken, displayName, idToken } = data;
const username = displayName ?? 'oidc-user';
persistTokens(accessToken, refreshToken, username);
if (idToken) {
localStorage.setItem('cameleer-oidc-id-token', idToken);
}
set({
accessToken,
refreshToken,
@@ -137,8 +141,10 @@ export const useAuthStore = create<AuthState>((set, get) => ({
logout: () => {
const endSessionEndpoint = localStorage.getItem('cameleer-oidc-end-session');
const idToken = localStorage.getItem('cameleer-oidc-id-token');
clearTokens();
localStorage.removeItem('cameleer-oidc-end-session');
localStorage.removeItem('cameleer-oidc-id-token');
set({
accessToken: null,
refreshToken: null,
@@ -147,9 +153,10 @@ export const useAuthStore = create<AuthState>((set, get) => ({
isAuthenticated: false,
error: null,
});
if (endSessionEndpoint) {
if (endSessionEndpoint && idToken) {
const postLogoutRedirect = `${window.location.origin}/login`;
const params = new URLSearchParams({
id_token_hint: idToken,
post_logout_redirect_uri: postLogoutRedirect,
});
window.location.href = `${endSessionEndpoint}?${params}`;