[v11.0.x] AuthN: Fix signout redirect url (#87681)

* AuthN: Fix signout redirect url (#87631) * Add missing return * Use sign out redirect url from auth config if configured * remove option from auth.jwt that is not used (cherry picked from commit 0f3080e) --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
grafana · May 13, 2024 · 277ef25 · 277ef25
1 parent c234358
commit 277ef25
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 3 deletions.
diff --git a/conf/defaults.ini b/conf/defaults.ini
@@ -867,7 +867,6 @@ auto_sign_up = false
 url_login = false
 allow_assign_grafana_admin = false
 skip_org_role_sync = false
-signout_redirect_url =
 
 #################################### Auth LDAP ###########################
 [auth.ldap]

diff --git a/pkg/api/login.go b/pkg/api/login.go
@@ -261,6 +261,7 @@ func (hs *HTTPServer) Logout(c *contextmodel.ReqContext) {
 	if err != nil {
 		hs.log.Error("Failed perform proper logout", "error", err)
 		c.Redirect(hs.Cfg.AppSubURL + "/login")
+		return
 	}
 
 	_, id := c.SignedInUser.GetNamespacedID()

diff --git a/pkg/services/authn/authnimpl/service.go b/pkg/services/authn/authnimpl/service.go
@@ -347,6 +347,9 @@ func (s *Service) Logout(ctx context.Context, user identity.Requester, sessionTo
 	defer span.End()
 
 	redirect := &authn.Redirect{URL: s.cfg.AppSubURL + "/login"}
+	if s.cfg.SignoutRedirectUrl != "" {
+		redirect.URL = s.cfg.SignoutRedirectUrl
+	}
 
 	namespace, id := user.GetNamespacedID()
 	if namespace != authn.NamespaceUser {
@@ -384,7 +387,7 @@ func (s *Service) Logout(ctx context.Context, user identity.Requester, sessionTo
 	}
 
 Default:
-	if err = s.sessionService.RevokeToken(ctx, sessionToken, false); err != nil {
+	if err = s.sessionService.RevokeToken(ctx, sessionToken, false); err != nil && !errors.Is(err, auth.ErrUserTokenNotFound) {
 		return nil, err
 	}
 

diff --git a/pkg/services/authn/authnimpl/service_test.go b/pkg/services/authn/authnimpl/service_test.go
@@ -311,7 +311,8 @@ func TestService_Logout(t *testing.T) {
 		sessionToken *usertoken.UserToken
 		info         *login.UserAuth
 
-		client authn.Client
+		client             authn.Client
+		signoutRedirectURL string
 
 		expectedErr          error
 		expectedTokenRevoked bool
@@ -345,6 +346,14 @@ func TestService_Logout(t *testing.T) {
 			client:               &authntest.FakeClient{ExpectedName: "auth.client.azuread"},
 			expectedTokenRevoked: true,
 		},
+		{
+			desc:                 "should use signout redirect url if configured",
+			identity:             &authn.Identity{ID: authn.NamespacedID(authn.NamespaceUser, 1), AuthenticatedBy: "azuread"},
+			expectedRedirect:     &authn.Redirect{URL: "some-url"},
+			client:               &authntest.FakeClient{ExpectedName: "auth.client.azuread"},
+			signoutRedirectURL:   "some-url",
+			expectedTokenRevoked: true,
+		},
 		{
 			desc:             "should redirect to client specific url",
 			identity:         &authn.Identity{ID: authn.NamespacedID(authn.NamespaceUser, 1)},
@@ -381,6 +390,10 @@ func TestService_Logout(t *testing.T) {
 						return nil
 					},
 				}
+
+				if tt.signoutRedirectURL != "" {
+					svc.cfg.SignoutRedirectUrl = tt.signoutRedirectURL
+				}
 			})
 
 			redirect, err := s.Logout(context.Background(), tt.identity, tt.sessionToken)