feat: update signout functionality to use OpenID configuration for logout URL and remove the logout variable from config

2024-12-28 06:42:47 +00:00 · 2024-12-07 15:13:13 +01:00 · 2024-12-07 15:13:13 +01:00 · 9918ec6246
commit 9918ec6246
parent d5ce85f34a
3 changed files with 20 additions and 16 deletions
--- a/backend/open_webui/apps/webui/routers/auths.py
+++ b/backend/open_webui/apps/webui/routers/auths.py
@ -3,6 +3,7 @@ import uuid
 import time
 import datetime
 import logging
+import httpx

 from open_webui.apps.webui.models.auths import (
    AddUserForm,
@ -31,8 +32,7 @@ from open_webui.env import (
 from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.responses import RedirectResponse, Response
 from open_webui.config import (
-    OAUTH_PROVIDER_NAME,
-    OAUTH_LOGOUT_URL,
+    OPENID_PROVIDER_URL,
 )
 from pydantic import BaseModel
 from open_webui.utils.misc import parse_duration, validate_email_format
@ -504,13 +504,23 @@ async def signup(request: Request, response: Response, form_data: SignupForm):
@router.get("/signout")
 async def signout(request: Request, response: Response):
    response.delete_cookie("token")
-    
-    if OAUTH_PROVIDER_NAME.value == "keycloak" and OAUTH_LOGOUT_URL:
-        id_token = request.cookies.get("id_token", None)
-        if id_token:
-            logout_url = f"{OAUTH_LOGOUT_URL}?id_token_hint={id_token}"
-            response.delete_cookie("id_token")
-            return RedirectResponse(url=logout_url)
+
+    id_token = request.cookies.get("id_token", None)
+    if id_token:
+        async with httpx.AsyncClient() as client:
+            try:
+                openid_config = await client.get(OPENID_PROVIDER_URL.value)
+                openid_config.raise_for_status()
+                openid_data = openid_config.json()
+                end_session_endpoint = openid_data.get("end_session_endpoint")
+                if end_session_endpoint:
+                    logout_url = f"{end_session_endpoint}?id_token_hint={id_token}"
+                    response.delete_cookie("id_token")
+                    return RedirectResponse(url=logout_url)
+            except httpx.HTTPStatusError as e:
+                raise HTTPException(status_code=e.response.status_code, detail="Failed to fetch OpenID configuration")
+            except Exception as e:
+                raise HTTPException(status_code=500, detail=str(e))

    # Fall back to the default signout
    return {"status": True}
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@ -384,12 +384,6 @@ OAUTH_PROVIDER_NAME = PersistentConfig(
    os.environ.get("OAUTH_PROVIDER_NAME", "SSO"),
 )

-OAUTH_LOGOUT_URL = PersistentConfig(
-    "OAUTH_LOGOUT_URL",
-    "oauth.oidc.logout_url",
-    os.environ.get("OAUTH_LOGOUT_URL", ""),
-)
-
 OAUTH_USERNAME_CLAIM = PersistentConfig(
    "OAUTH_USERNAME_CLAIM",
    "oauth.oidc.username_claim",
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@ -254,7 +254,7 @@ class OAuthManager:
            secure=WEBUI_SESSION_COOKIE_SECURE,
        )
        
-        if OAUTH_PROVIDER_NAME.value == "keycloak":
+        if OAUTH_PROVIDER_NAME.value:
            id_token = token.get("id_token")
            response.set_cookie(
                key="id_token",