From 9918ec6246f8f6e20fd13389155b44ae51b33758 Mon Sep 17 00:00:00 2001 From: Zaiban Ali Date: Sat, 7 Dec 2024 15:13:13 +0100 Subject: [PATCH] feat: update signout functionality to use OpenID configuration for logout URL and remove the logout variable from config --- .../open_webui/apps/webui/routers/auths.py | 28 +++++++++++++------ backend/open_webui/config.py | 6 ---- backend/open_webui/utils/oauth.py | 2 +- 3 files changed, 20 insertions(+), 16 deletions(-) diff --git a/backend/open_webui/apps/webui/routers/auths.py b/backend/open_webui/apps/webui/routers/auths.py index 509ad7483..622e118b2 100644 --- a/backend/open_webui/apps/webui/routers/auths.py +++ b/backend/open_webui/apps/webui/routers/auths.py @@ -3,6 +3,7 @@ import uuid import time import datetime import logging +import httpx from open_webui.apps.webui.models.auths import ( AddUserForm, @@ -31,8 +32,7 @@ from open_webui.env import ( from fastapi import APIRouter, Depends, HTTPException, Request, status from fastapi.responses import RedirectResponse, Response from open_webui.config import ( - OAUTH_PROVIDER_NAME, - OAUTH_LOGOUT_URL, + OPENID_PROVIDER_URL, ) from pydantic import BaseModel from open_webui.utils.misc import parse_duration, validate_email_format 
@@ -504,13 +504,23 @@ async def signup(request: Request, response: Response, form_data: SignupForm): @router.get("/signout") async def signout(request: Request, response: Response): response.delete_cookie("token") - - if OAUTH_PROVIDER_NAME.value == "keycloak" and OAUTH_LOGOUT_URL: - id_token = request.cookies.get("id_token", None) - if id_token: - logout_url = f"{OAUTH_LOGOUT_URL}?id_token_hint={id_token}" - response.delete_cookie("id_token") - return RedirectResponse(url=logout_url) + + id_token = request.cookies.get("id_token", None) + if id_token: + async with httpx.AsyncClient() as client: + try: + openid_config = await client.get(OPENID_PROVIDER_URL.value) + openid_config.raise_for_status() + openid_data = openid_config.json() + end_session_endpoint = openid_data.get("end_session_endpoint") + if end_session_endpoint: + logout_url = f"{end_session_endpoint}?id_token_hint={id_token}" + response.delete_cookie("id_token") + return RedirectResponse(url=logout_url) + except httpx.HTTPStatusError as e: + raise HTTPException(status_code=e.response.status_code, detail="Failed to fetch OpenID configuration") + except Exception as e: + raise HTTPException(status_code=500, detail=str(e)) # Fall back to the default signout return {"status": True} diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py index 17acc2e02..15d209941 100644 --- a/backend/open_webui/config.py +++ b/backend/open_webui/config.py @@ -384,12 +384,6 @@ OAUTH_PROVIDER_NAME = PersistentConfig( os.environ.get("OAUTH_PROVIDER_NAME", "SSO"), ) -OAUTH_LOGOUT_URL = PersistentConfig( - "OAUTH_LOGOUT_URL", - "oauth.oidc.logout_url", - os.environ.get("OAUTH_LOGOUT_URL", ""), -) - OAUTH_USERNAME_CLAIM = PersistentConfig( "OAUTH_USERNAME_CLAIM", "oauth.oidc.username_claim", diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py index 9030a026b..3c2e3a90c 100644 --- a/backend/open_webui/utils/oauth.py +++ b/backend/open_webui/utils/oauth.py 
@@ -254,7 +254,7 @@ class OAuthManager: secure=WEBUI_SESSION_COOKIE_SECURE, ) - if OAUTH_PROVIDER_NAME.value == "keycloak": + if OAUTH_PROVIDER_NAME.value: id_token = token.get("id_token") response.set_cookie( key="id_token",
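Review bot: The new condition `if OAUTH_PROVIDER_NAME.value:` is effectively unconditional, because the config.py context in this patch shows the name defaulting to `"SSO"`. The raw `id_token` is therefore written to a cookie on every OAuth login, including providers that return no `id_token` or have no OpenID discovery URL for the new signout path to use. Gating on the token itself would express the intent more directly, e.g. `if token.get("id_token"):`. The `response.set_cookie(` call continues past the end of the hunk, so its `httponly`, `secure` and `samesite` arguments cannot be checked from here; they should match the session `token` cookie set just above.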