Support for post_logout_redirect_uris in OIDC client registration #2984 (#2985)

Closes #2984
Douglas Palmer 2022-07-25 01:56:33 -07:00 committed by GitHub
parent 35a6384984
commit 4178860896
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 32 additions and 1 deletions


@ -12,7 +12,8 @@
"oauthDeviceAuthorizationGrant": "This enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.",
"oidcCibaGrant": "This enables support for OIDC CIBA Grant, which means that the user is authenticated via some external authentication device instead of the user's browser.",
"rootURL": "Root URL appended to relative URLs",
"validRedirectURIs": "Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.",
"validRedirectURIs": "Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.",
"validPostLogoutRedirectURIs": "Valid URI pattern a browser can redirect to after a successful logout. A value of '+' will use the list of valid redirect uris. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.",
"nameIdFormat": "The name ID format to use for the subject.",
"alwaysDisplayInConsole": "Always list this client in the Account Console, even if the user does not have an active session.",
"forceNameIdFormat": "Ignore requested NameID subject format and use admin console configured one.",


@ -340,6 +340,7 @@
"accessSettings": "Access settings",
"rootUrl": "Root URL",
"validRedirectUri": "Valid redirect URIs",
"validPostLogoutRedirectUri": "Valid post logout redirect URIs",
"idpInitiatedSsoUrlName": "IDP-Initiated SSO URL name",
"idpInitiatedSsoUrlNameHelp": "Target IDP initiated SSO URL: {{url}}",
"idpInitiatedSsoRelayState": "IDP Initiated SSO Relay State",
@ -358,6 +359,7 @@
"signatureKeyName": "SAML signature key name",
"canonicalization": "Canonicalization method",
"addRedirectUri": "Add valid redirect URIs",
"addPostLogoutRedirectUri": "Add valid post logout redirect URIs",
"loginTheme": "Login theme",
"consentRequired": "Consent required",
"clientAuthenticator": "Client Authenticator",


@ -254,6 +254,12 @@ export default function ClientDetails() {
stringToMultiline(client.attributes["default.acr.values"])
);
}
if (client.attributes?.["post.logout.redirect.uris"]) {
form.setValue(
"attributes.post.logout.redirect.uris",
stringToMultiline(client.attributes["post.logout.redirect.uris"])
);
}
Object.entries(client.attributes || {})
.filter(([key]) => key.startsWith("saml.server.signature"))
.map(([key, value]) =>
@ -303,6 +309,12 @@ export default function ClientDetails() {
);
}
if (values.attributes?.post.logout.redirect.uris) {
values.attributes["post.logout.redirect.uris"] = toStringValue(
values.attributes.post.logout.redirect.uris
);
}
const submittedClient =
convertFormValuesToObject<ClientRepresentation>(values);
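Review bot: In the save path, `values.attributes?.post.logout.redirect.uris` guards only `attributes`; if the nested `post` object is missing from the form values (for example when the post-logout field was never registered for this client), the property chain throws before the client is saved. Chaining the whole path avoids that: `if (values.attributes?.post?.logout?.redirect?.uris) {`. The check is also truthiness-based, so it is worth confirming that clearing every entry in the UI empties the stored `post.logout.redirect.uris` attribute rather than leaving the previous value; a stale allow-list entry keeps a redirect target valid after an admin believes it was removed. The enclosing functions start and end outside both hunks.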


@ -89,6 +89,22 @@ export const AccessSettings = ({
addButtonLabel="clients:addRedirectUri"
/>
</FormGroup>
<FormGroup
label={t("validPostLogoutRedirectUri")}
fieldId="kc-postLogoutRedirect"
labelIcon={
<HelpItem
helpText="clients-help:validPostLogoutRedirectURIs"
fieldLabelId="clients:validPostLogoutRedirectUri"
/>
}
>
<MultiLineInput
name="attributes.post.logout.redirect.uris"
aria-label={t("validPostLogoutRedirectUri")}
addButtonLabel="clients:addPostLogoutRedirectUri"
/>
</FormGroup>
{protocol === "saml" && (
<>
<FormGroup
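Review bot: The new `FormGroup` sits before the `protocol === "saml"` block, so as far as this hunk shows the post-logout field is rendered for every protocol, although the commit is about OIDC `post_logout_redirect_uris`. If no outer condition applies, wrap it in `{protocol !== "saml" && ( … )}`. The tooltip it references (`clients-help:validPostLogoutRedirectURIs`) also repeats the SAML consumer-service sentence from the login help text and advertises wildcards and the `+` shortcut. Since this list is the allow-list for where a browser may be sent after logout, the help text should say that exact URIs are preferred and that `+` inherits every pattern from the valid redirect URIs. The component body continues outside the hunk.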