Add optional provider-specific post_logout_uri setting

appinfo/info.xml

@@ -8,7 +8,7 @@
 	<name>OpenID Connect user backend</name>
 	<summary>Use an OpenID Connect backend to login to your Nextcloud</summary>
 	<description>Allows flexible configuration of an OIDC server as Nextcloud login user backend.</description>
-	<version>7.4.0</version>
+	<version>7.5.0</version>
 	<licence>agpl</licence>
 	<author>Roeland Jago Douma</author>
 	<author>Julius Härtl</author>

lib/Command/UpsertProvider.php

@@ -175,7 +175,8 @@ protected function configure() {
 			->addOption('clientid', 'c', InputOption::VALUE_REQUIRED, 'OpenID client identifier')
 			->addOption('clientsecret', 's', InputOption::VALUE_REQUIRED, 'OpenID client secret')
 			->addOption('discoveryuri', 'd', InputOption::VALUE_REQUIRED, 'OpenID discovery endpoint uri')
-			->addOption('endsessionendpointuri', 'e', InputOption::VALUE_OPTIONAL, 'OpenID end session endpoint uri')
+			->addOption('endsessionendpointuri', 'e', InputOption::VALUE_REQUIRED, 'OpenID end session endpoint uri')
+			->addOption('postlogouturi', 'p', InputOption::VALUE_REQUIRED, 'Post logout URI')
 			->addOption('scope', 'o', InputOption::VALUE_OPTIONAL, 'OpenID requested value scopes, if not set defaults to "openid email profile"');
 		foreach (self::EXTRA_OPTIONS as $name => $option) {
 			$this->addOption($name, $option['shortcut'], $option['mode'], $option['description']);
@@ -194,6 +195,7 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 		}
 		$discoveryuri = $input->getOption('discoveryuri');
 		$endsessionendpointuri = $input->getOption('endsessionendpointuri');
+		$postLogoutUri = $input->getOption('postlogouturi');
 		$scope = $input->getOption('scope');
 
 		if ($identifier === null) {
@@ -203,7 +205,7 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 		// check if any option for updating is provided
 		$updateOptions = array_filter($input->getOptions(), static function ($value, $option) {
 			return in_array($option, [
-				'identifier', 'clientid', 'clientsecret', 'discoveryuri', 'scope',
+				'identifier', 'clientid', 'clientsecret', 'discoveryuri', 'endsessionendpointuri', 'postlogouturi', 'scope',
 				...array_keys(self::EXTRA_OPTIONS),
 			]) && $value !== null;
 		}, ARRAY_FILTER_USE_BOTH);
@@ -243,7 +245,9 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 			$scope = $scope ?? 'openid email profile';
 		}
 		try {
-			$provider = $this->providerMapper->createOrUpdateProvider($identifier, $clientid, $clientsecret, $discoveryuri, $scope, $endsessionendpointuri);
+			$provider = $this->providerMapper->createOrUpdateProvider(
+				$identifier, $clientid, $clientsecret, $discoveryuri, $scope, $endsessionendpointuri, $postLogoutUri
+			);
 			// invalidate JWKS cache (even if it was just created)
 			$this->providerService->setSetting($provider->getId(), ProviderService::SETTING_JWKS_CACHE, '');
 			$this->providerService->setSetting($provider->getId(), ProviderService::SETTING_JWKS_CACHE_TIMESTAMP, '');

lib/Controller/LoginController.php

@@ -656,7 +656,6 @@ public function code(string $state = '', string $code = '', string $scope = '',
 	public function singleLogoutService() {
 		// TODO throttle in all failing cases
 		$oidcSystemConfig = $this->config->getSystemValue('user_oidc', []);
-		$targetUrl = $this->urlGenerator->getAbsoluteURL('/');
 		if (!isset($oidcSystemConfig['single_logout']) || $oidcSystemConfig['single_logout']) {
 			$isFromGS = ($this->config->getSystemValueBool('gs.enabled', false)
 				&& $this->config->getSystemValueString('gss.mode', '') === 'master');
@@ -697,6 +696,7 @@ public function singleLogoutService() {
 				$endSessionEndpoint = $customEndSessionEndpoint ?: $defaultEndSessionEndpoint;
 
 				if ($endSessionEndpoint) {
+					$targetUrl = $provider->getPostLogoutUri() ?: $this->urlGenerator->getAbsoluteURL('/');
 					$endSessionEndpoint .= '?post_logout_redirect_uri=' . $targetUrl;
 					$endSessionEndpoint .= '&client_id=' . $provider->getClientId();
 					$shouldSendIdToken = $this->providerService->getSetting(

lib/Controller/SettingsController.php

@@ -78,7 +78,8 @@ public function isDiscoveryEndpointValid($url) {
 
 	#[PasswordConfirmationRequired]
 	public function createProvider(string $identifier, string $clientId, string $clientSecret, string $discoveryEndpoint,
-		array $settings = [], string $scope = 'openid email profile', ?string $endSessionEndpoint = null): JSONResponse {
+		array $settings = [], string $scope = 'openid email profile', ?string $endSessionEndpoint = null,
+		?string $postLogoutUri = null): JSONResponse {
 		if ($this->providerService->getProviderByIdentifier($identifier) !== null) {
 			return new JSONResponse(['message' => 'Provider with the given identifier already exists'], Http::STATUS_CONFLICT);
 		}
@@ -99,6 +100,7 @@ public function createProvider(string $identifier, string $clientId, string $cli
 		$provider->setClientSecret($encryptedClientSecret);
 		$provider->setDiscoveryEndpoint($discoveryEndpoint);
 		$provider->setEndSessionEndpoint($endSessionEndpoint ?: null);
+		$provider->setPostLogoutUri($postLogoutUri ?: null);
 		$provider->setScope($scope);
 		$provider = $this->providerMapper->insert($provider);
 
@@ -109,7 +111,8 @@ public function createProvider(string $identifier, string $clientId, string $cli
 
 	#[PasswordConfirmationRequired]
 	public function updateProvider(int $providerId, string $identifier, string $clientId, string $discoveryEndpoint, ?string $clientSecret = null,
-		array $settings = [], string $scope = 'openid email profile', ?string $endSessionEndpoint = null): JSONResponse {
+		array $settings = [], string $scope = 'openid email profile', ?string $endSessionEndpoint = null,
+		?string $postLogoutUri = null): JSONResponse {
 		$provider = $this->providerMapper->getProvider($providerId);
 
 		if ($this->providerService->getProviderByIdentifier($identifier) === null) {
@@ -133,6 +136,7 @@ public function updateProvider(int $providerId, string $identifier, string $clie
 		}
 		$provider->setDiscoveryEndpoint($discoveryEndpoint);
 		$provider->setEndSessionEndpoint($endSessionEndpoint ?: null);
+		$provider->setPostLogoutUri($postLogoutUri ?: null);
 		$provider->setScope($scope);
 		$provider = $this->providerMapper->update($provider);
 

lib/Db/Provider.php

@@ -21,25 +21,24 @@
  * @method \void setDiscoveryEndpoint(?string $discoveryEndpoint)
  * @method \string|\null getEndSessionEndpoint()
  * @method \void setEndSessionEndpoint(?string $endSessionEndpoint)
+ * @method \string|\null getPostLogoutUri()
+ * @method \void setPostLogoutUri(?string $postLogoutUri)
  * @method \void setScope(string $scope)
  */
 class Provider extends Entity implements \JsonSerializable {
 
 	/** @var string */
 	protected $identifier;
-
 	/** @var string */
 	protected $clientId;
-
 	/** @var string */
 	protected $clientSecret;
-
 	/** @var ?string */
 	protected $discoveryEndpoint;
-
 	/** @var ?string */
 	protected $endSessionEndpoint;
-
+	/** @var string */
+	protected $postLogoutUri;
 	/** @var string */
 	protected $scope;
 
@@ -53,11 +52,12 @@ public function getScope(): string {
 	#[\ReturnTypeWillChange]
 	public function jsonSerialize() {
 		return [
-			'id' => $this->id,
-			'identifier' => $this->identifier,
-			'clientId' => $this->clientId,
-			'discoveryEndpoint' => $this->discoveryEndpoint,
-			'endSessionEndpoint' => $this->endSessionEndpoint,
+			'id' => $this->getId(),
+			'identifier' => $this->getIdentifier(),
+			'clientId' => $this->getClientId(),
+			'discoveryEndpoint' => $this->getDiscoveryEndpoint(),
+			'endSessionEndpoint' => $this->getEndSessionEndpoint(),
+			'postLogoutUri' => $this->getPostLogoutUri(),
 			'scope' => trim($this->getScope()),
 		];
 	}

lib/Db/ProviderMapper.php

@@ -83,14 +83,15 @@ public function getProviders() {
 	 * @param string|null $discoveryuri
 	 * @param string $scope
 	 * @param string|null $endsessionendpointuri
+	 * @param string|null $postLogoutUri
 	 * @return Provider|Entity
 	 * @throws DoesNotExistException
-	 * @throws MultipleObjectsReturnedException
 	 * @throws Exception
+	 * @throws MultipleObjectsReturnedException
 	 */
 	public function createOrUpdateProvider(string $identifier, ?string $clientid = null,
 		?string $clientsecret = null, ?string $discoveryuri = null, string $scope = 'openid email profile',
-		?string $endsessionendpointuri = null) {
+		?string $endsessionendpointuri = null, ?string $postLogoutUri = null) {
 		try {
 			$provider = $this->findProviderByIdentifier($identifier);
 		} catch (DoesNotExistException $eNotExist) {
@@ -107,6 +108,7 @@ public function createOrUpdateProvider(string $identifier, ?string $clientid = n
 			$provider->setClientSecret($clientsecret);
 			$provider->setDiscoveryEndpoint($discoveryuri);
 			$provider->setEndSessionEndpoint($endsessionendpointuri);
+			$provider->setPostLogoutUri($postLogoutUri);
 			$provider->setScope($scope);
 			return $this->insert($provider);
 		} else {
@@ -122,6 +124,9 @@ public function createOrUpdateProvider(string $identifier, ?string $clientid = n
 			if ($endsessionendpointuri !== null) {
 				$provider->setEndSessionEndpoint($endsessionendpointuri ?: null);
 			}
+			if ($postLogoutUri !== null) {
+				$provider->setPostLogoutUri($postLogoutUri ?: null);
+			}
 			$provider->setScope($scope);
 			return $this->update($provider);
 		}

lib/Migration/Version070500Date20250515141105.php

@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\UserOIDC\Migration;
+
+use Closure;
+use OCP\DB\ISchemaWrapper;
+use OCP\DB\Types;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+
+/**
+ * Auto-generated migration step: Please modify to your needs!
+ */
+class Version070500Date20250515141105 extends SimpleMigrationStep {
+	/**
+	 * @param IOutput $output
+	 * @param Closure $schemaClosure
+	 * @param array $options
+	 * @return null|ISchemaWrapper
+	 */
+	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
+		/** @var ISchemaWrapper $schema */
+		$schema = $schemaClosure();
+
+		if ($schema->hasTable('user_oidc_providers')) {
+			$table = $schema->getTable('user_oidc_providers');
+			if (!$table->hasColumn('post_logout_uri')) {
+				$table->addColumn('post_logout_uri', Types::STRING, [
+					'notnull' => false,
+					'length' => 255,
+				]);
+				return $schema;
+			}
+		}
+
+		return null;
+	}
+}

src/components/AdminSettings.vue

@@ -198,6 +198,7 @@ export default {
 				clientSecret: '',
 				discoveryEndpoint: '',
 				endSessionEndpoint: '',
+				postLogoutUri: '',
 				settings: {
 					uniqueUid: true,
 					checkBearer: false,
@@ -323,6 +324,7 @@ export default {
 				this.newProvider.clientSecret = ''
 				this.newProvider.discoveryEndpoint = ''
 				this.newProvider.endSessionEndpoint = ''
+				this.newProvider.postLogoutUri = ''
 				this.showNewProvider = false
 			} catch (error) {
 				logger.error('Could not register a provider: ' + error.message, { error })

src/components/SettingsForm.vue

@@ -52,6 +52,15 @@
 				maxlength="255"
 				placeholder="(Optional)">
 		</p>
+		<p>
+			<label for="oidc-post-logout-uri">{{ t('user_oidc', 'Post logout URI') }}</label>
+			<input id="oidc-post-logout-uri"
+				v-model="localProvider.postLogoutUri"
+				class="italic-placeholder"
+				type="text"
+				maxlength="255"
+				placeholder="(Optional)">
+		</p>
 		<p>
 			<label for="oidc-scope">{{ t('user_oidc', 'Scope') }}</label>
 			<input id="oidc-scope"

tests/unit/Service/ProviderServiceTest.php

@@ -59,6 +59,7 @@ public function testGetProvidersWithSettings() {
 				'clientId' => null,
 				'discoveryEndpoint' => null,
 				'endSessionEndpoint' => null,
+				'postLogoutUri' => null,
 				'scope' => null,
 				'settings' => [
 					'mappingDisplayName' => '1',
@@ -103,6 +104,7 @@ public function testGetProvidersWithSettings() {
 				'clientId' => null,
 				'discoveryEndpoint' => null,
 				'endSessionEndpoint' => null,
+				'postLogoutUri' => null,
 				'scope' => null,
 				'settings' => [
 					'mappingDisplayName' => '1',