Add ability to set a Sign Out URL when using auth proxy

[svh1985]

Feature Description

It would be great if there would be an option to change the logout URL when using the ENABLE_REVERSE_PROXY_AUTHENTICATION setting. This way we can redirect to the Sign Out page of the authentication handler eg: https://auth.domain.com/logout

Screenshots

No response

[lunny]

Why don't redirect it in your reverse proxy configuration file?

[svh1985]

Ahh that's also an approach to do it. You're talking about a redirect or a return?
I'm not a NGINX proxy expert but I found some code online. But the Gitea URL for logging out is something I cannot find.

Do you know what the logout URL is that I can use?

location = /user/logout {
  return 301 https://auth.domain.com/logout;
}

[lunny]

POST /usr/logout

[zeripath]

Why not simply change the head_navbar.tmpl to be the correct logout url?

[svh1985]

Good point. But currently all changes can be done from the config file, adding another parameter for the logoutURL makes implementation (and documentation) a bit easier for Gitea admins.

[zeripath]

I understand but I'm not certain we should jump to make this configurable without allowing other authenticators eg. OAuth2 or LDAP to cascade their logouts too. ​

Although as #17740 would likely require a cascading logout this would be a reason to implement it sooner.

[yoyoyonas]

related / possible duplicate: #14270

[yoyoyonas]

Why not simply change the head_navbar.tmpl to be the correct logout url?

Could you advice me how to achieve logging out from Gitea and from the auth provider?
Since Gitea requires a POST request, I can not solve this simply by letting the auth provider redirect to a Gitea logout URL after logging out there.

So I thought, I can change the data-redirect parameter of the logout action to logout from the provider after logging out from Gitea, from data-redirect="{{AppSubUrl}}/" to data-redirect="https://sso.example.com/auth/realms/master/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fgit.example.com%2F.

gitea/templates/base/head_navbar.tmpl

Lines 179 to 181 in f58e687

	<a class="item link-action" href data-url="{{AppSubUrl}}/user/logout" data-redirect="{{AppSubUrl}}/">
	{{svg "octicon-sign-out"}}
	{{.i18n.Tr "sign_out"}}<!-- Sign Out -->

But still, Gitea redirects me to {{AppSubUrl}}/" after logging out, not to the external URL.
(I checked the site source; the custom template did work.)

[novirium]

Currently it looks like the redirect is actually happening on the server side as a response to the /user/logout POST, so it can't be changed by modifying the frontend.

Adding a config option to be able to set the logout redirect URL in auth.go would solve this problem, and also provide the basic functionality for #16869 and #14270 (while not implementing the full OIDC spec, it's all that's needed for seamless logout for a lot of SSO use cases).

[Baitanik]

any idea when this logout with reverse proxy will get resolved ?
we have ibm webseal as the authenticator and gitea we have ENABLE_REVERSE_PROXY_AUTHENTICATION = true.

but when logout happens from gitea, it does not call logout from webseal..
Please let us know when this will be fixed in gitea

[wxiaoguang]

Dup of #14270 ?