OIDC logout action provider incorrectly handles encoded query parameters in the Referer header
Closed this issue · 0 comments
Description
The OIDC logout action provider uses the Referer header when constructing the post_logout_redirect_uri that gets sent to the OIDC auth server. Specifically, it looks for a prevurl query parameter which identifies the URL where the user was before signing out.
The problem is, the action provider blindly URL-encodes this prevurl when building the post_logout_redirect_uri. If it was already encoded (which it should be - URLs may contain characters that need escaping; it's good practice to encode the prevurl), then it will get double-encoded, which ultimately breaks the "sign in again" link on the logout landing page.
The logout action provider needs to handle encoded query parameters.
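To make the failure concrete, here is an added Python model of the behaviour described above. It is not DDF code: the Referer values, the landing-page URL (`/logout/response`) and the function names are constructed for illustration. `normalize=False` reproduces the blind encoding that double-encodes an already-encoded prevurl; `normalize=True` decodes exactly once and then encodes exactly once, so an encoded and a plain prevurl both arrive single-encoded and the "sign in again" link resolves. The same-origin check at the end is an extra hardening step the issue does not ask for, included because a double-encoded value also fails it, which makes the bug visible early.

```python
from urllib.parse import urlsplit, parse_qs, quote, unquote

# Constructed sample inputs (not from the issue): the Referer the logout
# landing page sends, once with an already-encoded prevurl and once plain.
REFERER_ENCODED = ("https://localhost:8993/logout"
                   "?prevurl=https%3A%2F%2Flocalhost%3A8993%2Fsearch%2Fsimple")
REFERER_PLAIN = ("https://localhost:8993/logout"
                 "?prevurl=https://localhost:8993/search/simple")
# Hypothetical landing endpoint used as the post_logout_redirect_uri base.
LANDING_PAGE = "https://localhost:8993/logout/response"
# Hypothetical: the only origin we are willing to send the user back to.
EXPECTED_ORIGIN = ("https", "localhost:8993")


def raw_query_param(url, name):
    """Return the raw (not percent-decoded) value of a query parameter.

    This mirrors what a naive implementation does when it lifts the value
    straight out of the Referer string without decoding it first.
    """
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def build_post_logout_redirect_uri(referer, normalize):
    """Build the post_logout_redirect_uri that carries prevurl to the landing page.

    normalize=False reproduces the bug: the raw value is encoded blindly, so an
    already-encoded prevurl becomes double-encoded.
    normalize=True decodes exactly once, then encodes exactly once, so encoded
    and plain inputs both end up single-encoded.
    """
    prevurl = raw_query_param(referer, "prevurl")
    if prevurl is None:
        return LANDING_PAGE
    if normalize:
        # Decode only once: looping "until stable" would over-decode a URL
        # that legitimately contains a literal "%25".
        prevurl = unquote(prevurl)
    return f"{LANDING_PAGE}?prevurl={quote(prevurl, safe='')}"


def sign_in_again_target(redirect_uri):
    """What the landing page puts in its "sign in again" link.

    The landing page decodes the query string once, as any HTTP stack does.
    """
    return parse_qs(urlsplit(redirect_uri).query).get("prevurl", [""])[0]


def is_allowed_redirect(target):
    """Hardening beyond the issue: only redirect back to our own origin.

    A double-encoded value fails this too, because urlsplit finds no scheme
    or host in "https%3A%2F%2F...", which is a useful early signal.
    """
    parts = urlsplit(target)
    return (parts.scheme, parts.netloc) == EXPECTED_ORIGIN


if __name__ == "__main__":
    for label, normalize in (("buggy", False), ("fixed", True)):
        for referer in (REFERER_ENCODED, REFERER_PLAIN):
            uri = build_post_logout_redirect_uri(referer, normalize)
            target = sign_in_again_target(uri)
            print(f"{label:5} {target!r:55} allowed={is_allowed_redirect(target)}")
```

Running it shows the buggy path turning the encoded Referer into a link whose target is the literal string `https%3A%2F%2Flocalhost%3A8993%2Fsearch%2Fsimple` (the 404 from the report), while the fixed path yields `https://localhost:8993/search/simple` for both inputs.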
Steps to Reproduce
- Install DDF with OIDC as the auth type (will need to set up an OIDC auth server)
- Sign in
- Browse to https://localhost:8993/logout?service=https://localhost:8993/search/simple. You should end up on the logout landing page with a "sign in again" link pointing to https://localhost:8993/search/simple
- Browse to https://localhost:8993/logout?service=https%3A%2F%2Flocalhost%3A8993%2Fsearch%2Fsimple. You should again end up on the logout landing page, but when clicking the "sign in again" link you'll get a 404.
Expected behavior:
When you click "sign in again" DDF should redirect back to the OIDC auth server to sign back in
Actual behavior:
DDF returns a 404
Reproduces how often:
100%