From 16e43dadc6016da274274e6e09e112a7d5d53d46 Mon Sep 17 00:00:00 2001
From: jnfrati
Date: Wed, 8 Apr 2026 16:25:24 +0200
Subject: [PATCH] fix: make sure logout is only prompted from oidc flow

Signed-off-by: jnfrati
---
 idp/dex/provider.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/idp/dex/provider.go b/idp/dex/provider.go
index a3e33dce2..2be302589 100644
--- a/idp/dex/provider.go
+++ b/idp/dex/provider.go
@@ -496,7 +496,17 @@ func (p *Provider) Storage() storage.Storage {
 // Handler returns the Dex server as an http.Handler for embedding in another server.
 // The handler expects requests with path prefix "/oauth2/".
 func (p *Provider) Handler() http.Handler {
- return p.dexServer
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ // NOTE: by default Dex will use the /logout route to only logout sessions, doesn't invalidate jwt tokens,
+ // to avoid confusion on users, we're not allowing for this, and only enable OIDC logout triggered through
+ // the dashboard which will invalidate both the session and the jwt token
+ if strings.HasSuffix(r.URL.Path, "/logout") && r.FormValue("id_token_hint") == "" {
+ http.Redirect(w, r, "/", http.StatusSeeOther)
+ return
+ }
+
+ p.dexServer.ServeHTTP(w, r)
+ })
 }
 
 // CreateUser creates a new user with the given email, username, and password.
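Review bot: The guard on the added `if` line only tests that `id_token_hint` is non-empty, so any client can still reach Dex's logout route by appending an arbitrary `id_token_hint=x`; unless Dex itself verifies the hint against the session's token (not visible in this hunk), the stated goal of allowing only dashboard-triggered OIDC logout is not enforced here, and the NOTE should record that assumption. The Handler doc comment two lines above the change still describes a plain pass-through and should mention the interception, e.g. `// Requests whose path ends in "/logout" and carry no id_token_hint are redirected to "/" so that only OIDC (RP-initiated) logout reaches Dex.`. Matching with strings.HasSuffix also leaves variants such as a trailing slash untouched if Dex's router tolerates them; comparing against the exact route Dex registers would be tighter. Note too that r.FormValue parses the body of POST requests before Dex sees them, which is only safe if Dex reads the form via ParseForm rather than r.Body directly, and that `strings` must already be imported in provider.go, which the hunk does not show.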