fixed logout showing non actionable error and session cookie encription key

2026-05-18 22:59:57 +00:00 · 2026-04-29 13:39:39 +02:00
parent ca80057ca5
commit fa0b7bece8
7 changed files with 171 additions and 23 deletions
--- a/idp/dex/provider.go
+++ b/idp/dex/provider.go
@@ -511,13 +511,13 @@ func (p *Provider) SetClientsMFAChain(ctx context.Context, clientIDs []string, m
 // The handler expects requests with path prefix "/oauth2/".
 func (p *Provider) Handler() http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// NOTE: by default Dex will use the /logout route to only logout sessions, doesn't invalidate jwt tokens,
-		// to avoid confusion on users, we're not allowing for this, and only enable OIDC logout triggered through
-		// the dashboard which will invalidate both the session and the jwt token
-		//if strings.HasSuffix(r.URL.Path, "/logout") && r.FormValue("id_token_hint") == "" {
-		//http.Redirect(w, r, "/", http.StatusSeeOther)
-		//return
-		//}
+		// Dex's /logout endpoint requires id_token_hint for RP-initiated logout with
+		// post_logout_redirect_uri. If the dashboard calls logout without one, avoid
+		// rendering Dex's non-actionable Bad Request page and send the user home.
+		if strings.HasSuffix(r.URL.Path, "/logout") && r.FormValue("id_token_hint") == "" {
+			http.Redirect(w, r, "/", http.StatusSeeOther)
+			return
+		}

 		p.dexServer.ServeHTTP(w, r)
 	})
--- a/idp/dex/provider_test.go
+++ b/idp/dex/provider_test.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"encoding/json"
 	"log/slog"
+	"net/http"
+	"net/http/httptest"
 	"os"
 	"path/filepath"
 	"testing"
@@ -144,6 +146,30 @@ func TestEncodeDexUserID_MatchesDexFormat(t *testing.T) {
 	assert.Equal(t, knownEncodedID, reEncoded)
 }

+func TestHandlerRedirectsLogoutWithoutIDTokenHint(t *testing.T) {
+	ctx := context.Background()
+
+	tmpDir, err := os.MkdirTemp("", "dex-logout-handler-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	provider, err := NewProvider(ctx, &Config{
+		Issuer:  "http://localhost:5556/oauth2",
+		Port:    5556,
+		DataDir: tmpDir,
+	})
+	require.NoError(t, err)
+	defer func() { _ = provider.Stop(ctx) }()
+
+	req := httptest.NewRequest(http.MethodGet, "/oauth2/logout?post_logout_redirect_uri=https://example.com", nil)
+	rec := httptest.NewRecorder()
+
+	provider.Handler().ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusSeeOther, rec.Code)
+	require.Equal(t, "/", rec.Header().Get("Location"))
+}
+
 func TestCreateUserInTempDB(t *testing.T) {
 	ctx := context.Background()

--- a/idp/dex/web/templates/password.html
+++ b/idp/dex/web/templates/password.html
@@ -18,6 +18,7 @@
                id="login"
                name="login"
                class="nb-input"
+                autocomplete="username"
                placeholder="Enter your {{ .UsernamePrompt | lower }}"
                {{ if .Username }}value="{{ .Username }}"{{ else }}autofocus{{ end }}
                required
@@ -31,6 +32,7 @@
                id="password"
                name="password"
                class="nb-input"
+                autocomplete="current-password"
                placeholder="Enter your password"
                {{ if .Invalid }}autofocus{{ end }}
                required