OIDC RP Logout: Fixed issues during testing

[bookstack] / app / Access / Oidc / OidcService.php

diff --git a/app/Access/Oidc/OidcService.php b/app/Access/Oidc/OidcService.php
index 3f9cd41b4b36dbefbe75f786f1e7175332f9303c..f1e5b25af1490b9fa2c7c5eed7568d3e5e6ab23d 100644 (file)
--- a/app/Access/Oidc/OidcService.php
+++ b/app/Access/Oidc/OidcService.php
@@ -84,7 +84,7 @@ class OidcService
             'redirectUri'           => url('/oidc/callback'),
             'authorizationEndpoint' => $config['authorization_endpoint'],
             'tokenEndpoint'         => $config['token_endpoint'],
-            'endSessionEndpoint'    => $config['end_session_endpoint'],
+            'endSessionEndpoint'    => is_string($config['end_session_endpoint']) ? $config['end_session_endpoint'] : null,
         ]);
 
         // Use keys if configured
@@ -102,8 +102,11 @@ class OidcService
         }
 
         // Prevent use of RP-initiated logout if specifically disabled
+        // Or force use of a URL if specifically set.
         if ($config['end_session_endpoint'] === false) {
             $settings->endSessionEndpoint = null;
+        } else if (is_string($config['end_session_endpoint'])) {
+            $settings->endSessionEndpoint = $config['end_session_endpoint'];
         }
 
         $settings->validate();
@@ -314,6 +317,8 @@ class OidcService
             'post_logout_redirect_uri' => $defaultLogoutUrl,
         ];
 
-        return $oidcSettings->endSessionEndpoint . '?' . http_build_query($endpointParams);
+        $joiner = str_contains($oidcSettings->endSessionEndpoint, '?') ? '&' : '?';
+
+        return $oidcSettings->endSessionEndpoint . $joiner . http_build_query($endpointParams);
     }
 }