From 201bea6d307660210745b78c7c6ac13ac525da06 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 7 Aug 2022 18:50:24 +0200
Subject: [PATCH] internal: add X-authentik-logout signature to trigger logouts when URLs are not exposed
Signed-off-by: Jens Langhammer
---
 internal/outpost/proxyv2/application/application.go | 2 ++
 internal/outpost/proxyv2/application/oauth.go | 1 +
 internal/web/proxy.go | 3 ++-
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/internal/outpost/proxyv2/application/application.go b/internal/outpost/proxyv2/application/application.go
index f3af62616..dc134efc8 100644
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@@ -150,6 +150,8 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 if _, set := r.URL.Query()[CallbackSignature]; set {
 a.handleAuthCallback(w, r)
+ } else if _, set := r.URL.Query()[LogoutSignature]; set {
+ a.handleSignOut(w, r)
 } else {
 inner.ServeHTTP(w, r)
 }
diff --git a/internal/outpost/proxyv2/application/oauth.go b/internal/outpost/proxyv2/application/oauth.go
index 81928781d..b9e246976 100644
--- a/internal/outpost/proxyv2/application/oauth.go
+++ b/internal/outpost/proxyv2/application/oauth.go
@@ -15,6 +15,7 @@ import (
 const (
 redirectParam = "rd"
 CallbackSignature = "X-authentik-auth-callback"
+ LogoutSignature = "X-authentik-logout"
 )

 func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
diff --git a/internal/web/proxy.go b/internal/web/proxy.go
index b7ebce92a..66a1ece32 100644
--- a/internal/web/proxy.go
+++ b/internal/web/proxy.go
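Review bot: The new `else if` branch in application.go calls `a.handleSignOut(w, r)` for any request whose query string contains the key `X-authentik-logout`, on any path and with any method, and no value or origin check is visible in the hunk. A query key can be supplied by any link or cross-site request, so unless handleSignOut (not shown) guards against it, another site can end a user's session. The key is also consumed before `inner.ServeHTTP`, so an upstream application can never receive a parameter of that name. I would record this on the constant in oauth.go, e.g. `// LogoutSignature is a query key matched by presence only; any request carrying it is signed out instead of being proxied.` If forced logout matters for a deployment, limiting the trigger to top-level navigations is worth considering. The handler closure starts and ends outside the hunk.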
@@ -54,7 +54,8 @@ func (ws *WebServer) configureProxy() {
 before := time.Now()
 if ws.ProxyServer != nil {
 _, oauthCallbackSet := r.URL.Query()[application.CallbackSignature]
- if ws.ProxyServer.HandleHost(rw, r) || oauthCallbackSet {
+ _, logoutSet := r.URL.Query()[application.LogoutSignature]
+ if ws.ProxyServer.HandleHost(rw, r) || oauthCallbackSet || logoutSet {
 Requests.With(prometheus.Labels{
 "dest": "embedded_outpost",
 }).Observe(float64(time.Since(before)))
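Review bot: On the new condition line, `logoutSet` lets a request enter the embedded-outpost branch even when `ws.ProxyServer.HandleHost(rw, r)` returned false, so the routing decision rests on a query key that any client can add. What follows the `Observe` call is outside the hunk; if the branch returns there, a request for a host that no application claimed would never reach the backend and might get no response written, which is worth confirming. A comment above the condition would make the intent explicit, for example `// callback/logout query keys are owned by the outpost even when no host matched; such requests are not forwarded to the backend`. If that is not the intent, evaluate the keys only after a successful host match. configureProxy's body continues outside the hunk.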