OCA · wluyima · Jun 10, 2024 · Jun 11, 2024 · Jun 11, 2024 · Jun 11, 2024
diff --git a/auth_oidc/controllers/main.py b/auth_oidc/controllers/main.py
@@ -9,7 +9,10 @@
 
 from werkzeug.urls import url_decode, url_encode
 
+from odoo import http
 from odoo.addons.auth_oauth.controllers.main import OAuthLogin
+from odoo.addons.web.controllers.main import Session
+from odoo.http import request
 
 _logger = logging.getLogger(__name__)
 
@@ -48,3 +51,28 @@
                     provider["auth_endpoint"], url_encode(params)
                 )
         return providers
+
+
+class OpenIDLogout(Session):
+
+    @http.route("/web/session/logout", type="http", auth="none")
+    def logout(self, redirect="/web/login"):
+        user = request.env["res.users"].sudo().browse(request.session.uid)
+        if user.oauth_provider_id.id:
+            p = request.env["auth.oauth.provider"].sudo().browse(user.oauth_provider_id.id)
+            if p.logout_endpoint:
+                r = redirect
+                if r.find('http') == -1 and r.find('https') == -1:
+                    r = request.env['ir.config_parameter'].sudo().get_param('web.base.url') + r
+                logout_base_url = p.logout_endpoint
+                params = {}
+                if '?' in p.logout_endpoint:
+                    url_parts = p.logout_endpoint.split("?")
+                    logout_base_url = url_parts[0]
+                    params = url_decode(url_parts[1])
+                params["client_id"] = p.client_id
+                params["post_logout_redirect_uri"] = r
+                logout_url = f"{logout_base_url}?{url_encode(params)}"
+                return super().logout(redirect=logout_url)
+        # User has no account with any provider or no logout URL is configured for the provider
+        return super().logout(redirect=redirect)
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
@@ -46,6 +46,11 @@ class AuthOauthProvider(models.Model):
         string="Token URL", help="Required for OpenID Connect authorization code flow."
     )
     jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
+    logout_endpoint = fields.Char(
+        string="Logout URL",
+        help="Required for OpenID Connect to logout the user in the authorization provider upon logout in the client, "
+             "should be the value of end_session_endpoint specified by the authorization provider"
+    )
 
     @tools.ormcache("self.jwks_uri", "kid")
     def _get_keys(self, kid):

diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml
@@ -18,6 +18,7 @@
             <field name="validation_endpoint" position="after">
                 <field name="token_endpoint" />
                 <field name="jwks_uri" />
+                <field name="logout_endpoint" />
             </field>
         </field>
     </record>