apache · monkeyDluffy6017 · Dec 25, 2023 · Dec 15, 2023 · Dec 15, 2023 · Dec 15, 2023
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
@@ -440,15 +440,30 @@ function _M.rewrite(plugin_conf, ctx)
         conf.timeout = conf.timeout * 1000
     end
 
+    local path = ctx.var.request_uri
+
     if not conf.redirect_uri then
-        conf.redirect_uri = ctx.var.request_uri
+        conf.redirect_uri = path
     end
 
     if not conf.ssl_verify then
         -- openidc use "no" to disable ssl verification
         conf.ssl_verify = "no"
     end
 
+    if path == (conf.logout_path or "/logout") then
+        local discovery, discovery_err =openidc.get_discovery_doc(conf)
+        if discovery_err then
+            core.log.error("OIDC access discovery url failed : ", discovery_err)
+            return 500
+        end
+        if conf.post_logout_redirect_uri and not discovery.end_session_endpoint then
+            -- openidc does not support end_session_endpoint configuration
+            -- using post_logout_redirect_uri for redirection
+            conf.redirect_after_logout_uri = conf.post_logout_redirect_uri
+        end
+    end
+
     local response, err, session, _
 
     if conf.bearer_only or conf.introspection_endpoint or conf.public_key then
@@ -504,7 +519,7 @@ function _M.rewrite(plugin_conf, ctx)
         -- provider's authorization endpoint to initiate the Relying Party flow.
         -- This code path also handles when the ID provider then redirects to
         -- the configured redirect URI after successful authentication.
-        response, err, _, session  = openidc.authenticate(conf, nil, unauth_action, conf.session)
+        response, err, _, session  = openidc.authenticate(conf, path, unauth_action, conf.session)
 
         if err then
             if err == "unauthorized request" then

diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md
@@ -43,7 +43,7 @@ description: OpenID Connect allows the client to obtain user information from th
 | realm                                | string   | False    | "apisix"              |              | Realm used for authentication.                                                                                                                                                                                                        |
 | bearer_only                          | boolean  | False    | false                 |              | When set to `true`, APISIX will only check if the authorization header in the request matches a bearer token.                                                                                                                         |
 | logout_path                          | string   | False    | "/logout"             |              | Path for logging out.                                                                                                                                                                                                                 |
-| post_logout_redirect_uri             | string   | False    |                       |              | URL to redirect to after logging out.                                                                                                                                                                                                 |
+| post_logout_redirect_uri             | string   | False    |                       |              | URL to redirect to after logging out. If the OIDC discovery endpoint does not provide an [`end_session_endpoint`](https://openid.net/specs/openid-connect-rpinitiated-1_0.html), the plugin internally redirects using the [`redirect_after_logout_uri`](https://github.com/zmartzone/lua-resty-openidc). Otherwise, it redirects using the [`post_logout_redirect_uri`](https://openid.net/specs/openid-connect-rpinitiated-1_0.html). |
 | redirect_uri                         | string   | False    | "ngx.var.request_uri" |              | URI to which the identity provider redirects back to.                                                                                                                                                                                 |
 | timeout                              | integer  | False    | 3                     | [1,...]      | Request timeout time in seconds.                                                                                                                                                                                                      |
 | ssl_verify                           | boolean  | False    | false                 |              | When set to true, verifies the identity provider's SSL certificates.                                                                                                                                                                  |

diff --git a/docs/zh/latest/plugins/openid-connect.md b/docs/zh/latest/plugins/openid-connect.md
@@ -42,7 +42,7 @@ description: OpenID Connect（OIDC）是基于 OAuth 2.0 的身份认证协议
 | realm                                | string  | 否     | "apisix"              |               | bearer token 无效时 [`WWW-Authenticate` 响应头](https://www.rfc-editor.org/rfc/rfc6750#section-3)中会伴随着的 `realm` 讯息。                                                                                |
 | bearer_only                          | boolean | 否     | false                 |               | 当设置为 `true` 时，将仅检查请求头中的令牌（Token）。                                               |
 | logout_path                          | string  | 否     | "/logout"             |               | 登出路径。                                                                                        |
-| post_logout_redirect_uri             | string  | 否     |                       |               | 调用登出接口后想要跳转的 URL。                                                                     |
+| post_logout_redirect_uri             | string  | 否     |                       |               | 调用登出接口后想要跳转的 URL。如果 OIDC 的服务发现端点没有提供 [`end_session_endpoint`](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) ，插件内部会使用 [`redirect_after_logout_uri`](https://github.com/zmartzone/lua-resty-openidc) 进行重定向，否则使用 [`post_logout_redirect_uri`](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) 进行重定向。 |
 | redirect_uri                         | string  | 否     | "ngx.var.request_uri" |               | 身份提供者重定向返回的 URI。                                                                       |
 | timeout                              | integer | 否     | 3                     | [1,...]       | 请求超时时间，单位为秒                                                                             |
 | ssl_verify                           | boolean | 否     | false                 | [true, false] | 当设置为 `true` 时，验证身份提供者的 SSL 证书。                                                     |