OIDC logout functionality fixed (#6126)

Signed-off-by: David Kral <david.k.kral@oracle.com>

security/providers/oidc/src/main/java/io/helidon/security/providers/oidc/OidcProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2022 Oracle and/or its affiliates.
+ * Copyright (c) 2018, 2023 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -253,10 +253,10 @@ public static final class Builder implements io.helidon.common.Builder<OidcProvi
 
         private final HelidonServiceLoader.Builder<TenantConfigProvider> tenantConfigProviders = HelidonServiceLoader
                 .builder(ServiceLoader.load(TenantConfigProvider.class))
-                .defaultPriority(BUILDER_PRIORITY);
+                .defaultPriority(DEFAULT_PRIORITY);
         private final HelidonServiceLoader.Builder<TenantIdProvider> tenantIdProviders = HelidonServiceLoader
                 .builder(ServiceLoader.load(TenantIdProvider.class))
-                .defaultPriority(BUILDER_PRIORITY);
+                .defaultPriority(DEFAULT_PRIORITY);
         private boolean optional = false;
         private OidcConfig oidcConfig;
         private List<TenantIdFinder> tenantIdFinders;

security/providers/oidc/src/main/java/io/helidon/security/providers/oidc/OidcSupport.java

@@ -239,6 +239,7 @@ private void processTenantLogout(ServerRequest req, ServerResponse res, String t
     private void logoutWithTenant(ServerRequest req, ServerResponse res, Tenant tenant) {
         OidcCookieHandler idTokenCookieHandler = oidcConfig.idTokenCookieHandler();
         OidcCookieHandler tokenCookieHandler = oidcConfig.tokenCookieHandler();
+        OidcCookieHandler tenantCookieHandler = oidcConfig.tenantCookieHandler();
 
         Optional<String> idTokenCookie = req.headers()
                 .cookies()
@@ -266,6 +267,7 @@ private void logoutWithTenant(ServerRequest req, ServerResponse res, Tenant tena
                     ResponseHeaders headers = res.headers();
                     headers.addCookie(tokenCookieHandler.removeCookie().build());
                     headers.addCookie(idTokenCookieHandler.removeCookie().build());
+                    headers.addCookie(tenantCookieHandler.removeCookie().build());
 
                     res.status(Http.Status.TEMPORARY_REDIRECT_307)
                             .addHeader(Http.Header.LOCATION, sb.toString())
@@ -451,7 +453,7 @@ private String processJsonResponse(ServerRequest req,
                     .forSingle(builder -> {
                         headers.addCookie(builder.build());
                         if (idToken != null && oidcConfig.logoutEnabled()) {
-                            tokenCookieHandler.createCookie(idToken)
+                            oidcConfig.idTokenCookieHandler().createCookie(idToken)
                                     .forSingle(it -> {
                                         headers.addCookie(it.build());
                                         res.send();

tests/integration/oidc/src/main/java/io/helidon/tests/integration/oidc/TestResource.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Oracle and/or its affiliates.
+ * Copyright (c) 2022, 2023 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,8 @@
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 
 import io.helidon.security.annotations.Authenticated;
@@ -32,6 +34,7 @@
 public class TestResource {
 
     public static final String EXPECTED_TEST_MESSAGE = "Hello world";
+    public static final String EXPECTED_POST_LOGOUT_TEST_MESSAGE = "Post logout endpoint reached with no cookies";
 
     /**
      * Return hello world message.
@@ -45,5 +48,14 @@ public String getDefaultMessage() {
         return EXPECTED_TEST_MESSAGE;
     }
 
+    @Path("/postLogout")
+    @GET
+    @Produces(MediaType.TEXT_PLAIN)
+    public String postLogout(@Context HttpHeaders httpHeaders) {
+        if (httpHeaders.getCookies().isEmpty()) {
+            return EXPECTED_POST_LOGOUT_TEST_MESSAGE;
+        }
+        return "Cookies are not cleared!";
+    }
 }
 

tests/integration/oidc/src/test/java/io/helidon/tests/integration/oidc/CookieBasedLoginIT.java

@@ -25,6 +25,7 @@
 import org.jsoup.nodes.Document;
 import org.junit.jupiter.api.Test;
 
+import static io.helidon.tests.integration.oidc.TestResource.EXPECTED_POST_LOGOUT_TEST_MESSAGE;
 import static io.helidon.tests.integration.oidc.TestResource.EXPECTED_TEST_MESSAGE;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
@@ -125,6 +126,43 @@ public void testDefaultTenantUsage(WebTarget webTarget) {
         }
     }
 
+    @Test
+    public void testLogoutFunctionality(WebTarget webTarget) {
+        String formUri;
+
+        //greet endpoint is protected, and we need to get JWT token out of the Keycloak. We will get redirected to the Keycloak.
+        try (Response response = client.target(webTarget.getUri()).path("/test")
+                .request()
+                .get()) {
+            assertThat(response.getStatus(), is(Response.Status.OK.getStatusCode()));
+            //We need to get form URI out of the HTML
+            formUri = getRequestUri(response.readEntity(String.class));
+        }
+
+        //Sending authentication to the Keycloak and getting redirected back to the running Helidon app.
+        Entity<Form> form = Entity.form(new Form().param("username", "userone")
+                                                .param("password", "12345")
+                                                .param("credentialId", ""));
+        try (Response response = client.target(formUri).request().post(form)) {
+            assertThat(response.getStatus(), is(Response.Status.OK.getStatusCode()));
+            assertThat(response.readEntity(String.class), is(EXPECTED_TEST_MESSAGE));
+        }
+
+        try (Response response = client.target(webTarget.getUri()).path("/oidc/logout")
+                .request()
+                .get()) {
+            assertThat(response.getStatus(), is(Response.Status.OK.getStatusCode()));
+            assertThat(response.readEntity(String.class), is(EXPECTED_POST_LOGOUT_TEST_MESSAGE));
+        }
+
+        try (Response response = client.target(webTarget.getUri()).path("/oidc/logout")
+                .request()
+                .get()) {
+            //There should be not token present among the cookies since it was cleared by the previous call
+            assertThat(response.getStatus(), is(Response.Status.FORBIDDEN.getStatusCode()));
+        }
+    }
+
     private String getRequestUri(String html) {
         Document document = Jsoup.parse(html);
         return document.getElementById("kc-form-login").attr("action");

tests/integration/oidc/src/test/resources/application.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2022 Oracle and/or its affiliates.
+# Copyright (c) 2022, 2023 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -31,6 +31,8 @@ security:
         redirect-uri: "/oidc/redirect"
         audience: "account"
         header-use: true
+        logout-enabled: true
+        post-logout-uri: "/test/postLogout"
         client-id: "clientOne"
         client-secret: "F5s4VBtMJF3SMdiIRkLEXioM9UPf34OR"
         identity-uri: "http://localhost:8080/realms/test/"