fix: follow IdP end-session redirect on admin sign-out#69
Open
ahmedai1 wants to merge 1 commit into
Conversation
adminLogoutFn POSTs to LibreChat's /api/auth/logout but ignores the
response body. With OPENID_USE_END_SESSION_ENDPOINT=true, that endpoint
returns the IdP end_session URL in { redirect }. Because the response is
discarded, only the local session cookie is cleared and the IdP session
survives. With ADMIN_SSO_ONLY=true the /login page then auto-redirects
back to the IdP, which silently re-authenticates the same account — a
sign-out loop where the user can never sign out or switch accounts.
Parse the logout response and surface redirect; Sidebar.handleLogout
follows it via window.location when present, mirroring LibreChat's own
AuthContext logout handling.
Contributor:
@ahmedai1 can you sign the CLA? https://cla-assistant.io/ClickHouse/librechat-admin-panel?pullRequest=69
Author:
Signed
Problem
Fixes #68.
When the admin panel runs with ADMIN_SSO_ONLY=true against an OpenID provider using RP-initiated logout (OPENID_USE_END_SESSION_ENDPOINT=true on the LibreChat server), the Sign out button never actually signs you out. It clears the local session, returns to /login, and the page auto-redirects back to the IdP — which still has a live session — silently re-authenticating the same account. The user can never sign out or switch accounts.
Root cause
adminLogoutFn (src/server/auth.ts) POSTs to LibreChat's /api/auth/logout but ignores the response body. With OPENID_USE_END_SESSION_ENDPOINT=true, that endpoint returns the IdP end_session URL in { redirect }. Discarding it means only the local cookie is cleared and the IdP session survives.
LibreChat's own web client handles this correctly: its AuthContext logout handler reads data.redirect and follows it via window.location. This PR mirrors that behaviour in the admin panel.
Change
adminLogoutFn: parse the logout response and surface redirect.
Sidebar.handleLogout: when redirect is present, follow it via window.location; otherwise fall back to the existing /login navigation.
The response is parsed with a small zod schema (consistent with the existing refreshResponseSchema pattern in the same file) and the remote logout call stays wrapped in try/catch, so a failed/absent logout response still clears the local session as before.
Verification
tsc --noEmit clean.
eslint src/server/auth.ts src/components/Sidebar.tsx --max-warnings 0 clean.
Note
Medium Risk
Changes the logout path for SSO/OpenID deployments; behavior is gated on an optional redirect with the same local-session fallback as before.
Overview
Sign out now completes RP-initiated OpenID logout when the backend returns an IdP end-session URL.
adminLogoutFn parses the LibreChat /api/auth/logout JSON (optional redirect via zod) and returns it after clearing the local session. Sidebar handleLogout navigates with window.location.href when that URL is present; otherwise it keeps the existing invalidate + /login flow. Remote logout failures still only clear the admin cookie, unchanged.
Reviewed by Cursor Bugbot for commit 558f4c3.
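The logout flow described in the commit message and PR description above, as an added example that is not code from this PR, from librechat-admin-panel or from LibreChat. To run offline, the remote logout call and the browser navigation are injected as plain functions (postLogout and navigate are names chosen here, not identifiers from the repo), a hand-written check stands in for the zod schema, and the IdP end_session URL and response bodies are constructed for the demo. It also adds one check the PR does not describe: the returned URL is only followed if it is an absolute http(s) URL, so a misconfigured or compromised backend cannot steer window.location.href to a javascript: or data: URL.

```typescript
// Added example (not the PR's code). I/O is injected so this runs without a
// browser or a LibreChat server; postLogout / navigate are this example's names.

type LogoutResponse = { redirect?: string };

// Stand-in for the small zod schema the PR uses: an object whose optional
// `redirect` field, when present, must be a string. Anything else is rejected.
export function parseLogoutResponse(body: unknown): LogoutResponse {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    throw new Error("logout response is not an object");
  }
  const redirect = (body as Record<string, unknown>).redirect;
  if (redirect === undefined) return {};
  if (typeof redirect !== "string") throw new Error("redirect is not a string");
  return { redirect };
}

// Check added in this example: follow only absolute http(s) URLs. The backend
// is trusted, but assigning window.location.href straight from a JSON field
// without looking at the scheme is a habit worth avoiding.
export function isFollowableEndSessionUrl(redirect: string | undefined): redirect is string {
  if (!redirect) return false;
  try {
    const u = new URL(redirect);
    return u.protocol === "https:" || u.protocol === "http:";
  } catch {
    return false;
  }
}

// Mirrors adminLogoutFn after the fix: call the remote logout, parse the body,
// but clear the local session no matter what happened remotely.
export function adminLogout(
  postLogout: () => unknown,   // real code: the parsed JSON of POST /api/auth/logout
  clearLocalSession: () => void,
): LogoutResponse {
  let parsed: LogoutResponse = {};
  try {
    parsed = parseLogoutResponse(postLogout());
  } catch {
    // Remote logout failed or returned something unexpected: as before the fix,
    // the admin cookie is still dropped and we fall back to /login.
  }
  clearLocalSession();
  return parsed;
}

// Mirrors Sidebar.handleLogout: follow the IdP end_session URL when present,
// otherwise keep the existing /login navigation. Returns the chosen target.
export function handleLogout(
  postLogout: () => unknown,
  clearLocalSession: () => void,
  navigate: (href: string) => void,   // real code: href => { window.location.href = href; }
): string {
  const { redirect } = adminLogout(postLogout, clearLocalSession);
  const target = isFollowableEndSessionUrl(redirect) ? redirect : "/login";
  navigate(target);
  return target;
}

// The pre-fix behaviour, for comparison: the body is ignored, the user always
// lands on /login, and with ADMIN_SSO_ONLY=true that page bounces back to the
// IdP, whose session was never ended.
export function handleLogoutBefore(
  postLogout: () => unknown,
  clearLocalSession: () => void,
  navigate: (href: string) => void,
): string {
  try { postLogout(); } catch { /* response discarded either way */ }
  clearLocalSession();
  navigate("/login");
  return "/login";
}

// Constructed responses for the demo (not captured from a real deployment).
export const endSessionBody = {
  redirect: "https://idp.example.test/oidc/logout?post_logout_redirect_uri=https%3A%2F%2Fadmin.example.test%2Flogin",
};
export const localOnlyBody = {};   // OPENID_USE_END_SESSION_ENDPOINT not enabled
export function failingBackend(): never { throw new Error("network error"); }
```

With endSessionBody the fixed handleLogout hands the browser the IdP URL and the RP-initiated logout completes; the pre-fix version sends it to /login regardless. With localOnlyBody, a failing backend, or a non-http(s) URL, the fixed version still clears the local session and falls back to /login exactly as before.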