From ilgro...@apache.org
Subject [1/2] syncope git commit: [SYNCOPE-1270] OpenID Connect Logout implementation
Date Thu, 10 May 2018 07:43:55 GMT
Repository: syncope
Updated Branches:
  refs/heads/2_0_X d8c3e4ca4 -> c0a3d367d
  refs/heads/master 5d35c0748 -> 3f0c52c46


[SYNCOPE-1270] OpenID Connect Logout implementation


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/c0a3d367
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/c0a3d367
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/c0a3d367

Branch: refs/heads/2_0_X
Commit: c0a3d367da4774d00c474b5cb7813f5c58414db3
Parents: d8c3e4c
Author: dayash <dima.ayash@tirasa.net>
Authored: Wed May 9 13:08:59 2018 +0200
Committer: dayash <dima.ayash@tirasa.net>
Committed: Thu May 10 09:32:10 2018 +0200

----------------------------------------------------------------------
 .../ext/oidcclient/agent/BeforeLogout.java      | 65 +++++++++++++++++++
 .../ext/oidcclient/agent/CodeConsumer.java      |  2 +-
 .../syncope/ext/oidcclient/agent/Constants.java |  4 ++
 .../syncope/ext/oidcclient/agent/Login.java     |  2 +-
 .../syncope/ext/oidcclient/agent/Logout.java    | 67 ++++++++++++++++++++
 .../resources/oidcclient/logoutError.jsp        | 35 ++++++++++
 .../resources/oidcclient/logoutSuccess.jsp      | 27 ++++++++
 .../console/pages/OIDCClientBeforeLogout.java   | 36 +++++++++++
 .../client/console/pages/OIDCClientLogin.java   |  5 ++
 .../client/console/pages/OIDCClientLogout.java  | 38 +++++++++++
 .../wizards/OIDCProviderWizardBuilder.java      | 13 +++-
 .../OIDCProviderWizardBuilder$OPContinue.html   |  1 +
 ...CProviderWizardBuilder$OPContinue.properties |  2 +
 ...oviderWizardBuilder$OPContinue_it.properties |  2 +
 ...derWizardBuilder$OPContinue_pt_BR.properties |  2 +
 ...oviderWizardBuilder$OPContinue_ru.properties |  2 +
 .../enduser/pages/OIDCClientBeforeLogout.java   | 36 +++++++++++
 .../client/enduser/pages/OIDCClientLogin.java   |  5 ++
 .../client/enduser/pages/OIDCClientLogout.java  | 36 +++++++++++
 .../resources/OIDCProvidersResource.java        |  2 -
 .../syncope/common/lib/OIDCConstants.java       |  2 +
 .../common/lib/to/OIDCLoginResponseTO.java      | 50 ++-------------
 .../common/lib/to/OIDCLogoutRequestTO.java      | 41 ++++++++++++
 .../syncope/common/lib/to/OIDCProviderTO.java   | 12 +++-
 .../syncope/core/logic/OIDCClientLogic.java     | 34 ++++++----
 .../syncope/core/logic/OIDCProviderLogic.java   |  3 +-
 .../persistence/api/entity/OIDCProvider.java    |  4 ++
 .../persistence/jpa/entity/JPAOIDCProvider.java | 15 ++++-
 .../java/data/OIDCProviderDataBinderImpl.java   |  2 +
 .../rest/api/service/OIDCClientService.java     | 12 ++++
 .../rest/cxf/service/OIDCClientServiceImpl.java |  6 ++
 .../saml2lsp/agent/AbstractSAML2SPServlet.java  |  2 +-
 .../src/main/webapp/WEB-INF/web.xml             |  9 +++
 .../src/main/webapp/WEB-INF/web.xml             |  9 +++
 34 files changed, 513 insertions(+), 70 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/BeforeLogout.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/BeforeLogout.java b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/BeforeLogout.java
new file mode 100644
index 0000000..6925c0e
--- /dev/null
+++ b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/BeforeLogout.java
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.ext.oidcclient.agent;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.UriBuilder;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.syncope.client.lib.SyncopeClient;
+import org.apache.syncope.client.lib.SyncopeClientFactoryBean;
+import org.apache.syncope.common.lib.OIDCConstants;
+import org.apache.syncope.common.lib.to.OIDCLogoutRequestTO;
+import org.apache.syncope.common.rest.api.service.OIDCClientService;
+
+@WebServlet(name = "oidclientbeforelogout", urlPatterns = { "/oidcclient/beforelogout" })
+public class BeforeLogout extends HttpServlet {
+
+    private static final long serialVersionUID = -5920740403138557179L;
+
+    @Override
+    protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
+            throws ServletException, IOException {
+
+        response.setHeader(HttpHeaders.CACHE_CONTROL, "no-cache, no-store");
+        response.setHeader("Pragma", "no-cache");
+        response.setStatus(HttpServletResponse.SC_SEE_OTHER);
+
+        SyncopeClientFactoryBean clientFactory = (SyncopeClientFactoryBean) request.getServletContext().
+                getAttribute(Constants.SYNCOPE_CLIENT_FACTORY);
+        String accessToken = (String) request.getSession().getAttribute(Constants.OIDCCLIENTJWT);
+        if (StringUtils.isBlank(accessToken)) {
+            throw new IllegalArgumentException("No access token found ");
+        }
+        SyncopeClient client = clientFactory.create(accessToken);
+        OIDCLogoutRequestTO requestTO = client.getService(OIDCClientService.class).
+                createLogoutRequest(request.getSession().getAttribute(OIDCConstants.OP).toString());
+
+        String postLogoutRedirectURI = StringUtils.substringBefore(request.getRequestURL().toString(), "/beforelogout")
+                + "/logout";
+        UriBuilder ub = UriBuilder.fromUri(requestTO.getEndSessionEndpoint());
+        ub.queryParam(OIDCConstants.POST_LOGOUT_REDIRECT_URI, postLogoutRedirectURI);
+        response.setHeader(HttpHeaders.LOCATION, ub.build().toASCIIString());
+    }
+}
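Review bot: `doGet` in BeforeLogout has no error path: the `IllegalArgumentException` for a blank token, and a `NullPointerException` from `request.getSession().getAttribute(OIDCConstants.OP).toString()` when the OP attribute is absent, both escape to the container, whereas Logout.java in this commit routes failures to `oidcclient.logout.error.url`. Null-check the attribute, reuse that error handling, and read the session with `request.getSession(false)` so an anonymous request does not allocate a session. `postLogoutRedirectURI` is derived from `request.getRequestURL()`, which reflects the host as the container sees it; a configured base URL would be more predictable behind a proxy. The redirect carries neither `id_token_hint` nor `state`, which the OpenID Connect logout specifications recommend so the OP can identify the session and the RP can match the return; consider adding them if `OIDCLogoutRequestTO` can supply them.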

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/CodeConsumer.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/CodeConsumer.java b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/CodeConsumer.java
index 08e9d23..20c39c4 100644
--- a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/CodeConsumer.java
+++ b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/CodeConsumer.java
@@ -69,7 +69,7 @@ public class CodeConsumer extends HttpServlet {
                     request.setAttribute("responseTO", responseTO);
                     request.getRequestDispatcher("loginSuccess.jsp").forward(request, response);
                 } else {
-                    response.sendRedirect(successURL);
+                    response.sendRedirect(successURL + "?logoutSupported=" + responseTO.isLogoutSupported());
                 }
             } else {
                 throw new IllegalArgumentException("Invalid " + OIDCConstants.STATE + " provided");
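Review bot: `successURL + "?logoutSupported=" + responseTO.isLogoutSupported()` produces a malformed URL when the configured success URL already has a query string; build it with `UriBuilder.fromUri(successURL).queryParam("logoutSupported", responseTO.isLogoutSupported())`, as BeforeLogout.java does for its own parameter, or choose `?`/`&` explicitly. The flag also travels through the browser, so the page that receives it cannot treat it as trusted; keeping it in the HTTP session next to the token would avoid that, if both sides share the session. The enclosing method starts and ends outside this hunk.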

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Constants.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Constants.java b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Constants.java
index 1ff3327..988b7cc 100644
--- a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Constants.java
+++ b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Constants.java
@@ -30,6 +30,10 @@ public final class Constants {
 
     public static final String CONTEXT_PARAM_LOGIN_ERROR_URL = "oidcclient.login.error.url";
 
+    public static final String CONTEXT_PARAM_LOGOUT_SUCCESS_URL = "oidcclient.logout.success.url";
+
+    public static final String CONTEXT_PARAM_LOGOUT_ERROR_URL = "oidcclient.logout.error.url";
+
     public static final String OIDCCLIENTJWT = "oidcclient.jwt";
 
     public static final String OIDCCLIENTJWT_EXPIRE = "oidcclient.jwt.expire";

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Login.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Login.java b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Login.java
index 7906506..e05f2f8 100644
--- a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Login.java
+++ b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Login.java
@@ -70,7 +70,7 @@ public class Login extends HttpServlet {
             ub.queryParam(OIDCConstants.RESPONSE_TYPE, requestTO.getResponseType());
             ub.queryParam(OIDCConstants.SCOPE, requestTO.getScope());
             ub.queryParam(OIDCConstants.STATE, requestTO.getState());
-            response.setHeader("Location", ub.build().toASCIIString());
+            response.setHeader(HttpHeaders.LOCATION, ub.build().toASCIIString());
         } catch (Exception e) {
             LOG.error("While preparing the Authentication Request", e);
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Logout.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Logout.java b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Logout.java
new file mode 100644
index 0000000..ab7151d
--- /dev/null
+++ b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Logout.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.ext.oidcclient.agent;
+
+import java.io.IOException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@WebServlet(name = "oidcclientlogout", urlPatterns = { "/oidcclient/logout" })
+public class Logout extends HttpServlet {
+
+    private static final long serialVersionUID = 2383239908659843071L;
+
+    protected static final Logger LOG = LoggerFactory.getLogger(Logout.class);
+
+    @Override
+    protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
+            throws ServletException, IOException {
+
+        try {
+            String successURL = getServletContext().getInitParameter(Constants.CONTEXT_PARAM_LOGOUT_SUCCESS_URL);
+            if (successURL == null) {
+                request.getRequestDispatcher("logoutSuccess.jsp").forward(request, response);
+            } else {
+                response.sendRedirect(successURL);
+            }
+            request.getSession().removeAttribute(Constants.OIDCCLIENTJWT);
+        } catch (Exception e) {
+            LOG.error("While processing authentication response from IdP", e);
+
+            String errorURL = getServletContext().getInitParameter(Constants.CONTEXT_PARAM_LOGOUT_ERROR_URL);
+            if (errorURL == null) {
+                request.setAttribute("exception", e);
+                request.getRequestDispatcher("logoutError.jsp").forward(request, response);
+
+                e.printStackTrace(response.getWriter());
+            } else {
+                response.sendRedirect(errorURL + "?errorMessage="
+                        + URLEncoder.encode(e.getMessage(), StandardCharsets.UTF_8.name()));
+            }
+        }
+    }
+
+}
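Review bot: The token is cleared only after the response has been forwarded or redirected: `request.getSession().removeAttribute(Constants.OIDCCLIENTJWT)` is the last statement of the `try`, so a failure during dispatch leaves the JWT in the session, and `getSession()` on a committed response with no existing session throws `IllegalStateException`, which lands in the `catch` and attempts a second redirect. Clear it first through `getSession(false)`, as in the excerpt below (it needs `javax.servlet.http.HttpSession`). In the error branch, `e.printStackTrace(response.getWriter())` sends the stack trace to the client after the forward and should be dropped, and `e.getMessage()` can be null when handed to `URLEncoder.encode`. The log text "While processing authentication response from IdP" looks copied from the login path and does not describe a logout.

```java
        try {
            // clear the token before anything is written, and do not create a session for anonymous requests
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.removeAttribute(Constants.OIDCCLIENTJWT);
            }

            String successURL = getServletContext().getInitParameter(Constants.CONTEXT_PARAM_LOGOUT_SUCCESS_URL);
            // … unchanged: forward to logoutSuccess.jsp or redirect to successURL …
        } catch (Exception e) {
            // … unchanged: error logging and errorURL handling, without e.printStackTrace(response.getWriter()) …
        }
```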

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/agent/src/main/resources/META-INF/resources/oidcclient/logoutError.jsp
----------------------------------------------------------------------
diff --git a/ext/oidcclient/agent/src/main/resources/META-INF/resources/oidcclient/logoutError.jsp b/ext/oidcclient/agent/src/main/resources/META-INF/resources/oidcclient/logoutError.jsp
new file mode 100644
index 0000000..df0cb3d
--- /dev/null
+++ b/ext/oidcclient/agent/src/main/resources/META-INF/resources/oidcclient/logoutError.jsp
@@ -0,0 +1,35 @@
+<%--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+--%>
+<%@page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
+<%
+    Exception exception = (Exception) request.getAttribute("exception");
+%>
+<html>
+  <head>
+    <title>Apache Syncope ${syncope.version} - OIDC CLIENT - Logout Error</title>
+  </head>
+  <body>
+    <h1>An error was found</h1>
+
+    <h2><%=exception.getMessage()%></h2>
+    <pre>
+      <%exception.printStackTrace(new java.io.PrintWriter(out));%>
+    </pre>
+  </body>
+</html>
\ No newline at end of file
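Review bot: `<%=exception.getMessage()%>` writes the message into the page without HTML escaping, and the `<pre>` block below it prints the full stack trace to the browser; both expose internals, and the message may contain request-derived text. Escape the message, e.g. `<%=org.apache.commons.lang3.StringEscapeUtils.escapeHtml4(exception.getMessage())%>` (commons-lang3 is already used by the agent in BeforeLogout.java), and leave the stack trace to the server log that Logout.java already writes. The page sits under META-INF/resources, so it is presumably reachable directly; in that case `exception` is null and the scriptlet throws, so a null guard is needed as well.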

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/agent/src/main/resources/META-INF/resources/oidcclient/logoutSuccess.jsp
----------------------------------------------------------------------
diff --git a/ext/oidcclient/agent/src/main/resources/META-INF/resources/oidcclient/logoutSuccess.jsp b/ext/oidcclient/agent/src/main/resources/META-INF/resources/oidcclient/logoutSuccess.jsp
new file mode 100644
index 0000000..ecbdc77
--- /dev/null
+++ b/ext/oidcclient/agent/src/main/resources/META-INF/resources/oidcclient/logoutSuccess.jsp
@@ -0,0 +1,27 @@
+<%--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+--%>
+<%@page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
+<html>
+  <head>
+    <title>Apache Syncope ${syncope.version} - OIDC CLIENT - Successful Logout</title>
+  </head>
+  <body>
+    <h1>You have been successfully logged out.</h1>
+  </body>
+</html>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientBeforeLogout.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientBeforeLogout.java b/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientBeforeLogout.java
new file mode 100644
index 0000000..0a5a766
--- /dev/null
+++ b/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientBeforeLogout.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.client.console.pages;
+
+import org.apache.wicket.markup.html.WebPage;
+import org.apache.wicket.request.UrlUtils;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.handler.RedirectRequestHandler;
+
+public class OIDCClientBeforeLogout extends WebPage {
+
+    private static final long serialVersionUID = 4666948447239743855L;
+
+    public OIDCClientBeforeLogout() {
+        super();
+
+        RequestCycle.get().scheduleRequestHandlerAfterCurrent(new RedirectRequestHandler(
+                UrlUtils.rewriteToContextRelative("oidcclient/beforelogout", RequestCycle.get())));
+    }
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientLogin.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientLogin.java b/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientLogin.java
index 41b6cdc..af979d7 100644
--- a/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientLogin.java
+++ b/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientLogin.java
@@ -52,6 +52,11 @@ public class OIDCClientLogin extends WebPage {
         IAuthenticationStrategy strategy = getApplication().getSecuritySettings().getAuthenticationStrategy();
 
         if (SyncopeConsoleSession.get().authenticate(token)) {
+            if (parameters.get("logoutSupported").toBoolean(false)) {
+                SyncopeConsoleSession.get().setAttribute(
+                        org.apache.syncope.client.console.commons.Constants.BEFORE_LOGOUT_PAGE,
+                        OIDCClientBeforeLogout.class);
+            }
 
             // If login has been called because the user was not yet logged in, than continue to the
             // original destination, otherwise to the Home page
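Review bot: `parameters.get("logoutSupported").toBoolean(false)` takes the decision to register `OIDCClientBeforeLogout` from a query parameter that has passed through the browser, so a user who edits or drops it gets a local-only logout that leaves the OP session open. If the agent and this page share the HTTP session (not visible in this hunk), read the flag from there or from the provider configuration instead. Spelling out `org.apache.syncope.client.console.commons.Constants` inline is hard to read; an import would be cleaner if no other `Constants` is already imported in this file. The constructor starts and ends outside the hunk, and per the diffstat the enduser `OIDCClientLogin` appears to receive the same change.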

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientLogout.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientLogout.java b/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientLogout.java
new file mode 100644
index 0000000..e13b40c
--- /dev/null
+++ b/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/pages/OIDCClientLogout.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.client.console.pages;
+
+import org.apache.syncope.client.console.SyncopeConsoleSession;
+import org.apache.wicket.markup.html.WebPage;
+
+public class OIDCClientLogout extends WebPage {
+
+    private static final long serialVersionUID = -4862264444058746154L;
+
+    public OIDCClientLogout() {
+        super();
+
+        SyncopeConsoleSession.get().cleanup();
+
+        SyncopeConsoleSession.get().invalidate();
+
+        setResponsePage(getApplication().getHomePage());
+    }
+
+}
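Review bot: The constructor calls `SyncopeConsoleSession.get().invalidate()` for every request that reaches this page, with nothing tying the request to a logout the user actually started. BeforeLogout.java sends no `state` with the end-session redirect, so there is no value to compare on return; adding one and checking it before invalidating would stop an unrelated link from ending a console session. A class comment stating where this page sits in the logout flow would help, since its mount point is not part of this file.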

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder.java b/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder.java
index 2fa465a..9fec11b 100644
--- a/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder.java
+++ b/ext/oidcclient/client-console/src/main/java/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder.java
@@ -180,7 +180,6 @@ public class OIDCProviderWizardBuilder extends AjaxWizardBuilder<OIDCProviderTO>
 
             final AjaxTextFieldPanel userinfoEndpoint = new AjaxTextFieldPanel("userinfoEndpoint",
                     "userinfoEndpoint", new PropertyModel<String>(opTO, "userinfoEndpoint"));
-            userinfoEndpoint.addRequiredLabel();
             userinfoEndpoint.addValidator(urlValidator);
             content.add(userinfoEndpoint);
 
@@ -196,12 +195,18 @@ public class OIDCProviderWizardBuilder extends AjaxWizardBuilder<OIDCProviderTO>
             jwksUri.addValidator(urlValidator);
             content.add(jwksUri);
 
+            final AjaxTextFieldPanel endSessionEndpoint = new AjaxTextFieldPanel("endSessionEndpoint",
+                    "endSessionEndpoint", new PropertyModel<String>(opTO, "endSessionEndpoint"));
+            endSessionEndpoint.addValidator(urlValidator);
+            content.add(endSessionEndpoint);
+
             final WebMarkupContainer visibleParam = new WebMarkupContainer("visibleParams");
             visibleParam.setOutputMarkupPlaceholderTag(true);
             visibleParam.add(authorizationEndpoint);
             visibleParam.add(userinfoEndpoint);
             visibleParam.add(tokenEndpoint);
             visibleParam.add(jwksUri);
+            visibleParam.add(endSessionEndpoint);
             content.add(visibleParam);
 
             showHide(hasDiscovery, visibleParam);
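Review bot: `endSessionEndpoint` ends up as the target of a browser redirect in BeforeLogout.java, and the only input check on it here is `urlValidator`, which is defined outside this hunk; confirm it restricts the value to `http`/`https` URLs. The field is left optional, so it is worth confirming that a blank value is treated as "logout not supported" rather than reaching `UriBuilder.fromUri` in the agent. The same field construction is repeated in the read-only branch in the next hunk; a small private helper would keep the two in step.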
@@ -256,12 +261,18 @@ public class OIDCProviderWizardBuilder extends AjaxWizardBuilder<OIDCProviderTO>
             jwksUri.setReadOnly(readOnly);
             content.add(jwksUri);
 
+            final AjaxTextFieldPanel endSessionEndpoint = new AjaxTextFieldPanel("endSessionEndpoint",
+                    "endSessionEndpoint", new PropertyModel<String>(opTO, "endSessionEndpoint"));
+            endSessionEndpoint.setReadOnly(readOnly);
+            content.add(endSessionEndpoint);
+
             final WebMarkupContainer visibleParam = new WebMarkupContainer("visibleParams");
             visibleParam.setOutputMarkupPlaceholderTag(true);
             visibleParam.add(authorizationEndpoint);
             visibleParam.add(userinfoEndpoint);
             visibleParam.add(tokenEndpoint);
             visibleParam.add(jwksUri);
+            visibleParam.add(endSessionEndpoint);
             content.add(visibleParam);
         }
     }

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.html
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.html b/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.html
index 01da6ec..0f8de21 100644
--- a/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.html
+++ b/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.html
@@ -27,6 +27,7 @@ under the License.
         <span wicket:id="tokenEndpoint">[tokenEndpoint]</span>
         <span wicket:id="jwksUri">[jwksUri]</span>
         <span wicket:id="userinfoEndpoint">[userinfoEndpoint]</span>
+        <span wicket:id="endSessionEndpoint">[endSessionEndpoint]</span>
       </div>
     </div>
   </wicket:panel>

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.properties
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.properties b/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.properties
index 3f1d085..d41462e 100644
--- a/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.properties
+++ b/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.properties
@@ -20,6 +20,8 @@ authorizationEndpoint= Authorization Endpoint
 userinfoEndpoint= Userinfo Endpoint
 tokenEndpoint= Token Endpoint
 jwksUri= JWKS URI
+endSessionEndpoint= EndSession Endpoint
+
 
 
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_it.properties
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_it.properties b/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_it.properties
index 3f1d085..d41462e 100644
--- a/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_it.properties
+++ b/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_it.properties
@@ -20,6 +20,8 @@ authorizationEndpoint= Authorization Endpoint
 userinfoEndpoint= Userinfo Endpoint
 tokenEndpoint= Token Endpoint
 jwksUri= JWKS URI
+endSessionEndpoint= EndSession Endpoint
+
 
 
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_pt_BR.properties
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_pt_BR.properties b/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_pt_BR.properties
index 3f1d085..d41462e 100644
--- a/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_pt_BR.properties
+++ b/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_pt_BR.properties
@@ -20,6 +20,8 @@ authorizationEndpoint= Authorization Endpoint
 userinfoEndpoint= Userinfo Endpoint
 tokenEndpoint= Token Endpoint
 jwksUri= JWKS URI
+endSessionEndpoint= EndSession Endpoint
+
 
 
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_ru.properties
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_ru.properties b/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_ru.properties
index 3f1d085..d41462e 100644
--- a/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_ru.properties
+++ b/ext/oidcclient/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue_ru.properties
@@ -20,6 +20,8 @@ authorizationEndpoint= Authorization Endpoint
 userinfoEndpoint= Userinfo Endpoint
 tokenEndpoint= Token Endpoint
 jwksUri= JWKS URI
+endSessionEndpoint= EndSession Endpoint
+
 
 
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientBeforeLogout.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientBeforeLogout.java b/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientBeforeLogout.java
new file mode 100644
index 0000000..fd22b0e
--- /dev/null
+++ b/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientBeforeLogout.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.client.enduser.pages;
+
+import org.apache.wicket.markup.html.WebPage;
+import org.apache.wicket.request.UrlUtils;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.handler.RedirectRequestHandler;
+
+public class OIDCClientBeforeLogout extends WebPage {
+
+    private static final long serialVersionUID = 4666948447239743855L;
+
+    public OIDCClientBeforeLogout() {
+        super();
+
+        RequestCycle.get().scheduleRequestHandlerAfterCurrent(new RedirectRequestHandler(
+                UrlUtils.rewriteToContextRelative("oidcclient/beforelogout", RequestCycle.get())));
+    }
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientLogin.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientLogin.java b/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientLogin.java
index 5aa8578..a6c712a 100644
--- a/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientLogin.java
+++ b/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientLogin.java
@@ -20,6 +20,7 @@ package org.apache.syncope.client.enduser.pages;
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.syncope.client.enduser.SyncopeEnduserSession;
+import org.apache.syncope.client.enduser.commons.Constants;
 import org.apache.wicket.authentication.IAuthenticationStrategy;
 import org.apache.wicket.markup.html.WebPage;
 import org.apache.wicket.protocol.http.servlet.ServletWebRequest;
@@ -51,6 +52,10 @@ public class OIDCClientLogin extends WebPage {
         IAuthenticationStrategy strategy = getApplication().getSecuritySettings().getAuthenticationStrategy();
 
         if (SyncopeEnduserSession.get().authenticate(token)) {
+            if (parameters.get("logoutSupported").toBoolean(false)) {
+                SyncopeEnduserSession.get().setAttribute(Constants.BEFORE_LOGOUT, OIDCClientBeforeLogout.class);
+            }
+
             setResponsePage(getApplication().getHomePage());
         } else {
             PageParameters params = new PageParameters();
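Review bot: The `logoutSupported` flag at the top of the added block is read from the page parameters, so whether the `BEFORE_LOGOUT` hook is installed depends on a value carried in the request rather than on server-side state. If those parameters arrive through a redirect URL (the code that builds them is outside this hunk), a request where the parameter is missing or false leaves the session without the provider logout step, and a later logout would end only the local session. Consider setting the flag from the login response while it is still server-side, and replacing the `"logoutSupported"` literal with a named constant kept next to `BEFORE_LOGOUT`. The constructor starts and ends outside the hunk.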

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientLogout.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientLogout.java b/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientLogout.java
new file mode 100644
index 0000000..4a89000
--- /dev/null
+++ b/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/pages/OIDCClientLogout.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.client.enduser.pages;
+
+import org.apache.syncope.client.enduser.SyncopeEnduserSession;
+import org.apache.wicket.markup.html.WebPage;
+import org.apache.wicket.request.mapper.parameter.PageParameters;
+
+public class OIDCClientLogout extends WebPage {
+
+    private static final long serialVersionUID = -1453838909720946011L;
+
+    public OIDCClientLogout(final PageParameters parameters) {
+        super(parameters);
+
+        SyncopeEnduserSession.get().invalidateNow();
+
+        setResponsePage(getApplication().getHomePage());
+    }
+}
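Review bot: The constructor calls `invalidateNow()` for every request that reaches this page, and the web.xml hunks in this commit expose it under a bookmarkable URL, so the session is ended whether or not the request is the return leg of a logout that this session started. OpenID Connect RP-initiated logout allows a `state` value to be sent to the end-session endpoint and echoed on the post-logout redirect; storing one in the session before the redirect and comparing it here would tie the two legs together. Whether a `state` is already sent is not visible in this part of the commit. `parameters` is only passed to `super` and never read, and a short class comment saying that this page is the `oidcclient.logout.success.url` target would help the next reader.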

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/resources/OIDCProvidersResource.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/resources/OIDCProvidersResource.java b/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/resources/OIDCProvidersResource.java
index 3bb2d63..442060e 100644
--- a/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/resources/OIDCProvidersResource.java
+++ b/ext/oidcclient/client-enduser/src/main/java/org/apache/syncope/client/enduser/resources/OIDCProvidersResource.java
@@ -18,8 +18,6 @@
  */
 package org.apache.syncope.client.enduser.resources;
 
-import static org.apache.syncope.client.enduser.resources.BaseResource.MAPPER;
-
 import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import java.io.IOException;

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/OIDCConstants.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/OIDCConstants.java b/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/OIDCConstants.java
index b0b406a..78b00b6 100644
--- a/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/OIDCConstants.java
+++ b/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/OIDCConstants.java
@@ -29,6 +29,8 @@ public final class OIDCConstants {
     public static final String RESPONSE_TYPE = "response_type";
 
     public static final String STATE = "state";
+    
+    public static final String POST_LOGOUT_REDIRECT_URI = "post_logout_redirect_uri";
 
     public static final String REDIRECT_URI = "redirect_uri";
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLoginResponseTO.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLoginResponseTO.java b/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLoginResponseTO.java
index fd356a9..d5e0679 100644
--- a/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLoginResponseTO.java
+++ b/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLoginResponseTO.java
@@ -39,15 +39,7 @@ public class OIDCLoginResponseTO extends AbstractBaseBean {
 
     private String username;
 
-    private String email;
-
-    private String name;
-
-    private String subject;
-
-    private String givenName;
-
-    private String familyName;
+    private boolean logoutSupported;
 
     private String accessToken;
 
@@ -63,44 +55,12 @@ public class OIDCLoginResponseTO extends AbstractBaseBean {
         this.username = username;
     }
 
-    public String getEmail() {
-        return email;
-    }
-
-    public void setEmail(final String email) {
-        this.email = email;
-    }
-
-    public String getName() {
-        return name;
-    }
-
-    public void setName(final String name) {
-        this.name = name;
-    }
-
-    public String getSubject() {
-        return subject;
-    }
-
-    public void setSubject(final String subject) {
-        this.subject = subject;
-    }
-
-    public String getGivenName() {
-        return givenName;
-    }
-
-    public void setGivenName(final String givenName) {
-        this.givenName = givenName;
-    }
-
-    public String getFamilyName() {
-        return familyName;
+    public boolean isLogoutSupported() {
+        return logoutSupported;
     }
 
-    public void setFamilyName(final String familyName) {
-        this.familyName = familyName;
+    public void setLogoutSupported(final boolean logoutSupported) {
+        this.logoutSupported = logoutSupported;
     }
 
     public String getAccessToken() {

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLogoutRequestTO.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLogoutRequestTO.java b/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLogoutRequestTO.java
new file mode 100644
index 0000000..80d83a1
--- /dev/null
+++ b/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLogoutRequestTO.java
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.to;
+
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+import org.apache.syncope.common.lib.AbstractBaseBean;
+
+@XmlRootElement(name = "oidcLogoutRequest")
+@XmlType
+public class OIDCLogoutRequestTO extends AbstractBaseBean {
+
+    private static final long serialVersionUID = -4708360216757961537L;
+
+    private String endSessionEndpoint;
+
+    public String getEndSessionEndpoint() {
+        return endSessionEndpoint;
+    }
+
+    public void setEndSessionEndpoint(final String endSessionEndpoint) {
+        this.endSessionEndpoint = endSessionEndpoint;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCProviderTO.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCProviderTO.java b/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCProviderTO.java
index 2bb88aa..699147e 100644
--- a/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCProviderTO.java
+++ b/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCProviderTO.java
@@ -56,6 +56,8 @@ public class OIDCProviderTO extends AbstractBaseBean implements EntityTO, ItemCo
 
     private String userinfoEndpoint;
 
+    private String endSessionEndpoint;
+
     private boolean hasDiscovery;
 
     private UserTO userTemplate;
@@ -143,6 +145,14 @@ public class OIDCProviderTO extends AbstractBaseBean implements EntityTO, ItemCo
         this.userinfoEndpoint = userinfoEndpoint;
     }
 
+    public String getEndSessionEndpoint() {
+        return endSessionEndpoint;
+    }
+
+    public void setEndSessionEndpoint(final String endSessionEndpoint) {
+        this.endSessionEndpoint = endSessionEndpoint;
+    }
+
     public UserTO getUserTemplate() {
         return userTemplate;
     }
@@ -174,8 +184,6 @@ public class OIDCProviderTO extends AbstractBaseBean implements EntityTO, ItemCo
     public void setUpdateMatching(final boolean updateMatching) {
         this.updateMatching = updateMatching;
     }
-    
-    
 
     @Override
     public ItemTO getConnObjectKeyItem() {

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCClientLogic.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCClientLogic.java b/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCClientLogic.java
index b56a819..c96f79f 100644
--- a/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCClientLogic.java
+++ b/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCClientLogic.java
@@ -41,6 +41,7 @@ import org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider;
 import org.apache.cxf.rs.security.oauth2.client.Consumer;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oidc.common.AbstractUserInfo;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.common.UserInfo;
 import org.apache.cxf.rs.security.oidc.rp.IdTokenReader;
@@ -50,6 +51,7 @@ import org.apache.syncope.common.lib.SyncopeClientException;
 import org.apache.syncope.common.lib.to.AttrTO;
 import org.apache.syncope.common.lib.to.OIDCLoginRequestTO;
 import org.apache.syncope.common.lib.to.OIDCLoginResponseTO;
+import org.apache.syncope.common.lib.to.OIDCLogoutRequestTO;
 import org.apache.syncope.common.lib.types.CipherAlgorithm;
 import org.apache.syncope.common.lib.types.ClientExceptionType;
 import org.apache.syncope.common.lib.types.StandardEntitlement;
@@ -146,24 +148,22 @@ public class OIDCClientLogic extends AbstractTransactionalLogic<AbstractBaseBean
             throw sce;
         }
 
-        // 1. get OpenID Connect tokens
         Consumer consumer = new Consumer(op.getClientID(), op.getClientSecret());
 
         // 2. validate token
         LOG.debug("Id Token to be validated: {}", tokenEndpointResponse.getIdToken());
         IdToken idToken = getValidatedIdToken(op, consumer, tokenEndpointResponse.getIdToken());
 
-        // 3. extract user information
-        UserInfo userInfo = getUserInfo(op, tokenEndpointResponse.getAccessToken(), idToken, consumer);
-
-        // 4. prepare the result: find matching user (if any) and return the received attributes
+        // 3. prepare the result:
         final OIDCLoginResponseTO responseTO = new OIDCLoginResponseTO();
-        responseTO.setEmail(userInfo.getEmail());
-        responseTO.setFamilyName(userInfo.getFamilyName());
-        responseTO.setGivenName(userInfo.getGivenName());
-        responseTO.setName(userInfo.getName());
-        responseTO.setSubject(userInfo.getSubject());
+        responseTO.setLogoutSupported(StringUtils.isNotBlank(op.getEndSessionEndpoint()));
+
+        // 3a. extract user info from userInfoEndpoint if exists otherwise from idToken
+        AbstractUserInfo userInfo = StringUtils.isBlank(op.getUserinfoEndpoint())
+                ? idToken
+                : getUserInfo(op.getUserinfoEndpoint(), tokenEndpointResponse.getAccessToken(), idToken, consumer);
 
+        // 3b. find matching user (if any) and return the received attributes
         String keyValue = userInfo.getEmail();
         for (OIDCProviderItem item : op.getItems()) {
             AttrTO attrTO = new AttrTO();
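Review bot: With a blank userinfo endpoint the ID token now stands in for the user info, so `String keyValue = userInfo.getEmail();` depends on the provider putting an `email` claim into the ID token, which is not guaranteed. How a null `keyValue` is handled is outside this hunk; if it can reach the user-matching lookup unchecked, the login should instead fail with an explicit error that names the missing claim. The step comments also now begin at `// 2. validate token`, because `// 1.` was removed without renumbering. The method starts and ends outside the hunk.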
@@ -347,7 +347,7 @@ public class OIDCClientLogic extends AbstractTransactionalLogic<AbstractBaseBean
 
         responseTO.setUsername(username);
 
-        // 5. generate JWT for further access
+        // 4. generate JWT for further access
         Map<String, Object> claims = new HashMap<>();
         claims.put(JWT_CLAIM_OP_ENTITYID, idToken.getIssuer());
         claims.put(JWT_CLAIM_USERID, idToken.getSubject());
@@ -405,13 +405,12 @@ public class OIDCClientLogic extends AbstractTransactionalLogic<AbstractBaseBean
     }
 
     private UserInfo getUserInfo(
-            final OIDCProvider op,
+            final String endpoint,
             final String accessToken,
             final IdToken idToken,
             final Consumer consumer) {
 
-        WebClient userInfoServiceClient = WebClient.create(
-                op.getUserinfoEndpoint(), Arrays.asList(new JsonMapObjectProvider())).
+        WebClient userInfoServiceClient = WebClient.create(endpoint, Arrays.asList(new JsonMapObjectProvider())).
                 accept(MediaType.APPLICATION_JSON);
         ClientAccessToken clientAccessToken =
                 new ClientAccessToken(OAuthConstants.BEARER_AUTHORIZATION_SCHEME, accessToken);
@@ -429,6 +428,13 @@ public class OIDCClientLogic extends AbstractTransactionalLogic<AbstractBaseBean
         return userInfo;
     }
 
+    @PreAuthorize("isAuthenticated() and not(hasRole('" + StandardEntitlement.ANONYMOUS + "'))")
+    public OIDCLogoutRequestTO createLogoutRequest(final String op) {
+        OIDCLogoutRequestTO logoutRequest = new OIDCLogoutRequestTO();
+        logoutRequest.setEndSessionEndpoint(getOIDCProvider(op).getEndSessionEndpoint());
+        return logoutRequest;
+    }
+
     @Override
     protected AbstractBaseBean resolveReference(
             final Method method, final Object... args) throws UnresolvedReferenceException {
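Review bot: `createLogoutRequest` returns a TO whose `endSessionEndpoint` is null when the provider has none configured, which the entity now allows (`@Column(nullable = true)` in JPAOIDCProvider). The login path in this same commit already treats a blank endpoint as "logout not supported" via `StringUtils.isNotBlank(op.getEndSessionEndpoint())`, so the same condition here would be better reported as an explicit error than left for each caller to null-check before redirecting. The method also has no Javadoc; one sentence stating that it requires an authenticated, non-anonymous caller and what happens for an unknown `op` (decided inside `getOIDCProvider`, not visible here) would be enough. `resolveReference` after it continues outside the hunk.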

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCProviderLogic.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCProviderLogic.java b/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCProviderLogic.java
index 17873f3..26edcdd 100644
--- a/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCProviderLogic.java
+++ b/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCProviderLogic.java
@@ -18,8 +18,6 @@
  */
 package org.apache.syncope.core.logic;
 
-import static org.apache.syncope.core.logic.AbstractLogic.LOG;
-
 import com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider;
 import java.lang.reflect.Method;
 import java.util.ArrayList;
@@ -80,6 +78,7 @@ public class OIDCProviderLogic extends AbstractTransactionalLogic<OIDCProviderTO
         opTO.setJwksUri(discoveryDocument.getJwksUri());
         opTO.setTokenEndpoint(discoveryDocument.getTokenEndpoint());
         opTO.setUserinfoEndpoint(discoveryDocument.getUserinfoEndpoint());
+        opTO.setEndSessionEndpoint(discoveryDocument.getEndSessionEndpoint());
 
         return create(opTO);
     }
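Review bot: The value of `discoveryDocument.getEndSessionEndpoint()` is stored without any check, and the added lines in `OIDCProviderDataBinderImpl` copy whatever the TO carries in the same way. Because this value later becomes the address the user's browser is sent to at logout (that redirect is outside this part of the commit), it is worth rejecting anything that is not an absolute `https` URI when the provider is created or updated. The neighbouring endpoints are copied unchecked as well, so one shared validation step for all of them would fit better than a special case for this field. The method starts outside the hunk.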

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/OIDCProvider.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/OIDCProvider.java b/ext/oidcclient/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/OIDCProvider.java
index cf30781..7759369 100644
--- a/ext/oidcclient/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/OIDCProvider.java
+++ b/ext/oidcclient/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/OIDCProvider.java
@@ -54,6 +54,10 @@ public interface OIDCProvider extends Entity {
     String getUserinfoEndpoint();
 
     void setUserinfoEndpoint(String userinfoEndpoint);
+    
+    String getEndSessionEndpoint();
+
+    void setEndSessionEndpoint(String endSessionEndpoint);
 
     boolean getHasDiscovery();
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAOIDCProvider.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAOIDCProvider.java b/ext/oidcclient/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAOIDCProvider.java
index 5ea6468..cfd8ccc 100644
--- a/ext/oidcclient/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAOIDCProvider.java
+++ b/ext/oidcclient/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAOIDCProvider.java
@@ -71,8 +71,11 @@ public class JPAOIDCProvider extends AbstractGeneratedKeyEntity implements OIDCP
     @Column(nullable = false)
     private String issuer;
 
-    @Column(nullable = false)
+    @Column(nullable = true)
     private String userinfoEndpoint;
+    
+    @Column(nullable = true)
+    private String endSessionEndpoint;
 
     @Column(nullable = false)
     private boolean hasDiscovery;
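Review bot: Relaxing `userinfoEndpoint` to `@Column(nullable = true)` and adding the `endSessionEndpoint` column changes the table for installations that already created it with the NOT NULL constraint. Unless the schema is regenerated or altered on upgrade (not visible in this commit), saving a provider without a userinfo endpoint would still fail on such a database, so an upgrade note or migration statement should accompany the change. The class body continues outside the hunk.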
@@ -179,6 +182,16 @@ public class JPAOIDCProvider extends AbstractGeneratedKeyEntity implements OIDCP
     public void setUserinfoEndpoint(final String userinfoEndpoint) {
         this.userinfoEndpoint = userinfoEndpoint;
     }
+    
+    @Override
+    public String getEndSessionEndpoint() {
+        return endSessionEndpoint;
+    }
+
+    @Override
+    public void setEndSessionEndpoint(final String endSessionEndpoint) {
+        this.endSessionEndpoint = endSessionEndpoint;
+    }
 
     @Override
     public boolean getHasDiscovery() {

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCProviderDataBinderImpl.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCProviderDataBinderImpl.java b/ext/oidcclient/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCProviderDataBinderImpl.java
index 6cfa235..0f01eac 100644
--- a/ext/oidcclient/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCProviderDataBinderImpl.java
+++ b/ext/oidcclient/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCProviderDataBinderImpl.java
@@ -182,6 +182,7 @@ public class OIDCProviderDataBinderImpl implements OIDCProviderDataBinder {
         op.setJwksUri(opTO.getJwksUri());
         op.setTokenEndpoint(opTO.getTokenEndpoint());
         op.setUserinfoEndpoint(opTO.getUserinfoEndpoint());
+        op.setEndSessionEndpoint(opTO.getEndSessionEndpoint());
         op.setHasDiscovery(opTO.getHasDiscovery());
         op.setCreateUnmatching(opTO.isCreateUnmatching());
         op.setUpdateMatching(opTO.isUpdateMatching());
@@ -248,6 +249,7 @@ public class OIDCProviderDataBinderImpl implements OIDCProviderDataBinder {
         opTO.setJwksUri(op.getJwksUri());
         opTO.setTokenEndpoint(op.getTokenEndpoint());
         opTO.setUserinfoEndpoint(op.getUserinfoEndpoint());
+        opTO.setEndSessionEndpoint(op.getEndSessionEndpoint());
         opTO.setHasDiscovery(op.getHasDiscovery());
         opTO.setCreateUnmatching(op.isCreateUnmatching());
         opTO.setUpdateMatching(op.isUpdateMatching());

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/rest-api/src/main/java/org/apache/syncope/common/rest/api/service/OIDCClientService.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/rest-api/src/main/java/org/apache/syncope/common/rest/api/service/OIDCClientService.java b/ext/oidcclient/rest-api/src/main/java/org/apache/syncope/common/rest/api/service/OIDCClientService.java
index 5585502..af9c77f 100644
--- a/ext/oidcclient/rest-api/src/main/java/org/apache/syncope/common/rest/api/service/OIDCClientService.java
+++ b/ext/oidcclient/rest-api/src/main/java/org/apache/syncope/common/rest/api/service/OIDCClientService.java
@@ -29,6 +29,7 @@ import org.apache.syncope.common.lib.OIDCConstants;
 import org.apache.syncope.common.lib.SyncopeConstants;
 import org.apache.syncope.common.lib.to.OIDCLoginRequestTO;
 import org.apache.syncope.common.lib.to.OIDCLoginResponseTO;
+import org.apache.syncope.common.lib.to.OIDCLogoutRequestTO;
 
 /**
  * REST operations for OpenID Connect Clients.
@@ -71,4 +72,15 @@ public interface OIDCClientService extends JAXRSService {
             @QueryParam("authorizationCode") String authorizationCode,
             @QueryParam(OIDCConstants.OP) String op);
 
+    /**
+     * Returns the endSession endpoint for the provided op.
+     *
+     * @param op OpenID Connect Provider
+     * @return endSession endpoint for the provided op
+     */
+    @POST
+    @Path("logout")
+    @Produces({ MediaType.APPLICATION_JSON, SyncopeConstants.APPLICATION_YAML, MediaType.APPLICATION_XML })
+    OIDCLogoutRequestTO createLogoutRequest(@QueryParam(OIDCConstants.OP) String op);
+
 }

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/oidcclient/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/service/OIDCClientServiceImpl.java
----------------------------------------------------------------------
diff --git a/ext/oidcclient/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/service/OIDCClientServiceImpl.java b/ext/oidcclient/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/service/OIDCClientServiceImpl.java
index 74c14b9..f86de45 100644
--- a/ext/oidcclient/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/service/OIDCClientServiceImpl.java
+++ b/ext/oidcclient/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/service/OIDCClientServiceImpl.java
@@ -24,6 +24,7 @@ import org.apache.syncope.core.logic.OIDCClientLogic;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.apache.syncope.common.lib.to.OIDCLoginResponseTO;
+import org.apache.syncope.common.lib.to.OIDCLogoutRequestTO;
 
 @Service
 public class OIDCClientServiceImpl extends AbstractServiceImpl implements OIDCClientService {
@@ -41,4 +42,9 @@ public class OIDCClientServiceImpl extends AbstractServiceImpl implements OIDCCl
         return logic.login(redirectURI, authorizationCode, op);
     }
 
+    @Override
+    public OIDCLogoutRequestTO createLogoutRequest(final String op) {
+        return logic.createLogoutRequest(op);
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/AbstractSAML2SPServlet.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/AbstractSAML2SPServlet.java b/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/AbstractSAML2SPServlet.java
index f2bbabf..574d91e 100644
--- a/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/AbstractSAML2SPServlet.java
+++ b/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/AbstractSAML2SPServlet.java
@@ -55,7 +55,7 @@ public abstract class AbstractSAML2SPServlet extends HttpServlet {
                 ub.queryParam(SSOConstants.SIGNATURE, requestTO.getSignature());
 
                 response.setStatus(HttpServletResponse.SC_SEE_OTHER);
-                response.setHeader("Location", ub.build().toASCIIString());
+                response.setHeader(HttpHeaders.LOCATION, ub.build().toASCIIString());
                 break;
 
             case POST:
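Review bot: `HttpHeaders.LOCATION` is introduced on the changed line, but this file's diff contains no hunk that adds an import, so the line compiles only if `HttpHeaders` was already imported in AbstractSAML2SPServlet. If it was not, the matching import needs to be part of this commit. The `switch` continues outside the hunk.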

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/fit/console-reference/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/fit/console-reference/src/main/webapp/WEB-INF/web.xml b/fit/console-reference/src/main/webapp/WEB-INF/web.xml
index 1dc41d1..4bfe198 100644
--- a/fit/console-reference/src/main/webapp/WEB-INF/web.xml
+++ b/fit/console-reference/src/main/webapp/WEB-INF/web.xml
@@ -62,6 +62,15 @@ under the License.
     <param-name>oidcclient.login.error.url</param-name>
     <param-value>../wicket/bookmarkable/org.apache.syncope.client.console.pages.Login</param-value>
   </context-param>
+  
+  <context-param>
+    <param-name>oidcclient.logout.success.url</param-name>
+    <param-value>../wicket/bookmarkable/org.apache.syncope.client.console.pages.OIDCClientLogout</param-value>
+  </context-param>
+  <context-param>
+    <param-name>oidcclient.logout.error.url</param-name>
+    <param-value>../wicket/bookmarkable/org.apache.syncope.client.console.pages.Login</param-value>
+  </context-param>
 
   <!-- SESSION TIMEOUT (MINUTES)-->
   <session-config>

http://git-wip-us.apache.org/repos/asf/syncope/blob/c0a3d367/fit/enduser-reference/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/fit/enduser-reference/src/main/webapp/WEB-INF/web.xml b/fit/enduser-reference/src/main/webapp/WEB-INF/web.xml
index 81a7651..03444d2 100644
--- a/fit/enduser-reference/src/main/webapp/WEB-INF/web.xml
+++ b/fit/enduser-reference/src/main/webapp/WEB-INF/web.xml
@@ -61,6 +61,15 @@ under the License.
     <param-name>oidcclient.login.error.url</param-name>
     <param-value>../wicket/bookmarkable/org.apache.syncope.client.enduser.pages.HomePage</param-value>
   </context-param>
+  
+  <context-param>
+    <param-name>oidcclient.logout.success.url</param-name>
+    <param-value>../wicket/bookmarkable/org.apache.syncope.client.enduser.pages.OIDCClientLogout</param-value>
+  </context-param>
+  <context-param>
+    <param-name>oidcclient.logout.error.url</param-name>
+    <param-value>../wicket/bookmarkable/org.apache.syncope.client.enduser.pages.HomePage</param-value>
+  </context-param>
 
 
   <!-- SESSION TIMEOUT (MINUTES)-->

