Implement session logout in OAuth2Authenticator

core/trino-main/src/main/java/io/trino/server/security/oauth2/NimbusOAuth2Client.java

@@ -61,6 +61,7 @@
 import io.airlift.log.Logger;
 import io.airlift.units.Duration;
 import io.trino.server.security.oauth2.OAuth2ServerConfigProvider.OAuth2ServerConfig;
+import jakarta.ws.rs.core.UriBuilder;
 
 import java.net.MalformedURLException;
 import java.net.URI;
@@ -101,6 +102,7 @@ public class NimbusOAuth2Client
     private URI authUrl;
     private URI tokenUrl;
     private Optional<URI> userinfoUrl;
+    private Optional<URI> endSessionUrl;
     private JWSKeySelector<SecurityContext> jwsKeySelector;
     private JWTProcessor<SecurityContext> accessTokenProcessor;
     private AuthorizationCodeFlow flow;
@@ -128,13 +130,14 @@ public NimbusOAuth2Client(OAuth2Config oauthConfig, OAuth2ServerConfigProvider s
     public void load()
     {
         OAuth2ServerConfig config = serverConfigurationProvider.get();
-        this.authUrl = config.getAuthUrl();
-        this.tokenUrl = config.getTokenUrl();
-        this.userinfoUrl = config.getUserinfoUrl();
+        this.authUrl = config.authUrl();
+        this.tokenUrl = config.tokenUrl();
+        this.userinfoUrl = config.userinfoUrl();
+        this.endSessionUrl = config.endSessionUrl();
         try {
             jwsKeySelector = new JWSVerificationKeySelector<>(
                     Stream.concat(JWSAlgorithm.Family.RSA.stream(), JWSAlgorithm.Family.EC.stream()).collect(toImmutableSet()),
-                    JWKSourceBuilder.create(config.getJwksUrl().toURL(), httpClient).build());
+                    JWKSourceBuilder.create(config.jwksUrl().toURL(), httpClient).build());
         }
         catch (MalformedURLException e) {
             throw new RuntimeException(e);
@@ -148,7 +151,7 @@ public void load()
         DefaultJWTClaimsVerifier<SecurityContext> accessTokenVerifier = new DefaultJWTClaimsVerifier<>(
                 accessTokenAudiences,
                 new JWTClaimsSet.Builder()
-                        .issuer(config.getAccessTokenIssuer().orElse(issuer.getValue()))
+                        .issuer(config.accessTokenIssuer().orElse(issuer.getValue()))
                         .build(),
                 ImmutableSet.of(principalField),
                 ImmutableSet.of());
@@ -189,6 +192,18 @@ public Response refreshTokens(String refreshToken)
         return flow.refreshTokens(refreshToken);
     }
 
+    @Override
+    public Optional<URI> getLogoutEndpoint(Optional<String> idToken, URI callbackUrl)
+    {
+        if (endSessionUrl.isPresent()) {
+            UriBuilder builder = UriBuilder.fromUri(endSessionUrl.get());
+            idToken.ifPresent(token -> builder.queryParam("id_token_hint", token));
+            builder.queryParam("post_logout_redirect_uri", callbackUrl);
+            return Optional.of(builder.build());
+        }
+        return Optional.empty();
+    }
+
     private interface AuthorizationCodeFlow
     {
         Request createAuthorizationRequest(String state, URI callbackUri);

core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Client.java

@@ -34,6 +34,8 @@ Response getOAuth2Response(String code, URI callbackUri, Optional<String> nonce)
     Response refreshTokens(String refreshToken)
             throws ChallengeFailedException;
 
+    Optional<URI> getLogoutEndpoint(Optional<String> idToken, URI callbackUrl);
+
     class Request
     {
         private final URI authorizationUri;

core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2ServerConfigProvider.java

@@ -22,46 +22,16 @@ public interface OAuth2ServerConfigProvider
 {
     OAuth2ServerConfig get();
 
-    class OAuth2ServerConfig
+    record OAuth2ServerConfig(Optional<String> accessTokenIssuer, URI authUrl, URI tokenUrl, URI jwksUrl, Optional<URI> userinfoUrl, Optional<URI> endSessionUrl)
     {
-        private final Optional<String> accessTokenIssuer;
-        private final URI authUrl;
-        private final URI tokenUrl;
-        private final URI jwksUrl;
-        private final Optional<URI> userinfoUrl;
-
-        public OAuth2ServerConfig(Optional<String> accessTokenIssuer, URI authUrl, URI tokenUrl, URI jwksUrl, Optional<URI> userinfoUrl)
-        {
-            this.accessTokenIssuer = requireNonNull(accessTokenIssuer, "accessTokenIssuer is null");
-            this.authUrl = requireNonNull(authUrl, "authUrl is null");
-            this.tokenUrl = requireNonNull(tokenUrl, "tokenUrl is null");
-            this.jwksUrl = requireNonNull(jwksUrl, "jwksUrl is null");
-            this.userinfoUrl = requireNonNull(userinfoUrl, "userinfoUrl is null");
-        }
-
-        public Optional<String> getAccessTokenIssuer()
-        {
-            return accessTokenIssuer;
-        }
-
-        public URI getAuthUrl()
-        {
-            return authUrl;
-        }
-
-        public URI getTokenUrl()
-        {
-            return tokenUrl;
-        }
-
-        public URI getJwksUrl()
-        {
-            return jwksUrl;
-        }
-
-        public Optional<URI> getUserinfoUrl()
+        public OAuth2ServerConfig
         {
-            return userinfoUrl;
+            requireNonNull(accessTokenIssuer, "accessTokenIssuer is null");
+            requireNonNull(authUrl, "authUrl is null");
+            requireNonNull(tokenUrl, "tokenUrl is null");
+            requireNonNull(jwksUrl, "jwksUrl is null");
+            requireNonNull(userinfoUrl, "userinfoUrl is null");
+            requireNonNull(endSessionUrl, "endSessionUrl is null");
         }
     }
 }

core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Service.java

@@ -19,6 +19,7 @@
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwtParser;
 import io.trino.server.ui.OAuth2WebUiInstalled;
+import io.trino.server.ui.OAuthIdTokenCookie;
 import io.trino.server.ui.OAuthWebUiCookie;
 import jakarta.ws.rs.core.Response;
 
@@ -167,29 +168,31 @@ public Response finishOAuth2Challenge(String state, String code, URI callbackUri
             // fetch access token
             OAuth2Client.Response oauth2Response = client.getOAuth2Response(code, callbackUri, nonce);
 
+            Instant cookieExpirationTime = tokenExpiration
+                    .map(expiration -> Instant.now().plus(expiration))
+                    .orElse(oauth2Response.getExpiration());
             if (handlerState.isEmpty()) {
-                return Response
+                Response.ResponseBuilder builder = Response
                         .seeOther(URI.create(UI_LOCATION))
                         .cookie(
-                                OAuthWebUiCookie.create(
-                                        tokenPairSerializer.serialize(
-                                                fromOAuth2Response(oauth2Response)),
-                                                tokenExpiration
-                                                        .map(expiration -> Instant.now().plus(expiration))
-                                                        .orElse(oauth2Response.getExpiration())),
-                                NonceCookie.delete())
-                        .build();
+                                OAuthWebUiCookie.create(tokenPairSerializer.serialize(fromOAuth2Response(oauth2Response)), cookieExpirationTime),
+                                NonceCookie.delete());
+                if (oauth2Response.getIdToken().isPresent()) {
+                    builder.cookie(OAuthIdTokenCookie.create(oauth2Response.getIdToken().get(), cookieExpirationTime));
+                }
+                return builder.build();
             }
 
             tokenHandler.setAccessToken(handlerState.get(), tokenPairSerializer.serialize(fromOAuth2Response(oauth2Response)));
 
             Response.ResponseBuilder builder = Response.ok(getSuccessHtml());
             if (webUiOAuthEnabled) {
                 builder.cookie(
-                        OAuthWebUiCookie.create(
-                                tokenPairSerializer.serialize(fromOAuth2Response(oauth2Response)),
-                                tokenExpiration.map(expiration -> Instant.now().plus(expiration))
-                                        .orElse(oauth2Response.getExpiration())));
+                        OAuthWebUiCookie.create(tokenPairSerializer.serialize(fromOAuth2Response(oauth2Response)), cookieExpirationTime));
+
+                if (oauth2Response.getIdToken().isPresent()) {
+                    builder.cookie(OAuthIdTokenCookie.create(oauth2Response.getIdToken().get(), cookieExpirationTime));
+                }
             }
             return builder.cookie(NonceCookie.delete()).build();
         }

core/trino-main/src/main/java/io/trino/server/security/oauth2/OidcDiscovery.java

@@ -37,6 +37,7 @@
 import static io.airlift.http.client.HttpStatus.TOO_MANY_REQUESTS;
 import static io.trino.server.security.oauth2.StaticOAuth2ServerConfiguration.ACCESS_TOKEN_ISSUER;
 import static io.trino.server.security.oauth2.StaticOAuth2ServerConfiguration.AUTH_URL;
+import static io.trino.server.security.oauth2.StaticOAuth2ServerConfiguration.END_SESSION_URL;
 import static io.trino.server.security.oauth2.StaticOAuth2ServerConfiguration.JWKS_URL;
 import static io.trino.server.security.oauth2.StaticOAuth2ServerConfiguration.TOKEN_URL;
 import static io.trino.server.security.oauth2.StaticOAuth2ServerConfiguration.USERINFO_URL;
@@ -114,6 +115,7 @@ private OAuth2ServerConfig readConfiguration(String body)
             else {
                 userinfoEndpoint = Optional.empty();
             }
+            Optional<URI> endSessionEndpoint = Optional.of(getRequiredField("end_session_endpoint", metadata.getEndSessionEndpointURI(), END_SESSION_URL, Optional.empty()));
             return new OAuth2ServerConfig(
                     // AD FS server can include "access_token_issuer" field in OpenID Provider Metadata.
                     // It's not a part of the OIDC standard thus have to be handled separately.
@@ -122,7 +124,8 @@ private OAuth2ServerConfig readConfiguration(String body)
                     getRequiredField("authorization_endpoint", metadata.getAuthorizationEndpointURI(), AUTH_URL, authUrl),
                     getRequiredField("token_endpoint", metadata.getTokenEndpointURI(), TOKEN_URL, tokenUrl),
                     getRequiredField("jwks_uri", metadata.getJWKSetURI(), JWKS_URL, jwksUrl),
-                    userinfoEndpoint.map(URI::create));
+                    userinfoEndpoint.map(URI::create),
+                    endSessionEndpoint);
         }
         catch (JsonProcessingException e) {
             throw new ParseException("Invalid JSON value", e);

core/trino-main/src/main/java/io/trino/server/security/oauth2/StaticConfigurationProvider.java

@@ -30,7 +30,8 @@ public class StaticConfigurationProvider
                 URI.create(config.getAuthUrl()),
                 URI.create(config.getTokenUrl()),
                 URI.create(config.getJwksUrl()),
-                config.getUserinfoUrl().map(URI::create));
+                config.getUserinfoUrl().map(URI::create),
+                config.getEndSessionUrl().map(URI::create));
     }
 
     @Override

core/trino-main/src/main/java/io/trino/server/security/oauth2/StaticOAuth2ServerConfiguration.java

@@ -26,12 +26,14 @@ public class StaticOAuth2ServerConfiguration
     public static final String TOKEN_URL = "http-server.authentication.oauth2.token-url";
     public static final String JWKS_URL = "http-server.authentication.oauth2.jwks-url";
     public static final String USERINFO_URL = "http-server.authentication.oauth2.userinfo-url";
+    public static final String END_SESSION_URL = "http-server.authentication.oauth2.end-session-url";
 
     private Optional<String> accessTokenIssuer = Optional.empty();
     private String authUrl;
     private String tokenUrl;
     private String jwksUrl;
     private Optional<String> userinfoUrl = Optional.empty();
+    private Optional<String> endSessionUrl = Optional.empty();
 
     @NotNull
     public Optional<String> getAccessTokenIssuer()
@@ -101,4 +103,17 @@ public StaticOAuth2ServerConfiguration setUserinfoUrl(String userinfoUrl)
         this.userinfoUrl = Optional.ofNullable(userinfoUrl);
         return this;
     }
+
+    public Optional<String> getEndSessionUrl()
+    {
+        return endSessionUrl;
+    }
+
+    @Config(END_SESSION_URL)
+    @ConfigDescription("URL of the end session endpoint")
+    public StaticOAuth2ServerConfiguration setEndSessionUrl(String endSessionUrl)
+    {
+        this.endSessionUrl = Optional.ofNullable(endSessionUrl);
+        return this;
+    }
 }

core/trino-main/src/main/java/io/trino/server/ui/OAuth2WebUiAuthenticationFilter.java

@@ -45,6 +45,7 @@
 import static io.trino.server.ui.FormWebUiAuthenticationFilter.DISABLED_LOCATION;
 import static io.trino.server.ui.FormWebUiAuthenticationFilter.DISABLED_LOCATION_URI;
 import static io.trino.server.ui.FormWebUiAuthenticationFilter.TRINO_FORM_LOGIN;
+import static io.trino.server.ui.OAuthIdTokenCookie.ID_TOKEN_COOKIE;
 import static io.trino.server.ui.OAuthWebUiCookie.OAUTH2_COOKIE;
 import static jakarta.ws.rs.core.Response.Status.UNAUTHORIZED;
 import static java.util.Objects.requireNonNull;
@@ -163,9 +164,14 @@ private void redirectForNewToken(ContainerRequestContext request, String refresh
     {
         OAuth2Client.Response response = client.refreshTokens(refreshToken);
         String serializedToken = tokenPairSerializer.serialize(TokenPair.fromOAuth2Response(response));
-        request.abortWith(Response.temporaryRedirect(request.getUriInfo().getRequestUri())
-                .cookie(OAuthWebUiCookie.create(serializedToken, tokenExpiration.map(expiration -> Instant.now().plus(expiration)).orElse(response.getExpiration())))
-                .build());
+        Instant newExpirationTime = tokenExpiration.map(expiration -> Instant.now().plus(expiration)).orElse(response.getExpiration());
+        Response.ResponseBuilder builder = Response.temporaryRedirect(request.getUriInfo().getRequestUri())
+                .cookie(OAuthWebUiCookie.create(serializedToken, newExpirationTime));
+
+        OAuthIdTokenCookie.read(request.getCookies().get(ID_TOKEN_COOKIE))
+                .ifPresent(idToken -> builder.cookie(OAuthIdTokenCookie.create(idToken, newExpirationTime)));
+
+        request.abortWith(builder.build());
     }
 
     private void handleAuthenticationFailure(ContainerRequestContext request)

core/trino-main/src/main/java/io/trino/server/ui/OAuth2WebUiLogoutResource.java

@@ -14,32 +14,63 @@
 package io.trino.server.ui;
 
 import com.google.common.io.Resources;
+import com.google.inject.Inject;
 import io.trino.server.security.ResourceSecurity;
+import io.trino.server.security.oauth2.OAuth2Client;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.HttpHeaders;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.SecurityContext;
+import jakarta.ws.rs.core.UriBuilder;
 import jakarta.ws.rs.core.UriInfo;
 
 import java.io.IOException;
+import java.net.URI;
+import java.util.Optional;
 
+import static io.trino.server.security.ResourceSecurity.AccessType.PUBLIC;
 import static io.trino.server.security.ResourceSecurity.AccessType.WEB_UI;
 import static io.trino.server.ui.FormWebUiAuthenticationFilter.UI_LOGOUT;
+import static io.trino.server.ui.OAuthIdTokenCookie.ID_TOKEN_COOKIE;
 import static io.trino.server.ui.OAuthWebUiCookie.delete;
 import static java.nio.charset.StandardCharsets.UTF_8;
+import static java.util.Objects.requireNonNull;
 
 @Path(UI_LOGOUT)
 public class OAuth2WebUiLogoutResource
 {
+    private final OAuth2Client auth2Client;
+
+    @Inject
+    public OAuth2WebUiLogoutResource(OAuth2Client auth2Client)
+    {
+        this.auth2Client = requireNonNull(auth2Client, "auth2Client is null");
+    }
+
     @ResourceSecurity(WEB_UI)
     @GET
     public Response logout(@Context HttpHeaders httpHeaders, @Context UriInfo uriInfo, @Context SecurityContext securityContext)
             throws IOException
+    {
+        Optional<String> idToken = OAuthIdTokenCookie.read(httpHeaders.getCookies().get(ID_TOKEN_COOKIE));
+        URI callBackUri = UriBuilder.fromUri(uriInfo.getAbsolutePath())
+                .path("logout.html")
+                .build();
+
+        return Response.seeOther(auth2Client.getLogoutEndpoint(idToken, callBackUri).orElse(callBackUri))
+                .cookie(delete(), OAuthIdTokenCookie.delete())
+                .build();
+    }
+
+    @ResourceSecurity(PUBLIC)
+    @GET
+    @Path("/logout.html")
+    public Response logoutPage(@Context HttpHeaders httpHeaders, @Context UriInfo uriInfo, @Context SecurityContext securityContext)
+            throws IOException
     {
         return Response.ok(Resources.toString(Resources.getResource(getClass(), "/oauth2/logout.html"), UTF_8))
-                .cookie(delete())
                 .build();
     }
 }