core/authenticate: redirect to /.pomerium/signed_out when no signout redirect url is defined (#5060)

authenticate/handlers.go

@@ -237,6 +237,11 @@ func (a *Authenticate) signOutRedirect(w http.ResponseWriter, r *http.Request) e
 		log.Warn(r.Context()).Err(err).Msg("authenticate: failed to get sign out url for authenticator")
 	}
 
+	// if the authenticator failed to sign out, and no sign out url is defined, just go to the signed out page
+	if signOutURL == "" {
+		signOutURL = authenticateSignedOutURL
+	}
+
 	httputil.Redirect(w, r, signOutURL, http.StatusFound)
 	return nil
 }

authenticate/handlers_test.go

@@ -132,6 +132,7 @@ func TestAuthenticate_SignOut(t *testing.T) {
 		sessionStore sessions.SessionStore
 		wantCode     int
 		wantBody     string
+		wantLocation string
 	}{
 		{
 			"good post",
@@ -145,6 +146,7 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			&mstore.Store{Encrypted: true, Session: &sessions.State{}},
 			http.StatusFound,
 			"",
+			"https://corp.pomerium.io/",
 		},
 		{
 			"signout redirect url",
@@ -158,6 +160,21 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			&mstore.Store{Encrypted: true, Session: &sessions.State{}},
 			http.StatusFound,
 			"",
+			"https://signout-redirect-url.example.com",
+		},
+		{
+			"empty redirect url",
+			http.MethodPost,
+			nil,
+			"",
+			"",
+			"sig",
+			"ts",
+			identity.MockProvider{SignOutError: oidc.ErrSignoutNotImplemented},
+			&mstore.Store{Encrypted: true, Session: &sessions.State{}},
+			http.StatusFound,
+			"",
+			"https://authenticate.pomerium.app/.pomerium/signed_out",
 		},
 		{
 			"failed revoke",
@@ -171,6 +188,7 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			&mstore.Store{Encrypted: true, Session: &sessions.State{}},
 			http.StatusFound,
 			"",
+			"https://corp.pomerium.io/",
 		},
 		{
 			"load session error",
@@ -184,6 +202,7 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			&mstore.Store{Encrypted: true, Session: &sessions.State{}},
 			http.StatusFound,
 			"",
+			"https://corp.pomerium.io/",
 		},
 		{
 			"bad redirect uri",
@@ -197,6 +216,7 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			&mstore.Store{Encrypted: true, Session: &sessions.State{}},
 			http.StatusFound,
 			"",
+			"/corp.pomerium.io/",
 		},
 	}
 	for _, tt := range tests {
@@ -224,7 +244,9 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			params, _ := url.ParseQuery(u.RawQuery)
 			params.Add("sig", tt.sig)
 			params.Add("ts", tt.ts)
+			if tt.redirectURL != "" {
 				params.Add(urlutil.QueryRedirectURI, tt.redirectURL)
+			}
 			u.RawQuery = params.Encode()
 			r := httptest.NewRequest(tt.method, u.String(), nil)
 			state, err := tt.sessionStore.LoadSession(r)
@@ -245,10 +267,8 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			if diff := cmp.Diff(body, tt.wantBody); diff != "" {
 				t.Errorf("handler returned wrong body Body: %s", diff)
 			}
-			if tt.signoutRedirectURL != "" {
 			loc := w.Header().Get("Location")
-				assert.Contains(t, loc, tt.signoutRedirectURL)
+			assert.Equal(t, tt.wantLocation, loc)
-			}
 		})
 	}
 }