From a8de5b5dfaffa781b8ed3e58dbfa4ab157eadd0f Mon Sep 17 00:00:00 2001
From: "A. Jard"
Date: Fri, 27 Sep 2024 14:05:42 +0200
Subject: [PATCH] [backend] Add remote logout_remote value to openId options (#7766)
---
 opencti-platform/opencti-graphql/src/config/providers.js | 3 ++-
 opencti-platform/opencti-graphql/src/http/httpPlatform.js | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/opencti-platform/opencti-graphql/src/config/providers.js b/opencti-platform/opencti-graphql/src/config/providers.js
index 659e1cf3d7e0..aa323b604ec0 100644
--- a/opencti-platform/opencti-graphql/src/config/providers.js
+++ b/opencti-platform/opencti-graphql/src/config/providers.js
@@ -317,7 +317,7 @@ for (let i = 0; i < providerKeys.length; i += 1) {
 }
 // endregion
 const openIdScope = R.uniq(openIdScopes).join(' ');
- const options = { client, passReqToCallback: true, params: { scope: openIdScope } };
+ const options = { logout_remote: mappedConfig.logout_remote, client, passReqToCallback: true, params: { scope: openIdScope } };
 const debugCallback = (message, meta) => logApp.info(message, meta);
 const openIDStrategy = new OpenIDStrategy(options, debugCallback, (_, tokenset, userinfo, done) => {
 logApp.info('[OPENID] Successfully logged', { userinfo });
@@ -386,6 +386,7 @@ for (let i = 0; i < providerKeys.length; i += 1) {
 openIDStrategy.logout = (_, callback) => {
 const isSpecificUri = isNotEmptyField(config.logout_callback_url);
 const endpointUri = issuer.end_session_endpoint ? issuer.end_session_endpoint : `${config.issuer}/oidc/logout`;
+ logApp.debug(`[OPENID] logout configuration, isSpecificUri:${isSpecificUri}, issuer.end_session_endpoint:${issuer.end_session_endpoint}, final endpointUri: ${endpointUri}`);
 if (isSpecificUri) {
 const logoutUri = `${endpointUri}?post_logout_redirect_uri=${config.logout_callback_url}`;
 callback(null, logoutUri);
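Review bot: `logout_remote` is copied untyped on the new `options` line of the first providers.js hunk, while the consumer in httpPlatform.js tests `strategy.logout_remote === true`. If `mappedConfig` does not coerce the value, a string `'true'` (for example from an environment variable) fails that check and the IdP session stays open after local logout, with nothing reported. Normalising here makes the behaviour explicit: `logout_remote: mappedConfig.logout_remote === true || mappedConfig.logout_remote === 'true',`. How the option ends up on `strategy.logout_remote` is outside the hunk, so confirm that the strategy instance actually exposes it.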
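Review bot: In the `openIDStrategy.logout` hunk of providers.js, `config.logout_callback_url` is interpolated into the query string unencoded on the `logoutUri` line. A callback URL containing `?`, `&` or `#` would reach the IdP truncated or split into extra parameters, and an `end_session_endpoint` that already carries a query would get a second `?`. Encoding the value keeps the redirect target exactly as configured: `post_logout_redirect_uri=${encodeURIComponent(config.logout_callback_url)}`, or build the URI with `new URL(endpointUri)` and `searchParams.set`. That line is unchanged context, and the function body continues past the hunk, so the branch taken when no callback URL is set is not visible here.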
diff --git a/opencti-platform/opencti-graphql/src/http/httpPlatform.js b/opencti-platform/opencti-graphql/src/http/httpPlatform.js
index b102fb6bacd1..f77021e7bab4 100644
--- a/opencti-platform/opencti-graphql/src/http/httpPlatform.js
+++ b/opencti-platform/opencti-graphql/src/http/httpPlatform.js
@@ -361,6 +361,7 @@ const createApp = async (app) => {
 const strategy = passport._strategy(provider);
 if (strategy) {
 if (strategy.logout_remote === true && strategy.logout) {
+ logApp.debug('Logout: requesting remote logout using authentication strategy parameters.');
 req.user = user; // Needed for passport
 strategy.logout(req, (error, request) => {
 if (error) {
@@ -371,6 +372,7 @@ const createApp = async (app) => {
 }
 });
 } else {
+ logApp.debug('Logout: OpenCTI logout only, remote logout on IDP not requested.');
 res.redirect(referer);
 }
 } else {
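Review bot: The message added in the second httpPlatform.js hunk says remote logout was "not requested", but this branch appears to be the `else` of `strategy.logout_remote === true && strategy.logout`. If so, it is also reached when `logout_remote` is set but is not the boolean `true`, or when the strategy has no `logout` function. Logging the inputs makes a skipped IdP logout diagnosable, assuming `logApp.debug` accepts a meta argument as `logApp.info(message, meta)` does in providers.js: `logApp.debug('Logout: OpenCTI logout only, remote logout on IDP skipped.', { logout_remote: strategy.logout_remote, hasLogout: typeof strategy.logout === 'function' });`. `referer` is defined outside the hunk; if it is derived from the request's Referer header, confirm it is reduced to a same-origin path before `res.redirect(referer)`. The opening `if` sits in the previous hunk and the lines between the two hunks are not shown.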