fix: use default redirect uri when not passed on end_session endpoint (#4054)

* fix: use default redirect uri when not passed on end_session endpoint

* instance state

docs/docs/apis/openidoauth/endpoints.md

@@ -323,7 +323,7 @@ Send a `client_assertion` as JWT for us to validate the signature against the re
 
 {your_domain}/oauth/v2/introspect
 
-This endpoint enables client to validate an `acccess_token`, either opaque or JWT. Unlike client side JWT validation,
+This endpoint enables clients to validate an `acccess_token`, either opaque or JWT. Unlike client side JWT validation,
 this endpoint will check if the token is not revoked (by client or logout).
 
 | Parameter | Description     |
@@ -499,9 +499,21 @@ curl --request POST \
 
 ## end_session_endpoint
 
-{your_domain}/oidc/v1/endsession
+{your_domain}/oidc/v1/end_session
 
-> The end_session_endpoint is located with the login page, due to the need of accessing the same cookie domain
+The endpoint has to be opened in the user agent (browser) to terminate the user sessions.
+
+No parameters are needed apart from the user agent cookie, but you can provide the following to customize the behaviour: 
+
+| Parameter                | Description                                                                                                                      |
+|--------------------------|----------------------------------------------------------------------------------------------------------------------------------|
+| id_token_hint            | the id_token that was previously issued to the client                                                                            |
+| client_id                | client_id of the application                                                                                                     |
+| post_logout_redirect_uri | Callback uri of the logout where the user (agent) will be redirected to. Must match exactly one of the preregistered in Console. |
+| state                    | Opaque value used to maintain state between the request and the callback                                                         |
+
+The `post_logout_redirect_uri` will be checked against the previously registered uris of the client provided by the `azp` claim of the `id_token_hint` or the `client_id` parameter.
+If both parameters are provided, they must be equal.
 
 ## jwks_uri
 

go.mod

@@ -48,7 +48,7 @@ require (
 	github.com/superseriousbusiness/exifremove v0.0.0-20210330092427-6acd27eac203
 	github.com/ttacon/libphonenumber v1.2.1
 	github.com/zitadel/logging v0.3.4
-	github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.4
+	github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.5
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.27.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.27.0
 	go.opentelemetry.io/otel v1.2.0

go.sum

@@ -865,8 +865,8 @@ github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 github.com/zitadel/logging v0.3.4 h1:9hZsTjMMTE3X2LUi0xcF9Q9EdLo+FAezeu52ireBbHM=
 github.com/zitadel/logging v0.3.4/go.mod h1:aPpLQhE+v6ocNK0TWrBrd363hZ95KcI17Q1ixAQwZF0=
-github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.4 h1:llGVhiHOuI2SXF6yR9s5podxe8n7Md0lpo/9cr37AkU=
-github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.4/go.mod h1:uoJw5Xc6HXfnQbNZiLbld9dED0/8UMu0M4gOipTRZBA=
+github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.5 h1:dP+6SheVtpF4T/oql6mJoqou8jlW3J/9NCTYnEpKgpM=
+github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.5/go.mod h1:uoJw5Xc6HXfnQbNZiLbld9dED0/8UMu0M4gOipTRZBA=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=

internal/api/grpc/instance/converter.go

@@ -28,6 +28,7 @@ func InstanceToPb(instance *query.Instance) *instance_pb.Instance {
 		Name:    instance.Name,
 		Domains: DomainsToPb(instance.Domains),
 		Version: build.Version(),
+		State:   instance_pb.State_STATE_RUNNING, //TODO: change when delete is implemented
 	}
 }
 
@@ -43,6 +44,7 @@ func InstanceDetailToPb(instance *query.Instance) *instance_pb.InstanceDetail {
 		Name:    instance.Name,
 		Domains: DomainsToPb(instance.Domains),
 		Version: build.Version(),
+		State:   instance_pb.State_STATE_RUNNING, //TODO: change when delete is implemented
 	}
 }
 

internal/api/oidc/auth_request.go

@@ -143,12 +143,12 @@ func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID strin
 	defer func() { span.EndWithError(err) }()
 	userAgentID, ok := middleware.UserAgentIDFromCtx(ctx)
 	if !ok {
-		logging.Log("OIDC-aGh4q").Error("no user agent id")
+		logging.Error("no user agent id")
 		return errors.ThrowPreconditionFailed(nil, "OIDC-fso7F", "no user agent id")
 	}
 	userIDs, err := o.repo.UserSessionUserIDsByAgentID(ctx, userAgentID)
 	if err != nil {
-		logging.Log("OIDC-Ghgr3").WithError(err).Error("error retrieving user sessions")
+		logging.WithError(err).Error("error retrieving user sessions")
 		return err
 	}
 	if len(userIDs) == 0 {
@@ -158,7 +158,7 @@ func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID strin
 		UserID: userID,
 	}
 	err = o.command.HumansSignOut(authz.SetCtxData(ctx, data), userAgentID, userIDs)
-	logging.Log("OIDC-Dggt2").OnError(err).Error("error signing out")
+	logging.OnError(err).Error("error signing out")
 	return err
 }
 

internal/api/ui/login/static/templates/logout_done.html

@@ -10,7 +10,7 @@
 
     <div class="lgn-actions">
         <span class="fill-space"></span>
-        <button class="primary right" type="submit">{{t "LogoutDone.LoginButtonText"}}</button>
+        <button class="lgn-raised-button lgn-primary right" type="submit">{{t "LogoutDone.LoginButtonText"}}</button>
     </div>
 </form>