authorJan-Hendrik Willms <tleilax+studip@gmail.com>2026-02-10 13:30:29 +0100
committerJan-Hendrik Willms <tleilax+studip@gmail.com>2026-02-10 13:30:29 +0100
commit85aeda74a7a5761c30bb16cdf84199689b934b7f (patch)
tree7b1defcc4b5be2a2f4c137b3e20070dd5b86aa2b /lib
parente08d2d6e3f0c646d93ae39203962dfc7da512294 (diff)
store auth plugin name and additional values in session, implement for oidc and enable post logout redirect uri, fixes #5680
Closes #5680 Merge request studip/studip!4310
Diffstat (limited to 'lib')
-rw-r--r--lib/authentication/Manager.php29
-rw-r--r--lib/classes/auth_plugins/StudipAuthAbstract.php34
-rw-r--r--lib/classes/auth_plugins/StudipAuthOIDC.php17
3 files changed, 73 insertions, 7 deletions
diff --git a/lib/authentication/Manager.php b/lib/authentication/Manager.php
index 4267de4..3514afe 100644
--- a/lib/authentication/Manager.php
+++ b/lib/authentication/Manager.php
@@ -52,7 +52,6 @@ class Manager
$this->nobody = $allow_nobody;
}
-
public function start(): bool
{
$this->auth =& $_SESSION['auth'];
@@ -81,7 +80,7 @@ class Manager
}
Metrics::increment('core.sso_login.succeeded');
- $this->setAuthenticatedUser($user);
+ $this->setAuthenticatedUser($user, $authplugin->getKeptVariables());
sess()->regenerateId(self::DEFAULT_KEPT_SESSION_VARIABLES);
} else {
PageLayout::postMessage(
@@ -122,7 +121,7 @@ class Manager
//check if the user got kicked meanwhile, or if user is locked out
$user = null;
- if (!empty($this->auth['uid']) && $this->auth['uid'] != 'nobody') {
+ if (!empty($this->auth['uid']) && $this->auth['uid'] !== 'nobody') {
if (isset($GLOBALS['user']) && $GLOBALS['user']->id === $this->auth['uid']) {
$user = User::findCurrent();
} else {
@@ -141,10 +140,21 @@ class Manager
return $this->auth['uid'] ?? false;
}
- public function setAuthenticatedUser(User $user): void
+ /**
+ * Sets the authenticated user and initializes global user and permission
+ * objects.
+ *
+ * @param User $user The user object representing the authenticated user.
+ * @param array $additional Additional key-value data to store in the authentication context.
+ */
+ public function setAuthenticatedUser(User $user, array $additional = []): void
{
$this->auth['uid'] = $user->id;
+ foreach ($additional as $key => $value) {
+ $this->auth[$key] = $value;
+ }
+
$GLOBALS['user'] = new Seminar_User($user);
$GLOBALS['perm'] = new Seminar_Perm();
}
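Review bot: The `foreach` over `$additional` in setAuthenticatedUser() runs after `$this->auth['uid'] = $user->id;`, so a plugin whose getKeptVariables() returns a `uid` key (or any other key the auth context already uses) silently overwrites the identity that was just set. The array comes from auth plugins rather than from request data, but the session's user id should not depend on every plugin getting this right. Either drop reserved keys first, `unset($additional['uid']);`, or move the `uid` assignment below the loop so it always wins. The docblock could also name the keys that are reserved.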
@@ -179,4 +189,15 @@ class Manager
->setBodyText($mailbody ?? '')
->send();
}
+
+ /**
+ * Retrieves a session variable from the authentication context by its name.
+ *
+ * @param string $name The name of the session variable to retrieve
+ * @return mixed The value of the session variable, or null if it does not exist.
+ */
+ public function getSessionVariable(string $name): mixed
+ {
+ return $this->auth[$name] ?? null;
+ }
}
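Review bot: getSessionVariable() hands out any key of the auth context, which after this commit can include the raw OIDC `id_token`, and the docblock does not mention that. I would add a sentence such as `Values may be credentials (e.g. the OIDC id_token); do not log them or render them into pages.` so callers treat the return value accordingly.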
diff --git a/lib/classes/auth_plugins/StudipAuthAbstract.php b/lib/classes/auth_plugins/StudipAuthAbstract.php
index c4f9c73..4859ae6 100644
--- a/lib/classes/auth_plugins/StudipAuthAbstract.php
+++ b/lib/classes/auth_plugins/StudipAuthAbstract.php
@@ -108,6 +108,8 @@ class StudipAuthAbstract
private $config_data = [];
+ private array $kept_variables = [];
+
/**
* static method to instantiate and retrieve a reference to an object (singleton)
*
@@ -327,12 +329,22 @@ class StudipAuthAbstract
//get configuration array set in local inc
if (empty($config)) {
$this->plugin_name = strtolower(substr(get_class($this), 10));
- $config = $GLOBALS['STUDIP_AUTH_CONFIG_' . strtoupper($this->plugin_name)];
+ $config = $GLOBALS['STUDIP_AUTH_CONFIG_' . strtoupper($this->plugin_name)] ?? [];
}
//assign each key in the config array as a member of the plugin object
foreach ($config as $key => $value) {
$this->$key = $value;
}
+
+ // Store variables in this instance
+ // This is needed for the logout where we cannot obtain these variables
+ // from the session since it is destroyed before the auth's logout is
+ // called
+ $this->kept_variables = array_diff_key(
+ $_SESSION['auth'] ?? [],
+ $this->getKeptVariables()
+
+ );
}
/**
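Review bot: The snapshot into `$this->kept_variables` copies every key of `$_SESSION['auth']` except `auth_plugin` into each plugin instance, without checking that the session was created by this plugin. Assuming this code is the constructor (the enclosing function starts outside the hunk), every instantiated plugin then holds the `uid` and, for OIDC sessions, the `id_token` of the current session. I would restrict it to the owning plugin: `$auth = $_SESSION['auth'] ?? [];` followed by `$this->kept_variables = ($auth['auth_plugin'] ?? null) === $this->plugin_name ? $auth : [];`. Calling the overridable getKeptVariables() here also makes StudipAuthOIDC call getClient() while the object is still being set up, which deserves a comment if it is intended; the stray blank line before `);` can go.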
@@ -592,4 +604,24 @@ class StudipAuthAbstract
{
unset($this->config_data[$offset]);
}
+
+ /**
+ * This method returns an associative array containing specific
+ * variables relevant to the current instance.
+ */
+ public function getKeptVariables(): array
+ {
+ return [
+ 'auth_plugin' => $this->plugin_name,
+ ];
+ }
+
+ /**
+ * Returns a variable that was previously kept. Returns null if no content
+ * could be found.
+ */
+ public function getKeptVariable(string $key): mixed
+ {
+ return $this->kept_variables[$key] ?? null;
+ }
}
diff --git a/lib/classes/auth_plugins/StudipAuthOIDC.php b/lib/classes/auth_plugins/StudipAuthOIDC.php
index 153bd43..e2b9723 100644
--- a/lib/classes/auth_plugins/StudipAuthOIDC.php
+++ b/lib/classes/auth_plugins/StudipAuthOIDC.php
@@ -36,6 +36,8 @@ class StudipAuthOIDC extends StudipAuthSSO
public ?string $redirect_uri = null;
+ public ?string $logout_redirect_uri = null;
+
/**
* @var string[]
*/
@@ -132,8 +134,19 @@ class StudipAuthOIDC extends StudipAuthSSO
public function logout(): void
{
$this->getClient()->signOut(
- $this->getClient()->getIdToken(),
- null
+ $this->getKeptVariable('id_token') ?? '',
+ $this->logout_redirect_uri
);
}
+
+ public function getKeptVariables(): array
+ {
+ $variables = parent::getKeptVariables();
+
+ if ($this->getClient()->getIdToken()) {
+ $variables['id_token'] = $this->getClient()->getIdToken();
+ }
+
+ return $variables;
+ }
}
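Review bot: In logout(), `$this->getKeptVariable('id_token') ?? ''` sends an empty ID token hint together with `logout_redirect_uri` whenever no token was kept, for example for sessions created before this change. How the client and the provider treat an empty hint is not visible here, but a post-logout redirect without a valid hint is something providers may refuse or answer with a confirmation page. I would make the case explicit: `$id_token = $this->getKeptVariable('id_token');` and pass `$id_token !== null ? $this->logout_redirect_uri : null` as the second argument. getKeptVariables() also calls `getIdToken()` twice; a local variable would read better. The new `logout_redirect_uri` property has no docblock saying that it presumably has to match a post-logout URI registered with the provider.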