resolve comments

Signed-off-by: wang yan <[email protected]>

Author: wy65701436

api/v2.0/swagger.yaml

@@ -9061,9 +9061,6 @@ definitions:
       oidc_logout:
         $ref: '#/definitions/BoolConfigItem'
         description: Extra parameters to logout user session from the OIDC provider
-      oidc_logout_offline:
-        $ref: '#/definitions/BoolConfigItem'
-        description: Extra parameters to logout user offline session from the OIDC provider
       robot_token_duration:
         $ref: '#/definitions/IntegerConfigItem'
         description: The robot account token duration in days
@@ -9343,11 +9340,6 @@ definitions:
         description: Logout OIDC user session
         x-omitempty: true
         x-isnullable: true
-      oidc_logout_offline:
-        type: boolean
-        description: Logout OIDC user offline session
-        x-omitempty: true
-        x-isnullable: true
       robot_token_duration:
         type: integer
         description: The robot account token duration in days

src/common/const.go

@@ -120,7 +120,6 @@ const (
 	OIDCScope                        = "oidc_scope"
 	OIDCUserClaim                    = "oidc_user_claim"
 	OIDCLogout                       = "oidc_logout"
-	OIDCLogoutOffline                = "oidc_logout_offline"
 
 	CfgDriverDB                       = "db"
 	NewHarborAdminName                = "[email protected]"

src/core/controllers/base.go

@@ -121,10 +121,11 @@ func (cc *CommonController) LogOut() {
 		if redirectForOIDC(cc.Ctx.Request.Context(), principal) {
 			u, err := user.Ctl.GetByName(cc.Context(), principal)
 			if err != nil {
-				log.Errorf("Failed to get user by name: %s, error: %v", principal, err)
+				log.Errorf("Error fetching user by name: %s, error: %v", principal, err)
 				cc.CustomAbort(http.StatusInternalServerError, "Internal error.")
 			}
 			if u == nil {
+				log.Errorf("User not found: %s, empty result", principal)
 				cc.CustomAbort(http.StatusInternalServerError, "Internal error.")
 			}
 			if u.UserID != 1 {

src/core/controllers/oidc.go

@@ -288,33 +288,20 @@ func (oc *OIDCController) RedirectLogout() {
 		oc.SendInternalServerError(err)
 		return
 	}
-	if oidcSettings.LogoutOffline && token.RefreshToken != "" {
+	if token.RefreshToken != "" {
 		sessionType, err := getSessionType(token.RefreshToken)
 		if err == nil {
-			// If the session is offline, revoke the refresh token
-			if strings.ToLower(sessionType) == "offline" {
-				if oidc.EndpointsClaims.RevokeURL != "" {
-					if err := revokeOIDCRefreshToken(oidc.EndpointsClaims.RevokeURL, token.RefreshToken, oidcSettings.ClientID, oidcSettings.ClientSecret); err != nil {
-						log.Errorf("Failed to revoke the offline session: %v", err)
-						oc.SendInternalServerError(err)
-						return
-					}
-				} else {
-					log.Warning("Unable to logout OIDC offline session since the 'revoke_endpoint' is not set.")
+			// If the session is offline, try best to revoke the refresh token.
+			if strings.ToLower(sessionType) == "offline" && oidc.EndpointsClaims.RevokeURL != "" {
+				if err := revokeOIDCRefreshToken(oidc.EndpointsClaims.RevokeURL, token.RefreshToken, oidcSettings.ClientID, oidcSettings.ClientSecret); err != nil {
+					log.Warningf("Failed to revoke the offline session: %v", err)
 				}
 			}
-		} else {
-			log.Warningf("Invalid refresh token for offline session: %s, error: %v", token.RefreshToken, err)
 		}
 	}
-
 	if token.RawIDToken == "" {
 		log.Warning("Empty ID token for offline session.")
-		oc.Controller.Redirect(".", http.StatusFound)
-		return
-	}
-	if _, err := oidc.VerifyToken(ctx, token.RawIDToken); err != nil {
-		oc.SendInternalServerError(err)
+		oc.Controller.Redirect("/", http.StatusFound)
 		return
 	}
 	if oidc.EndpointsClaims.EndSessionURL == "" {
@@ -329,7 +316,7 @@ func (oc *OIDCController) RedirectLogout() {
 		oc.SendInternalServerError(err)
 		return
 	}
-	postLogoutRedirectURI := fmt.Sprintf("%s/harbor/projects", baseURL)
+	postLogoutRedirectURI := fmt.Sprintf("%s", baseURL)
 	logoutURL := fmt.Sprintf(
 		"%s?id_token_hint=%s&post_logout_redirect_uri=%s",
 		endSessionURL,
@@ -467,7 +454,7 @@ func revokeOIDCRefreshToken(revokeURL, refreshToken, clientID, clientSecret stri
 		return errors.Errorf("failed to create request: %v", err)
 	}
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-	req.Header.Set("Authorization", "Basic "+auth)
+	req.SetBasicAuth(clientID, clientSecret)
 	client := &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},

src/lib/config/metadata/metadatalist.go

@@ -148,7 +148,6 @@ var (
 		{Name: common.OIDCAutoOnboard, Scope: UserScope, Group: OIDCGroup, DefaultValue: "false", ItemType: &BoolType{}, Description: `Auto onboard the OIDC user`},
 		{Name: common.OIDCExtraRedirectParms, Scope: UserScope, Group: OIDCGroup, DefaultValue: "{}", ItemType: &StringToStringMapType{}, Description: `Extra parameters to add when redirect request to OIDC provider`},
 		{Name: common.OIDCLogout, Scope: UserScope, Group: OIDCGroup, DefaultValue: "false", ItemType: &BoolType{}, Description: `Enable OIDC logout to log out user session from the identity provider.`},
-		{Name: common.OIDCLogoutOffline, Scope: UserScope, Group: OIDCGroup, DefaultValue: "false", ItemType: &BoolType{}, Description: `Enable OIDC Offline logout to log out offline_access session from the identity provider.`},
 
 		{Name: common.WithTrivy, Scope: SystemScope, Group: BasicGroup, EnvKey: "WITH_TRIVY", DefaultValue: "false", ItemType: &BoolType{}, Editable: true},
 		// the unit of expiration is days

src/lib/config/models/model.go

@@ -45,7 +45,6 @@ type OIDCSetting struct {
 	UserClaim          string            `json:"user_claim"`
 	ExtraRedirectParms map[string]string `json:"extra_redirect_parms"`
 	Logout             bool              `json:"logout"`
-	LogoutOffline      bool              `json:"logout_offline"`
 }
 
 // QuotaSetting wraps the settings for Quota

src/lib/config/test/userconfig_test.go

@@ -247,18 +247,17 @@ y1bQusZMygQezfCuEzsewF+OpANFovCTUEs6s5vyoVNP8lk=
 
 func TestOIDCSetting(t *testing.T) {
 	m := map[string]interface{}{
-		common.OIDCName:          "test",
-		common.OIDCEndpoint:      "https://oidc.test",
-		common.OIDCVerifyCert:    "true",
-		common.OIDCAutoOnboard:   "false",
-		common.OIDCScope:         "openid, profile",
-		common.OIDCGroupsClaim:   "my_group",
-		common.OIDCUserClaim:     "username",
-		common.OIDCCLientID:      "client",
-		common.OIDCClientSecret:  "secret",
-		common.ExtEndpoint:       "https://harbor.test",
-		common.OIDCLogout:        "false",
-		common.OIDCLogoutOffline: "false",
+		common.OIDCName:         "test",
+		common.OIDCEndpoint:     "https://oidc.test",
+		common.OIDCVerifyCert:   "true",
+		common.OIDCAutoOnboard:  "false",
+		common.OIDCScope:        "openid, profile",
+		common.OIDCGroupsClaim:  "my_group",
+		common.OIDCUserClaim:    "username",
+		common.OIDCCLientID:     "client",
+		common.OIDCClientSecret: "secret",
+		common.ExtEndpoint:      "https://harbor.test",
+		common.OIDCLogout:       "false",
 	}
 	InitWithSettings(m)
 	v, e := OIDCSetting(orm.Context())
@@ -274,7 +273,6 @@ func TestOIDCSetting(t *testing.T) {
 	assert.ElementsMatch(t, []string{"openid", "profile"}, v.Scope)
 	assert.Equal(t, "username", v.UserClaim)
 	assert.False(t, v.Logout)
-	assert.False(t, v.LogoutOffline)
 }
 
 func TestSplitAndTrim(t *testing.T) {

src/lib/config/userconfig.go

@@ -178,7 +178,6 @@ func OIDCSetting(ctx context.Context) (*cfgModels.OIDCSetting, error) {
 		UserClaim:          mgr.Get(ctx, common.OIDCUserClaim).GetString(),
 		ExtraRedirectParms: mgr.Get(ctx, common.OIDCExtraRedirectParms).GetStringToStringMap(),
 		Logout:             mgr.Get(ctx, common.OIDCLogout).GetBool(),
-		LogoutOffline:      mgr.Get(ctx, common.OIDCLogoutOffline).GetBool(),
 	}, nil
 }
 

src/portal/src/app/base/left-side-nav/config/auth/config-auth.component.html

@@ -994,34 +994,6 @@
                         [(ngModel)]="currentConfig.oidc_logout.value" />
             </clr-checkbox-wrapper>
         </clr-checkbox-container>
-        <clr-checkbox-container>
-            <label for="oidcLogout"
-            >{{ 'CONFIG.OIDC.OIDC_LOGOUT_OFFLINE' | translate }}
-                <clr-tooltip>
-                    <clr-icon
-                            clrTooltipTrigger
-                            shape="info-circle"
-                            size="24"></clr-icon>
-                    <clr-tooltip-content
-                            clrPosition="top-right"
-                            clrSize="lg"
-                            *clrIfOpen>
-                        <span>{{
-                            'TOOLTIP.OIDC_LOGOUT_OFFLINE' | translate
-                            }}</span>
-                    </clr-tooltip-content>
-                </clr-tooltip>
-            </label>
-            <clr-checkbox-wrapper>
-                <input
-                        type="checkbox"
-                        clrCheckbox
-                        name="oidcLogoutOffline"
-                        id="oidcLogoutOffline"
-                        [disabled]="disabled(currentConfig.oidc_logout_offline)"
-                        [(ngModel)]="currentConfig.oidc_logout_offline.value" />
-            </clr-checkbox-wrapper>
-        </clr-checkbox-container>
         <clr-input-container>
             <label for="oidcUserClaim"
                 >{{ 'CONFIG.OIDC.USER_CLAIM' | translate }}

src/portal/src/app/base/left-side-nav/config/config.ts

@@ -106,7 +106,6 @@ export class Configuration {
     oidc_scope?: StringValueItem;
     oidc_user_claim?: StringValueItem;
     oidc_logout?: BoolValueItem;
-    oidc_logout_offline?: BoolValueItem;
     count_per_project: NumberValueItem;
     storage_per_project: NumberValueItem;
     cfg_expiration: NumberValueItem;
@@ -190,7 +189,6 @@ export class Configuration {
         this.oidc_group_filter = new StringValueItem('', true);
         this.oidc_user_claim = new StringValueItem('', true);
         this.oidc_logout = new BoolValueItem(false, true);
-        this.oidc_logout_offline = new BoolValueItem(false, true);
         this.count_per_project = new NumberValueItem(-1, true);
         this.storage_per_project = new NumberValueItem(-1, true);
         this.audit_log_forward_endpoint = new StringValueItem('', true);