Sign out idp_client_id per route #4613

Open
dennissetiawan opened this issue Oct 2, 2023 · 2 comments
Labels
bug Something isn't working NeedsProposal

Comments

@dennissetiawan

What happened?

Related to this PR, I used auth0 as the IdP, and we need to pass a different client_id for each route if we want different applications to go to different sign-out redirect URLs. Right now Pomerium only gets the global idp_client_id and does not get the idp_client_id per route.

logoutQuery := url.Values{
    "client_id": {oa.ClientID},
}

What did you expect to happen?

The route idp_client_id config can override the global idp_client_id

What's your config.yaml?

authenticate_service_url: https://pom-auth.benchandra.dev
  #authenticate_service_url: https://authenticate.pomerium.app
routes:
  - from: 'https://test-1.dev'
    to: 'https://httpbin.org/get'
    allow_any_authenticated_user: true
    cors_allow_preflight: true
    idp_client_id: 'CLIENT_ID_1' # from the web application
    idp_client_secret: 'aaaaaaaaa' # from the web application
    set_request_headers:
      x-pomerium-idp-id-token: ${pomerium.id_token}
      x-pomerium-idp-access-token: ${pomerium.access_token}
      x-pomerium-client-cert-fingerprint: ${pomerium.client_cert_fingerprint}
    pass_identity_headers: true
  - from: 'https://test-2.dev'
    to: 'https://httpbin.org/get'
    idp_client_id: 'CLIENT_ID_2' # from the web application
    idp_client_secret: 'xxxxxx' # from the web application
    allow_any_authenticated_user: true
    cors_allow_preflight: true
    set_request_headers:
      x-pomerium-idp-id-token: ${pomerium.id_token}
      x-pomerium-idp-access-token: ${pomerium.access_token}
      x-pomerium-client-cert-fingerprint: ${pomerium.client_cert_fingerprint}
    pass_identity_headers: true 

@desimone desimone added bug Something isn't working NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Oct 10, 2023
@kenjenkins
Contributor

It looks like the authenticate service /sign_out endpoint will check for the URL query parameter pomerium_idp_id to determine which IdP client credentials to use.

However it looks like the proxy service does not populate this query parameter when constructing a sign-out redirect URL:

dashboardURL := state.authenticateDashboardURL.ResolveReference(&url.URL{
    Path: "/.pomerium/sign_out",
})
q := dashboardURL.Query()
if redirectURL != nil {
    q.Set(urlutil.QueryRedirectURI, redirectURL.String())
}
dashboardURL.RawQuery = q.Encode()
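The two halves of the flow described above, written as an added example that is not Pomerium's own code: a proxy-side builder that carries pomerium_idp_id on the sign-out redirect, and an authenticate-side selector that resolves the IdP client from that parameter instead of always using the global one. The idpClient type, the per-route map, and the literal query names ("pomerium_redirect_uri" is assumed to be the value of urlutil.QueryRedirectURI) are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// idpClient is a constructed stand-in for a route's IdP client configuration
// (hypothetical shape, not Pomerium's internal types).
type idpClient struct {
	ID       string // value carried in the pomerium_idp_id query parameter
	ClientID string // OAuth2 client_id registered at the IdP (e.g. CLIENT_ID_1)
}

// buildSignOutURL mirrors the proxy-side redirect construction, but also
// attaches pomerium_idp_id so the authenticate service can identify which
// route's IdP client the sign-out belongs to.
func buildSignOutURL(authenticateURL *url.URL, idpID string, redirectURL *url.URL) *url.URL {
	dashboardURL := authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/sign_out"})
	q := dashboardURL.Query()
	if redirectURL != nil {
		q.Set("pomerium_redirect_uri", redirectURL.String()) // assumed constant value
	}
	if idpID != "" {
		q.Set("pomerium_idp_id", idpID)
	}
	dashboardURL.RawQuery = q.Encode()
	return dashboardURL
}

// selectIdPClient is the authenticate-side counterpart: pick the per-route
// client named by pomerium_idp_id, fall back to the global client only when
// the parameter is absent, and refuse unknown ids rather than guessing.
func selectIdPClient(signOutURL *url.URL, global idpClient, perRoute map[string]idpClient) (idpClient, error) {
	id := signOutURL.Query().Get("pomerium_idp_id")
	if id == "" {
		return global, nil
	}
	c, ok := perRoute[id]
	if !ok {
		return idpClient{}, errors.New("unknown pomerium_idp_id: " + id)
	}
	return c, nil
}

func main() {
	auth, _ := url.Parse("https://pom-auth.benchandra.dev")
	redir, _ := url.Parse("https://test-1.dev/")
	fmt.Println(buildSignOutURL(auth, "idp-1", redir)) // shows both query parameters
}
```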

@kenjenkins kenjenkins self-assigned this Dec 16, 2023
@kenjenkins
Contributor

I think there's a more fundamental problem with the authenticate service sign-out flow: if I understand correctly the authenticate service stores only the single most recent Pomerium session token in its _pomerium_authenticate cookie. If a user attempts to sign out from a route with a different active session, I think the authenticate service may revoke the wrong OAuth2 token.

As an example, say we have an A route (a.example.com) and a B route (b.example.com), and we also have an IdP client A for the A route and an IdP client B for the B route. In the following scenario:

  1. User navigates to a.example.com and signs in there. (Call this session 1.)
  2. User then navigates to b.example.com. The user's session from the A route was for a different IdP client, so the user again needs to sign in. (Call this session 2.)
  3. Now if the user navigates to a.example.com/.pomerium/sign-out, after redirecting to the authenticate service, the authenticate service will revoke the OAuth2 token from session 2, rather than from session 1.

@kenjenkins kenjenkins added NeedsProposal and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Jan 10, 2024
@kenjenkins kenjenkins removed their assignment Jan 10, 2024