<#
.SYNOPSIS
Signs out the current user by removing their authentication cookie for the given scheme.
.DESCRIPTION
Wraps SignOutAsync on the current HTTP context to remove a cookie-based session.
Designed for use inside Kestrun route script blocks where $Context and $KrServer are available;
outside a route it only emits Write-KrOutsideRouteWarning and does nothing else.

For OIDC logout, use -AuthKind 'Oidc' to sign out from both the cookie and OIDC provider.
This will redirect to the OIDC provider's logout endpoint automatically.
.PARAMETER Scheme
Name of the cookie authentication scheme to sign out from (default 'Cookies').
.PARAMETER AuthKind
Authentication kind: 'Cookies' (default), 'OAuth2', or 'Oidc'.
Use 'OAuth2' to sign out from both Cookies and OAuth2 schemes.
Use 'Oidc' to sign out from both Cookies and OIDC schemes (triggers redirect to IdP logout).
.PARAMETER Redirect
If specified, redirects the user to the login path after signing out.
If the login path is not configured, redirects to '/'.
NOTE: This is only honoured when AuthKind is 'Cookies'; for 'OAuth2' and 'Oidc' the
provider's handler manages the redirect and this switch is ignored.
.PARAMETER RedirectUri
URI to redirect to after the OAuth2/OIDC logout completes (default '/').
Only used when AuthKind is 'OAuth2' or 'Oidc'. It is passed through unvalidated (only an
empty check is made), so callers must not populate it from untrusted request input.
.PARAMETER Properties
Additional sign-out authentication properties to pass to the SignOut call.
Only used when AuthKind is 'Cookies'; the other kinds build their own AuthenticationProperties.
.PARAMETER WhatIf
Shows what would happen if the command runs. The command is not run.
.PARAMETER Confirm
Prompts you for confirmation before running the command. The command is not run unless you respond
affirmatively.
.EXAMPLE
Invoke-KrCookieSignOut # Signs out the current user from the default 'Cookies' scheme.
.EXAMPLE
Invoke-KrCookieSignOut -Scheme 'MyCookieScheme' # Signs out the current user from the specified scheme.
.EXAMPLE
Invoke-KrCookieSignOut -AuthKind 'Oidc' -RedirectUri '/' # Signs out from both Cookies and OIDC, redirects to root.
.OUTPUTS
None
#>
function Invoke-KrCookieSignOut {
    [KestrunRuntimeApi('Route')]
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Low', DefaultParameterSetName = 'SimpleIdentity')]
    [OutputType([void])]
    param(
        [Parameter()]
        [string]$Scheme = 'Cookies',

        [Parameter()]
        [ValidateSet('OAuth2', 'Oidc', 'Cookies')]
        [string]$AuthKind = 'Cookies',

        [switch]$Redirect,

        [Parameter()]
        [string]$RedirectUri = '/',

        [hashtable]$Properties
    )
    # Only works inside a route script block where $Context and $KrServer are available
    if ($null -ne $Context -and $null -ne $KrServer) {
        # ShouldProcess gates every sign-out path, so -WhatIf produces no SignOut call at all
        if ($PSCmdlet.ShouldProcess($Scheme, 'SignOut')) {

            switch ($AuthKind) {
                'OAuth2' {
                    # OAuth2 logout requires special handling
                    Write-KrLog -Level Information -Message 'Signing out from Cookie and OAuth2 ({oauth2Scheme}) schemes
                    # NOTE(review): this resolver call is logged as the *Cookie* scheme name here, but the
                    # identical call in the 'Oidc' branch is logged as the *OIDC* scheme name — confirm which
                    # scheme ResolveAuthenticationSchemeName returns and that a single SignOut is intended here.
                    $cookieSchemeName = $KrServer.RegisteredAuthentications.ResolveAuthenticationSchemeName($Scheme, $Au
                    Write-KrLog -Level Debug -Message 'Resolved Cookie scheme name: {scheme}' -Values $cookieSchemeName

                    # Sign out from Cookie
                    # RedirectUri is forwarded as-is; only emptiness is checked, no local-path validation
                    $oidcProperties = [Microsoft.AspNetCore.Authentication.AuthenticationProperties]::new()
                    if (-not [string]::IsNullOrEmpty($RedirectUri) ) {
                        $oidcProperties.RedirectUri = $RedirectUri
                    }
                    $Context.SignOut($cookieSchemeName, $oidcProperties) | Out-Null

                    Write-KrLog -Level Information -Message 'OAuth2 logout initiated, OAuth2 handler will redirect to Id
                    # -Redirect and -Properties are not consulted on this path
                    return
                }
                'Oidc' {

                    # OIDC logout requires special handling
                    Write-KrLog -Level Information -Message 'Signing out from Cookie ({cookieScheme}) and OIDC ({oidcSch
                    $schemeName = $KrServer.RegisteredAuthentications.ResolveAuthenticationSchemeName($Scheme, $AuthKind
                    Write-KrLog -Level Debug -Message 'Resolved OIDC scheme name: {scheme}' -Values $schemeName

                    # Two sign-outs: the resolved OIDC scheme (no properties) first, then the cookie scheme
                    # ($Scheme) carrying the post-logout RedirectUri.
                    $Context.SignOut($schemeName) | Out-Null
                    $oidcProperties = [Microsoft.AspNetCore.Authentication.AuthenticationProperties]::new()
                    if (-not [string]::IsNullOrEmpty($RedirectUri)) {
                        $oidcProperties.RedirectUri = $RedirectUri
                    }
                    $Context.SignOut($Scheme, $oidcProperties) | Out-Null

                    Write-KrLog -Level Information -Message 'OIDC logout initiated, OIDC handler will redirect to IdP lo
                    # -Redirect and -Properties are not consulted on this path
                    return
                }
                'Cookies' {
                    Write-KrLog -Level Information -Message 'Signing out from Cookie scheme: {scheme}' -Values $Scheme

                    # Standard cookie-only logout; skipped for anonymous requests so no empty SignOut is issued.
                    # NOTE(review): $Properties is a [hashtable] here while the other branches pass an
                    # AuthenticationProperties instance — confirm SignOut accepts the hashtable form.
                    if ($Context.User -and $Context.User.Identity.IsAuthenticated) {
                        $Context.SignOut($Scheme, $Properties)
                    }

                    if ($Redirect) {
                        $cookiesAuth = $null
                        if ($KrServer.RegisteredAuthentications.Exists($Scheme, 'Cookie')) {
                            $cookiesAuth = $KrServer.RegisteredAuthentications.Get($Scheme, 'Cookie')
                        } else {
                            # The cookie sign-out above has already run by this point; only the redirect is refused
                            Write-KrLog -Level Warning -Message 'Authentication scheme {scheme} not found in registered
                            Write-KrErrorResponse -Message "Authentication scheme '$Scheme' not found." -StatusCode 400
                            return
                        }
                        Write-KrLog -Level Information -Message 'User {@user} signed out from {scheme} authentication.'
                        # Redirect to login path or root

                        # Destination comes from the registered scheme's configured LoginPath, never from the request
                        if ($null -ne $cookiesAuth -and $cookiesAuth.LoginPath -and $cookiesAuth.LoginPath.ToString().Tr
                            $url = $cookiesAuth.LoginPath
                        } else {
                            $url = '/'
                        }
                        Write-KrLog -Level Information -Message 'Redirecting {user} after logout to {path}' -Values $Con
                        Write-KrRedirectResponse -Url $url
                    }
                }
            }
        }
    } else {
        # Not running inside a route: no $Context/$KrServer, so warn instead of failing
        Write-KrOutsideRouteWarning
    }
}