[Bug]: spec.oidc.postLogoutRedirect field name and validation inconsistent with OIDC spec

[bj0rn]

Version

edge

What Kubernetes platforms are you running on?

Kind

Steps to reproduce

When configuring spec.oidc.postLogoutRedirect, the CRD validation enforces the regex /[^\s{};\\]*, which only allows values starting with / and rejects absolute URIs. The field name suggests a URI, and according to the OIDC specification post_logout_redirect_uri must be an absolute URI registered with the IdP. The current implementation makes it difficult to redirect to other domains after logout.

The field should accept both relative paths (e.g. /logout) and absolute URIs (e.g. https://example.com/logout).

[github-actions]

Hi @bj0rn thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

[haywoodsh]

The restriction to relative path is intended as openid_connect.js and oidc_common.conf providing the OIDC functionality come from the upstream repo nginxinc/nginx-openid-connect

While open_connect.js contains logic to handle absolute URIs:

    function getLogoutRedirectUrl(base, redirect) {
        return redirect.match(/^(http|https):\/\//) ? redirect : base + redirect;
    }

    var logoutRedirectUrl = getLogoutRedirectUrl(r.variables.redirect_base,
                            r.variables.oidc_logout_redirect);

https://github.com/nginx/kubernetes-ingress/blob/main/internal/configs/oidc/openid_connect.js#L282-L287

It was intentionally designed to restrict the base path of logout redirect $redirect_base to the same domain $host though oidc_common.conf

map $http_x_forwarded_port $redirect_base {
    ""      $proto://$host:$server_port;
    default $proto://$host:$http_x_forwarded_port;
}

https://github.com/nginx/kubernetes-ingress/blob/main/internal/configs/oidc/oidc_common.conf#L6-L9

I think it would be necessary to change the logic in the upstream repo nginxinc/nginx-openid-connect to allow absolute URLs in the post-logout redirect.

[pdabelf5]

Can you please request this with the nginxinc/nginx-openid-connect project? Once the changes are implemented we will bring any changes into this project.