End keycloak session if user is not authorized (#334)

Author: calvinlu3

src/main/java/org/mskcc/oncokb/curation/security/CustomOAuthSuccessHandler.java

@@ -77,9 +77,7 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
             SecurityContextHolder.getContext().setAuthentication(authenticationWithAuthorities);
             super.onAuthenticationSuccess(request, response, authenticationWithAuthorities);
         } else {
-            request.getSession().invalidate();
-            SecurityContextHolder.clearContext();
-            redirectStrategy.sendRedirect(request, response, "/logout");
+            redirectStrategy.sendRedirect(request, response, "/logout?unauthorized=true");
         }
 
         clearAuthenticationAttributes(request);

src/main/java/org/mskcc/oncokb/curation/security/SecurityUtils.java

@@ -9,7 +9,10 @@
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 
@@ -117,4 +120,20 @@ private static Collection<String> getRolesFromClaims(Map<String, Object> claims)
     private static List<GrantedAuthority> mapRolesToGrantedAuthorities(Collection<String> roles) {
         return roles.stream().filter(role -> role.startsWith("ROLE_")).map(SimpleGrantedAuthority::new).collect(Collectors.toList());
     }
+
+    public static String getKeycloakLogoutURL(ClientRegistration clientRegistration) {
+        StringBuilder logoutUrl = new StringBuilder();
+
+        // Get keycloak logout endpoint (host/auth/realms/<my_realm>/protocol/openid-connect/logout)
+        logoutUrl.append(clientRegistration.getProviderDetails().getConfigurationMetadata().get("end_session_endpoint").toString());
+
+        // Get id token
+        OAuth2AuthenticationToken auth = (OAuth2AuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
+        OidcUser oAuth2User = (OidcUser) auth.getPrincipal();
+        String idTokenHint = oAuth2User.getIdToken().getTokenValue();
+
+        logoutUrl.append("?id_token_hint=").append(idTokenHint);
+
+        return logoutUrl.toString();
+    }
 }

src/main/java/org/mskcc/oncokb/curation/web/rest/LogoutResource.java

@@ -2,6 +2,7 @@
 
 import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
+import org.mskcc.oncokb.curation.security.SecurityUtils;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -33,22 +34,9 @@ public LogoutResource(ClientRegistrationRepository registrations) {
      */
     @PostMapping("/api/logout")
     public ResponseEntity<?> logout(HttpServletRequest request) {
-        StringBuilder logoutUrl = new StringBuilder();
-
-        // Get keycloak logout endpoint (host/auth/realms/<my_realm>/protocol/openid-connect/logout)
-        logoutUrl.append(this.registration.getProviderDetails().getConfigurationMetadata().get("end_session_endpoint").toString());
-
-        String originUrl = request.getHeader(HttpHeaders.ORIGIN);
-
-        OAuth2AuthenticationToken auth = (OAuth2AuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
-        OidcUser oAuth2User = (OidcUser) auth.getPrincipal();
-        String idTokenHint = oAuth2User.getIdToken().getTokenValue();
-
-        // After logout redirect to home page
-        logoutUrl.append("?post_logout_redirect_uri=").append(originUrl);
-        logoutUrl.append("&id_token_hint=").append(idTokenHint);
-
+        String logoutUrl = SecurityUtils.getKeycloakLogoutURL(this.registration);
         request.getSession().invalidate();
-        return ResponseEntity.ok().body(Map.of("logoutUrl", logoutUrl.toString()));
+        SecurityContextHolder.clearContext();
+        return ResponseEntity.ok().body(Map.of("logoutUrl", logoutUrl));
     }
 }

src/main/webapp/app/config/constants/constants.ts

@@ -420,3 +420,7 @@ export const DEFAULT_TOAST_ERROR_OPTIONS: ToastOptions = {
   draggable: false,
   closeOnClick: false,
 };
+
+export const KEYCLOAK_LOGOUT_REDIRECT_PARAM = 'post_logout_redirect_uri';
+export const KEYCLOAK_SESSION_TERMINATED_PARAM = 'session_terminated';
+export const KEYCLOAK_UNAUTHORIZED_PARAM = 'unauthorized';

src/main/webapp/app/pages/login/logout.tsx

@@ -1,40 +1,92 @@
-import React from 'react';
-import { componentInject } from 'app/shared/util/typed-inject';
+import React, { useEffect } from 'react';
+import { connect } from 'app/shared/util/typed-inject';
 import { IRootStore } from 'app/stores';
-import { observer } from 'mobx-react';
-import { Row } from 'reactstrap';
+import { Link, RouteComponentProps } from 'react-router-dom';
+import {
+  KEYCLOAK_LOGOUT_REDIRECT_PARAM,
+  KEYCLOAK_SESSION_TERMINATED_PARAM,
+  KEYCLOAK_UNAUTHORIZED_PARAM,
+  PAGE_ROUTE,
+} from 'app/config/constants/constants';
+import { setUrlParams } from 'app/shared/util/url-utils';
 
-export interface ILogoutProps extends StoreProps {
+function getKeycloakLogoutUrl(baseLogoutUrl: string) {
+  const redirectUrl = setUrlParams(window.location.href, { [KEYCLOAK_SESSION_TERMINATED_PARAM]: true });
+  // Encoding URI will allow us to include multiple search params in redirect uri param
+  const keyCloakLogoutUrl = setUrlParams(baseLogoutUrl, { [KEYCLOAK_LOGOUT_REDIRECT_PARAM]: redirectUrl });
+  return keyCloakLogoutUrl;
+}
+
+export interface ILogoutProps extends StoreProps, RouteComponentProps {
   logoutUrl: string;
 }
 
-class Logout extends React.Component<ILogoutProps> {
-  constructor(props: ILogoutProps) {
-    super(props);
-  }
+export const Logout = (props: ILogoutProps) => {
+  const searchParams = new URLSearchParams(props.location.search);
 
-  componentDidMount() {
-    this.props.logout();
-  }
+  const sessionTerminated = !!searchParams.get(KEYCLOAK_SESSION_TERMINATED_PARAM);
+  const unauthorizedAccess = !!searchParams.get(KEYCLOAK_UNAUTHORIZED_PARAM);
+
+  useEffect(() => {
+    if (unauthorizedAccess && !sessionTerminated) {
+      props.logout();
+    } else if (!sessionTerminated) {
+      props.logout();
+    }
+  }, [unauthorizedAccess, sessionTerminated]);
 
-  render() {
-    if (this.props.logoutUrl) {
-      window.location.href = this.props.logoutUrl;
+  useEffect(() => {
+    if (props.logoutUrl) {
+      if (!sessionTerminated || unauthorizedAccess) {
+        window.location.href = getKeycloakLogoutUrl(props.logoutUrl);
+      }
     }
+  }, [props.logoutUrl, sessionTerminated, unauthorizedAccess]);
 
-    return (
-      <Row className="justify-content-center">
-        <h4>Logged out.</h4>
-      </Row>
-    );
+  if (!sessionTerminated) {
+    return <></>;
   }
-}
+
+  if (unauthorizedAccess) {
+    return <></>;
+  }
+
+  const unauthorizedAccessContent = (
+    <>
+      <h3 className="card-title mb-4">Logged out!</h3>
+      <div className="card-text alert alert-danger" role="alert">
+        You are not authorized to access this website. If you think this is an error, please reach out to OncoKB Dev team.
+      </div>
+    </>
+  );
+
+  const loggedOutContent = (
+    <>
+      <h3 className="card-title mb-4">Logged out successfully!</h3>
+    </>
+  );
+
+  return (
+    <div className="d-flex justify-content-center">
+      <div className="card" style={{ width: '40rem' }}>
+        <div className="card-body">
+          {unauthorizedAccess ? unauthorizedAccessContent : loggedOutContent}
+          <p className="card-text">Please click on &apos;Sign in&apos; to be directed to the login page.</p>
+          <Link to={PAGE_ROUTE.LOGIN} className="btn btn-primary">
+            Sign in
+          </Link>
+        </div>
+      </div>
+    </div>
+  );
+};
 
 const mapStoreToProps = (storeState: IRootStore) => ({
+  isAuthenticated: storeState.authStore.isAuthenticated,
   logoutUrl: storeState.authStore.logoutUrl,
   logout: storeState.authStore.logout,
 });
 
 type StoreProps = ReturnType<typeof mapStoreToProps>;
 
-export default componentInject(mapStoreToProps)(observer(Logout));
+export default connect(mapStoreToProps)(Logout);

src/main/webapp/app/shared/util/url-utils.ts

@@ -23,3 +23,12 @@ export const replaceUrlParams = (url: string, ...params: (string | number)[]) =>
 
   return url;
 };
+
+export const setUrlParams = (urlString: string, params: Record<string, any>) => {
+  const url = new URL(urlString);
+  for (const [key, value] of Object.entries(params)) {
+    // Set will override the param if it already exists in the URL
+    url.searchParams.set(key, value);
+  }
+  return url.toString();
+};