Feature - Custom signout URL params

README.md

@@ -40,6 +40,22 @@ $CONFIG = array (
     // provider will redirect back to 'oidc_login_logout_url' (MUST be set).
     'oidc_login_end_session_redirect' => false,
 
+    // List of URL parameters to be passed to the OIDC provider's logout URL.
+    //
+    // Default parameters:
+    //   - 'id_token_hint'
+    //   - 'post_logout_redirect_uri' (it will be the value defined in 'oidc_login_logout_url').
+    //
+    // Other parameters available:
+    //   - 'client_id' (it will be the value defined in 'oidc_login_client_id')
+    //   - 'logout_uri' (it will be the value defined in 'oidc_login_logout_url').
+    //
+    // The value of 'oidc_login_end_session_redirect' MUST be true.
+    'oidc_login_logout_params' => array(
+        0 => 'id_token_hint',
+        1 => 'post_logout_redirect_uri',
+    ),
+
     // Quota to assign if no quota is specified in the OIDC response (bytes)
     //
     // NOTE: If you want to allow NextCloud to manage quotas, omit this option. Do not set it to
@@ -231,8 +247,8 @@ $CONFIG = array (
 1. Create a new Client for Nextcloud in a Keycloak Realm of your choosing.
     1. Set a `Client ID` and save.
     2. Set `Access type` to `confidential`
-	3. Add a `Valid Redirect URI` e.g. `https://cloud.example.com/*`.
-	4. Open the `Fine Grain OpenID Connect Configuration` dropdown and set `ID Token Signature Algorithm` to `RS256` and save.
+    3. Add a `Valid Redirect URI` e.g. `https://cloud.example.com/*`.
+    4. Open the `Fine Grain OpenID Connect Configuration` dropdown and set `ID Token Signature Algorithm` to `RS256` and save.
 
 2. Open your created Client and go to `Mappers`. (optional)
     1. Click `create` and set `Mapper Type` to `User Attribute`.
@@ -296,4 +312,43 @@ The login filter feature allows to allow/deny access to nextcloud to users based
 
 The login filter feature will replace the deprecated `oidc_login_allowed_groups`, as this was limited to using groups for access control. If you want to use a group as login filter you can still achieve the same by setting `login_filter` to your groups claim and setting a corresponding `oidc_login_filter_allowed_values`.
 
+### Usage with [AWS Cognito](https://aws.amazon.com/pm/cognito/)
+1. Create a new `App client` for Nextcloud in a Cognito `User pool` of your choosing.
+    1. Set `Application type` to `Traditional web application`.
+    2. Set `Name your application` to a valid name.
+    3. Set `Add a return URL` to `https://cloud.example.com/apps/oidc_login/oidc`.
+    4. Click `Create app client`.
+
+2. Set the allowed logout URL and OpenID Connect scopes.
+    1. In the `App client` that was just created, go to the `Login pages` tab and click `Edit`.
+    2. In the `Allowed sign-out URLs` section, click on `Add sign-out URL` and put the same URL defined in `Allowed callback URLs`.
+    3. In `OpenID Connect scopes` add the `Profile` scope.
+    4. Click `Save changes`.
+
+3. Assign a `Style` to the `App client` if you are using `Managed login`.
+    1. In the `Branding` -> `Managed login` menu, click `Create a style`.
+    2. Select the `App client` that was just created and click `Create`.
+    3. (optional) Edit the style if you want.
+
+4. Necessary `config.php` settings
+```php
+  'oidc_login_provider_url' => 'https://cognito-idp.YOUR-AWS-REGION.amazonaws.com/YOUR-USER-POOL-ID/',
+  'oidc_login_client_id' => 'client_id', // Client ID generated by Cognito in your App client
+  'oidc_login_client_secret' => 'secret', // Client secret generated by Cognito in your App client
+  'oidc_login_attributes' => 
+  array (
+    'id' => 'username', // https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-usernames
+  ),
+  'oidc_login_logout_url' => 'https://cloud.example.com/apps/oidc_login/oidc',
+  'oidc_login_end_session_redirect' => true,
+  'oidc_login_logout_params' => // https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
+  array (
+    0 => 'client_id',
+    1 => 'logout_uri',
+  ),
+```
 
+5. (optional) Enable the [PKCE flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce) by setting the appropriate configuration value accordingly:
+```php
+'oidc_login_code_challenge_method' => 'S256',
+```

lib/Provider/OpenIDConnectClient.php

@@ -206,9 +206,36 @@ public function getEndSessionUrl(string $post_logout_redirect_uri): string
                                  .'Set "oidc_login_end_session_redirect" => false in Nextcloud config.');
         }
 
-        $signout_params = [
-            'id_token_hint' => $id_token_hint,
-            'post_logout_redirect_uri' => $post_logout_redirect_uri, ];
+        // Default logout params
+        $signout_params = compact('id_token_hint', 'post_logout_redirect_uri');
+
+        // Custom logout params
+        $custom_params = $this->config->getSystemValue('oidc_login_logout_params', null);
+        if (!empty($custom_params) && array_is_list($custom_params)) {
+            // Additional parameters available
+            $client_id = $this->config->getSystemValue('oidc_login_client_id');
+            $logout_uri = $post_logout_redirect_uri;
+
+            // Validate custom parameters
+            $valid_params = [];
+            foreach ($custom_params as $param) {
+                if (isset($$param)) {
+                    $valid_params[] = $param;
+                } else {
+                    \OC::$server->get(\Psr\Log\LoggerInterface::class)->warning(
+                        'Error when readind custom logout param "' . $param . '"',
+                        ['app' => $this->appName]
+                    );
+                    break;
+                    $valid_params = [];
+                }
+            }
+
+            if (!empty($valid_params)) {
+                $signout_params = compact(...$valid_params);
+            }
+        }
+
         $end_session_endpoint .= (false === strpos($end_session_endpoint, '?') ? '?' : '&').http_build_query($signout_params);
 
         return $end_session_endpoint;