Logout hook plugin

auth/handlers.go

@@ -48,6 +48,7 @@
 // PreRedirectHookError is the error interface which allows the user to set correct http status code and Message to be set in case the function returns an error
 // without which the current usage in GetCallbackHandler will set this to InternalServerError
 type PreRedirectHookFunc func(ctx context.Context, authCtx interfaces.AuthenticationContext, request *http.Request, w http.ResponseWriter) *PreRedirectHookError
+type LogoutHookFunc func(ctx context.Context, authCtx interfaces.AuthenticationContext, request *http.Request, w http.ResponseWriter) error
 type HTTPRequestToMetadataAnnotator func(ctx context.Context, request *http.Request) metadata.MD
 type UserInfoForwardResponseHandler func(ctx context.Context, w http.ResponseWriter, m protoiface.MessageV1) error
 
@@ -68,7 +69,7 @@
 	handler.HandleFunc(fmt.Sprintf("/%s", OIdCMetadataEndpoint), GetOIdCMetadataEndpointRedirectHandler(ctx, authCtx))
 
 	// These endpoints require authentication
-	handler.HandleFunc("/logout", GetLogoutEndpointHandler(ctx, authCtx))
+	handler.HandleFunc("/logout", GetLogoutEndpointHandler(ctx, authCtx, pluginRegistry))
 }
 
 // Look for access token and refresh token, if both are present and the access token is expired, then attempt to
@@ -466,9 +467,19 @@
 	}
 }
 
-func GetLogoutEndpointHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc {
+func GetLogoutEndpointHandler(ctx context.Context, authCtx interfaces.AuthenticationContext, pluginRegistry *plugins.Registry) http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
-		logger.Debugf(ctx, "Deleting auth cookies")
+		hook := plugins.Get[LogoutHookFunc](pluginRegistry, plugins.PluginIDLogoutHook)
+		if hook != nil {
+			if err := hook(ctx, authCtx, request, writer); err != nil {
+				logger.Errorf(ctx, "logout hook failed: %v", err)
+				writer.WriteHeader(http.StatusInternalServerError)
+				return
+			}
+			logger.Debugf(ctx, "logout hook called")
+		}
+
+		logger.Debugf(ctx, "deleting auth cookies")
 		authCtx.CookieManager().DeleteCookies(ctx, writer)
 
 		// Redirect if one was given

plugins/registry.go

@@ -13,6 +13,7 @@ const (
 	PluginIDDataProxy              PluginID = "DataProxy"
 	PluginIDUnaryServiceMiddleware PluginID = "UnaryServiceMiddleware"
 	PluginIDPreRedirectHook        PluginID = "PreRedirectHook"
+	PluginIDLogoutHook             PluginID = "LogoutHook"
 )
 
 type AtomicRegistry struct {

plugins/registry_test.go

@@ -41,6 +41,26 @@ func TestRedirectHook(t *testing.T) {
 	assert.Equal(t, fmt.Errorf("redirect hook error"), err)
 }
 
+type LogoutHook func(context.Context) error
+
+func TestLogoutHook(t *testing.T) {
+	ar := NewAtomicRegistry(nil)
+	r := NewRegistry()
+
+	hook := LogoutHook(func(ctx context.Context) error {
+		return fmt.Errorf("redirect hook error")
+	})
+	err := r.Register(PluginIDLogoutHook, hook)
+	assert.NoError(t, err)
+
+	ar.Store(r)
+	r = ar.Load()
+	fn := Get[LogoutHook](r, PluginIDLogoutHook)
+	err = fn(context.Background())
+
+	assert.Equal(t, fmt.Errorf("redirect hook error"), err)
+}
+
 func TestRegistry_RegisterDefault(t *testing.T) {
 	r := NewRegistry()
 	r.RegisterDefault("hello", 5)