mtien-apache commented on a change in pull request #4593: URL: https://github.com/apache/nifi/pull/4593#discussion_r504375038
########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java ########## @@ -329,24 +359,221 @@ public Response oidcExchange(@Context HttpServletRequest httpServletRequest, @Co ) public void oidcLogout(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { if (!httpServletRequest.isSecure()) { - throw new IllegalStateException("User authentication/authorization is only supported when running over HTTPS."); + throw new IllegalStateException(AUTHENTICATION_NOT_ENABLED_MSG); } if (!oidcService.isOidcEnabled()) { - throw new IllegalStateException("OpenId Connect is not configured."); + throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED_MSG); } - URI endSessionEndpoint = oidcService.getEndSessionEndpoint(); - String postLogoutRedirectUri = generateResourceUri("..", "nifi", "logout-complete"); + // Get the oidc discovery url + String oidcDiscoveryUrl = properties.getOidcDiscoveryUrl(); + + // Determine the logout method + String logoutMethod = determineLogoutMethod(oidcDiscoveryUrl); + + switch (logoutMethod) { + case REVOKE_ACCESS_TOKEN_LOGOUT:

Review comment: Correct. Both `REVOKE_ACCESS_TOKEN_LOGOUT` and `ID_TOKEN_LOGOUT` make the same request to the ID Provider. But each will use a different component of the response, which will be determined in `oidc/logoutCallback`.
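
Review bot: In `oidcLogout`, `switch (logoutMethod)` switches on a String returned by `determineLogoutMethod(oidcDiscoveryUrl)`, and a null return would throw a NullPointerException at the switch; the visible lines check `oidcService.isOidcEnabled()` but not the value of `properties.getOidcDiscoveryUrl()` or the method's result. Consider returning an enum instead of a String constant and giving the switch an explicit default branch that rejects the logout request, so an unrecognised provider cannot fall through silently. Separately, the message replaced under `!httpServletRequest.isSecure()` named HTTPS explicitly, while the name `AUTHENTICATION_NOT_ENABLED_MSG` does not; please confirm the constant's text still tells the operator that HTTPS is required.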