Disable Single Logout by default (#126)

timja · web-flow · commit 2d3d5782a602 · 2021-05-09T14:33:23.000+01:00
diff --git a/src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java b/src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java
@@ -109,6 +109,7 @@ public class AzureSecurityRealm extends SecurityRealm {
     private Secret tenant;
     private int cacheDuration;
     private boolean fromRequest = false;
+    private boolean singleLogout;
     private String azureEnvironmentName = "Azure";
 
     private final Supplier<GraphServiceClient<Request>> cachedAzureClient = Suppliers.memoize(() -> {
@@ -164,6 +165,15 @@ private static OkHttpClient.Builder addProxyToHttpClientIfRequired(OkHttpClient.
     }
 
 
+    public boolean isSingleLogout() {
+        return singleLogout;
+    }
+
+    @DataBoundSetter
+    public void setSingleLogout(boolean singleLogout) {
+        this.singleLogout = singleLogout;
+    }
+
     private final Supplier<JwtConsumer> jwtConsumer = Suppliers.memoize(() ->
             Utils.JwtUtil.jwt(getClientId(), getTenant()));
 
@@ -383,7 +393,11 @@ protected String getPostLogOutUrl2(StaplerRequest req, Authentication auth) {
             AzureCachePool.invalidateBelongingGroupsByOid(oid);
         }
         // Ensure single sign-out
-        return getOAuthService().getLogoutUrl();
+
+        if (singleLogout) {
+            return getOAuthService().getLogoutUrl();
+        }
+        return req.getContextPath() + "/";
     }
 
     @Override
diff --git a/src/main/resources/com/microsoft/jenkins/azuread/AzureSecurityRealm/config.jelly b/src/main/resources/com/microsoft/jenkins/azuread/AzureSecurityRealm/config.jelly
@@ -30,6 +30,10 @@
             <f:checkbox />
         </f:entry>
 
+        <f:entry title="${%Enable Single Logout}" field="singleLogout">
+            <f:checkbox />
+        </f:entry>
+
         <f:entry title="Test user principal name or object id">
             <f:textbox name="testObject" />
         </f:entry>
diff --git a/src/main/resources/com/microsoft/jenkins/azuread/AzureSecurityRealm/help-singleLogout.html b/src/main/resources/com/microsoft/jenkins/azuread/AzureSecurityRealm/help-singleLogout.html
@@ -0,0 +1,10 @@
+<p>
+    Single Logout will sign the user out of all Azure Active Directory sessions and not just Jenkins.
+</p>
+<p>
+    This is a security hardening that some organisations may want to enable, but is a poor user experience.
+</p>
+<p>
+    Users using applications like teams or outlook in the browser will be logged out and won't continue receiving emails
+    and messages.
+</p>
