auth

src/App/Config.php

@@ -21,6 +21,7 @@ class Config
     public string $oidcTokenEndpoint;
     public string $oidcUserinfoEndpoint;
     public string $oidcLogoutEndpoint;
+    public string $oidcPostLogoutRedirectUri;
     public string $oidcGroupClaim;
     public string $oidcAdminGroup;
     public string $oidcUserGroup;
@@ -47,6 +48,7 @@ class Config
         $this->oidcTokenEndpoint = defined('APP_OIDC_TOKEN_ENDPOINT') ? (string)APP_OIDC_TOKEN_ENDPOINT : '';
         $this->oidcUserinfoEndpoint = defined('APP_OIDC_USERINFO_ENDPOINT') ? (string)APP_OIDC_USERINFO_ENDPOINT : '';
         $this->oidcLogoutEndpoint = defined('APP_OIDC_LOGOUT_ENDPOINT') ? (string)APP_OIDC_LOGOUT_ENDPOINT : '';
+        $this->oidcPostLogoutRedirectUri = defined('APP_OIDC_POST_LOGOUT_REDIRECT_URI') ? (string)APP_OIDC_POST_LOGOUT_REDIRECT_URI : '';
         $this->oidcGroupClaim = defined('APP_OIDC_GROUP_CLAIM') ? (string)APP_OIDC_GROUP_CLAIM : 'groups';
         $this->oidcAdminGroup = defined('APP_OIDC_ADMIN_GROUP') ? (string)APP_OIDC_ADMIN_GROUP : 'admin';
         $this->oidcUserGroup = defined('APP_OIDC_USER_GROUP') ? (string)APP_OIDC_USER_GROUP : 'user';

src/App/OidcClient.php

@@ -123,7 +123,9 @@ final class OidcClient
             return null;
         }
         $params = [
-            'post_logout_redirect_uri' => $this->config->oidcRedirectUri ? dirname($this->config->oidcRedirectUri) : '/',
+            'post_logout_redirect_uri' => $this->config->oidcPostLogoutRedirectUri !== ''
+                ? $this->config->oidcPostLogoutRedirectUri
+                : ($this->config->oidcRedirectUri ? dirname($this->config->oidcRedirectUri) : '/'),
         ];
         if ($idToken) {
             $params['id_token_hint'] = $idToken;

src/App/functions.php

@@ -80,21 +80,50 @@ function auth_groups(): array
     return is_array($user['groups'] ?? null) ? $user['groups'] : [];
 }
 
+function parse_group_list(string $value): array
+{
+    $parts = preg_split('/[,\s]+/', $value) ?: [];
+    $out = [];
+    foreach ($parts as $p) {
+        $p = trim($p);
+        if ($p !== '') {
+            $out[] = $p;
+        }
+    }
+    return $out;
+}
+
 function auth_is_admin(): bool
 {
     $config = app()->config();
     $groups = auth_groups();
-    return in_array($config->oidcAdminGroup, $groups, true);
+    $allowed = parse_group_list($config->oidcAdminGroup);
+    foreach ($allowed as $g) {
+        if (in_array($g, $groups, true)) {
+            return true;
+        }
+    }
+    return false;
 }
 
 function auth_is_user(): bool
 {
     $config = app()->config();
     $groups = auth_groups();
-    if (in_array($config->oidcAdminGroup, $groups, true)) {
-        return true;
+    $admins = parse_group_list($config->oidcAdminGroup);
+    foreach ($admins as $g) {
+        if (in_array($g, $groups, true)) {
+            return true;
+        }
     }
-    return in_array($config->oidcUserGroup, $groups, true);
+
+    $users = parse_group_list($config->oidcUserGroup);
+    foreach ($users as $g) {
+        if (in_array($g, $groups, true)) {
+            return true;
+        }
+    }
+    return false;
 }
 
 function require_auth(): void