fix: OIDC/SAML logout, empty-target queries/carves, carve bulk actions, envless login#842
Merged
javuto merged 4 commits on May 21, 2026
The OIDC callback set the id_token cookie with Path=/api/v1/auth/ but the logout endpoint lives at /api/v1/logout — outside that scope. The browser never sent the cookie on logout requests, so the handler couldn't identify OIDC sessions and skipped the IdP end-session redirect. Widen to /api/v1/ which covers both paths.
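The path-scoping bug described in that commit is a plain RFC 6265 path-match rule: a cookie is only attached to requests whose path equals the cookie's Path or extends it at a "/" boundary. The following is an added example (not osctrl's code) that reproduces the behaviour with Go's standard cookie jar, which implements the same matching a browser does. The cookie name `osctrl_id_token`, the host `osctrl.example.test`, the callback path `/api/v1/auth/callback` and the token value are constructed for the example; the paths `/api/v1/auth/`, `/api/v1/` and `/api/v1/logout` come from the commit message.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// Constructed values for this example; not taken from the project's code.
const (
	idTokenCookieName = "osctrl_id_token"
	origin            = "https://osctrl.example.test"
	callbackPath      = "/api/v1/auth/callback" // where the OIDC callback would set the cookie
)

// cookieVisibleOnPath stores an id_token cookie scoped to cookiePath in an
// RFC 6265 cookie jar (as if the OIDC callback had sent Set-Cookie) and then
// asks the jar whether a request to requestPath would carry that cookie.
// This is exactly the question the logout handler depends on: if the browser
// never sends the cookie to /api/v1/logout, the handler cannot tell the
// session is an OIDC one and skips the IdP end-session redirect.
func cookieVisibleOnPath(cookiePath, requestPath string) (bool, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return false, err
	}
	setURL, err := url.Parse(origin + callbackPath)
	if err != nil {
		return false, err
	}
	jar.SetCookies(setURL, []*http.Cookie{{
		Name:     idTokenCookieName,
		Value:    "constructed-id-token", // constructed placeholder, not a real token
		Path:     cookiePath,
		Secure:   true,
		HttpOnly: true,
	}})
	reqURL, err := url.Parse(origin + requestPath)
	if err != nil {
		return false, err
	}
	// jar.Cookies applies the RFC 6265 path-match rule for the request URL.
	for _, c := range jar.Cookies(reqURL) {
		if c.Name == idTokenCookieName {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	cookiePaths := []string{"/api/v1/auth/", "/api/v1/", "/"}
	requestPaths := []string{"/api/v1/auth/callback", "/api/v1/logout"}
	for _, cp := range cookiePaths {
		for _, rp := range requestPaths {
			sent, err := cookieVisibleOnPath(cp, rp)
			if err != nil {
				panic(err)
			}
			fmt.Printf("cookie Path=%-14s request %-22s sent=%v\n", cp, rp, sent)
		}
	}
}
```

Running it shows the narrow `/api/v1/auth/` scope reaching the callback but not `/api/v1/logout`, while `/api/v1/` (the commit's fix) and `/` (the path the PR summary mentions) cover both. The same check is worth keeping as a unit test for any cookie that a second endpoint must be able to read.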
Add SAML_LOGOUT_URL flag so the logout handler can return an IdP session-termination URL for SAML users. The SPA navigates to it with Auth0-style `returnTo` + `client_id` params (vs OIDC's `post_logout_redirect_uri`), killing the IdP session and preventing silent re-auth on the next SSO click. Also adds docs/auth-providers.md covering OIDC and SAML configuration for Keycloak, Auth0, Okta, and Entra ID — including the non-obvious gotchas (Auth0 HS256 default, attribute namespace differences, groups claim setup).
…fied + add carve bulk actions
CreateQueryCarve() returned an empty node list when all target lists were empty, silently creating queries/carves that targeted zero nodes. Now defaults to all active nodes in the environment — matching the SPA's stated behavior ("the query will fire against all nodes in this env"). Also adds delete/expire/complete bulk actions to the carves list page, mirroring the existing queries list page.
Cherry-picked from pr/envless-login. The /login endpoint now accepts credentials without requiring an environment — it tries all envs the user has access to. The SPA login page drops the environment selector.
javuto approved these changes on May 21, 2026
Summary
Summary

- `osctrl_id_token` cookie was scoped to `/api/v1/oidc` — the logout handler at `/api/v1/logout` couldn't see it, so OIDC sessions fell through to the SAML logout path. Widened cookie path to `/`.
- `SAML_LOGOUT_URL`) so the IdP session is killed too — prevents silent re-login.
- `docs/auth-providers.md` covering Keycloak, Auth0, Okta, and Entra ID configuration gotchas for both OIDC and SAML.
- `CreateQueryCarve()` returned an empty node list when no targeting criteria were specified, silently creating queries/carves that targeted zero nodes. Now defaults to all active nodes in the environment — matching the SPA's stated behavior.
- `POST /api/v1/login` now accepts credentials without requiring an environment UUID in the path. The SPA login page drops the environment selector — users just enter username and password. The old `POST /api/v1/login/{env}` path remains for backward compatibility.

Test plan

- `POST /api/v1/login` returns JWT — verified on Kali Docker via both direct API and HTTPS proxy
- `POST /api/v1/login/{env}` still works (backward compat)
- `tsc --noEmit`
- `go build ./cmd/api/ && go build ./cmd/admin/`