@robbevp robbevp commented Jul 31, 2025

This PR allows a dynamic post-logout redirect URI, using the setup from OmniAuth.

Why

I have an application where the redirect_uri for the logout depends on the request (one strategy is applied for multiple (sub)domains that each have their own keys and their own redirect_uri and post_logout_redirect_uri).

I naively assumed that the following would work (simplified for clarity):

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :openid_connect, {
    name: :openid_connect,
    ...
    setup: proc { |env|
      request = Rack::Request.new(env)

      env['omniauth.strategy'].options[:client_options].merge!({
        ...
      })
      env['omniauth.strategy'].options[:post_logout_redirect_uri] = "#{request.base_url}/sessions/sign_out"
    }
  }
end

However, I discovered that the setup phase does not get called on logout.

Solution

If the request is a logout request, I mimicked the way OmniAuth::Strategy runs the setup when the request is a request or callback. I imagine it doesn't make sense for OmniAuth::Strategy to do this before other_phase, since that would mean running the setup before every request in the application. This makes the config above work (I also validated this in my actual application using this version).

I also considered changing post_logout_redirect_uri to accept a string or a proc. I found it more intuitive that we would re-use the setup, but I'm happy to still switch this around. The initializer for my example would then be:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :openid_connect, {
    name: :openid_connect,
    ...
    post_logout_redirect_uri: proc { |env|
      request = Rack::Request.new(env)
      "#{request.base_url}/sessions/sign_out"
    }
  }
end
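
Added example, not part of this pull request or of the project's code: `request.base_url` is built from request headers such as Host, so a setup proc that serves several (sub)domains can pick the client settings and `post_logout_redirect_uri` from a fixed per-host table instead of interpolating the header. The host names, client identifiers, `TENANTS`, `DEFAULT_LOGOUT_URI`, `tenant_for` and `TENANT_SETUP` are assumptions made for illustration.

```ruby
# Constructed per-host settings (assumed values): each (sub)domain served by
# the one strategy has its own client identifier and registered logout URI.
TENANTS = {
  'a.example.test' => {
    identifier: 'client-a',
    post_logout_redirect_uri: 'https://a.example.test/sessions/sign_out'
  },
  'b.example.test' => {
    identifier: 'client-b',
    post_logout_redirect_uri: 'https://b.example.test/sessions/sign_out'
  }
}.freeze

# Constructed fallback used when the request's host is not in the table.
DEFAULT_LOGOUT_URI = 'https://a.example.test/sessions/sign_out'

# Hypothetical helper: look the Host header up in TENANTS.
# Exact match after lower-casing and dropping the default HTTPS port;
# unknown hosts, other ports and userinfo tricks all return nil.
def tenant_for(env)
  host = env['HTTP_HOST'].to_s.downcase.sub(/:443\z/, '')
  TENANTS[host]
end

# Setup proc in the shape used in the comment above. Every value written to
# the strategy options comes from the table, never from request-supplied text.
TENANT_SETUP = proc do |env|
  strategy = env['omniauth.strategy']
  tenant = tenant_for(env)
  if tenant
    strategy.options[:client_options].merge!(identifier: tenant[:identifier])
    strategy.options[:post_logout_redirect_uri] = tenant[:post_logout_redirect_uri]
  else
    strategy.options[:post_logout_redirect_uri] = DEFAULT_LOGOUT_URI
  end
end
```

It would be passed as `setup: TENANT_SETUP` in the provider options shown in the first snippet.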
