From 65b0bab26dd29b920c609243be6a3e27030aebc0 Mon Sep 17 00:00:00 2001
From: Pedro Juarez
Date: Wed, 13 Sep 2023 15:26:48 -0600
Subject: [PATCH] Load the available CA in logout API (#3044)

---
 restapi/user_logout.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/restapi/user_logout.go b/restapi/user_logout.go
index 3b25dbae4e..5da9613e82 100644
--- a/restapi/user_logout.go
+++ b/restapi/user_logout.go
@@ -18,6 +18,7 @@ package restapi
 
 import (
 "context"
+ "crypto/tls"
 "encoding/base64"
 "encoding/json"
 "net/http"
@@ -37,7 +38,7 @@ func registerLogoutHandlers(api *operations.ConsoleAPI) {
 api.AuthLogoutHandler = authApi.LogoutHandlerFunc(func(params authApi.LogoutParams, session *models.Principal) middleware.Responder {
 err := getLogoutResponse(session, params)
 if err != nil {
- return authApi.NewLogoutDefault(err.Code).WithPayload(err.APIError)
+ api.Logger("IDP logout failed: %v", err.APIError)
 }
 // Custom response writer to expire the session cookies
 return middleware.ResponderFunc(func(w http.ResponseWriter, p runtime.Producer) {
@@ -101,7 +102,14 @@ func logoutFromIDPProvider(r *http.Request, state string) error {
 params.Add("client_id", providerCfg.ClientID)
 params.Add("client_secret", providerCfg.ClientSecret)
 params.Add("refresh_token", refreshToken.Value)
- _, err := http.PostForm(providerCfg.EndSessionEndpoint, params)
+ client := &http.Client{
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{
+ RootCAs: GlobalRootCAs,
+ },
+ },
+ }
+ _, err := client.PostForm(providerCfg.EndSessionEndpoint, params)
 if err != nil {
 return err
 }
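Review bot: With the early return removed, a failed provider logout in the `if err != nil` branch of the logout handler is only logged. The handler then expires the cookies and answers like a normal logout, so the refresh token may remain valid at the IDP while the user is told they are signed out. If this best-effort behaviour is intended, state it at the branch, e.g. `// IDP logout is best-effort: the local session cookies are expired even when the provider call fails`. Logging `err.Code` alongside `err.APIError` would make these failures easier to monitor. The handler closure continues past the end of the hunk.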
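Review bot: The new `http.Client` in logoutFromIDPProvider has no `Timeout` and uses a bare `&http.Transport{}`, so the request carrying `client_secret` and the refresh token loses the default transport's proxy-from-environment setting and dial/TLS-handshake timeouts that `http.PostForm` had. An unresponsive end-session endpoint can therefore block the logout handler. The response is still discarded with `_`, so its body is never closed, and with a new transport per call the connection is not reused. A non-2xx answer from the IDP is also treated as success. Cloning the default transport, setting a timeout and closing the body would address this; the timeout below is a constructed value and needs the `time` import, which this hunk does not show. The function starts before the hunk and its end is not shown.

```go
// … unchanged: params.Add calls …
tr := http.DefaultTransport.(*http.Transport).Clone() // keeps proxy and dial/handshake timeouts
tr.TLSClientConfig = &tls.Config{RootCAs: GlobalRootCAs}
client := &http.Client{
	Transport: tr,
	Timeout:   30 * time.Second, // constructed value; choose one that suits the IDP
}
resp, err := client.PostForm(providerCfg.EndSessionEndpoint, params)
// … unchanged: err check …
defer resp.Body.Close()
```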