Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add non-HTTP schema logout redirect fixes #273 #333

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Add non-HTTP schema logout redirect
  • Loading branch information
meteozond committed Jul 17, 2019

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
commit a8283204c1f0d6fe693b436703c8ee81d1a74b44
1 change: 1 addition & 0 deletions oidc_provider/lib/utils/common.py
Original file line number Diff line number Diff line change
@@ -18,6 +18,7 @@ def redirect(uri):
Custom Response object for redirecting to a Non-HTTP url scheme.
"""
response = HttpResponse('', status=302)
response.url = uri # TestCase.assertRedirects compatibility
response['Location'] = uri
return response

29 changes: 23 additions & 6 deletions oidc_provider/tests/cases/test_end_session_endpoint.py
Original file line number Diff line number Diff line change
@@ -28,15 +28,17 @@ def setUp(self):
self.user = create_fake_user()

self.oidc_client = create_fake_client('id_token')
self.LOGOUT_URL = 'http://example.com/logged-out/'
self.oidc_client.post_logout_redirect_uris = [self.LOGOUT_URL]
self.WEB_LOGOUT_URL = 'http://example.com/logged-out/'
self.APP_LOGOUT_URL = 'example-app://logged-out/'
self.oidc_client.post_logout_redirect_uris = [
self.WEB_LOGOUT_URL, self.APP_LOGOUT_URL]
self.oidc_client.save()

self.url = reverse('oidc_provider:end-session')

def test_redirects_when_aud_is_str(self):
query_params = {
'post_logout_redirect_uri': self.LOGOUT_URL,
'post_logout_redirect_uri': self.WEB_LOGOUT_URL,
}
response = self.client.get(self.url, query_params)
# With no id_token the OP MUST NOT redirect to the requested
@@ -54,12 +56,12 @@ def test_redirects_when_aud_is_str(self):

response = self.client.get(self.url, query_params)
self.assertRedirects(
response, self.LOGOUT_URL, fetch_redirect_response=False)
response, self.WEB_LOGOUT_URL, fetch_redirect_response=False)

def test_redirects_when_aud_is_list(self):
"""Check with 'aud' containing a list of str."""
query_params = {
'post_logout_redirect_uri': self.LOGOUT_URL,
'post_logout_redirect_uri': self.WEB_LOGOUT_URL,
}
token = create_token(self.user, self.oidc_client, [])
id_token_dic = create_id_token(
@@ -69,7 +71,7 @@ def test_redirects_when_aud_is_list(self):
query_params['id_token_hint'] = id_token
response = self.client.get(self.url, query_params)
self.assertRedirects(
response, self.LOGOUT_URL, fetch_redirect_response=False)
response, self.WEB_LOGOUT_URL, fetch_redirect_response=False)

@mock.patch(settings.get('OIDC_AFTER_END_SESSION_HOOK'))
def test_call_post_end_session_hook(self, hook_function):
@@ -78,3 +80,18 @@ def test_call_post_end_session_hook(self, hook_function):
self.assertTrue(
hook_function.call_count == 1,
'OIDC_AFTER_END_SESSION_HOOK should be called once')

def test_redirects_to_app(self):
query_params = {
'post_logout_redirect_uri': self.APP_LOGOUT_URL,
}
token = create_token(self.user, self.oidc_client, [])
id_token_dic = create_id_token(
token=token, user=self.user, aud=self.oidc_client.client_id)
id_token_dic['aud'] = [id_token_dic['aud']]
id_token = encode_id_token(id_token_dic, self.oidc_client)
query_params['id_token_hint'] = id_token
response = self.client.get(self.url, query_params,
fetch_redirect_response=False)
self.assertRedirects(
response, self.APP_LOGOUT_URL, fetch_redirect_response=False)
8 changes: 8 additions & 0 deletions oidc_provider/views.py
Original file line number Diff line number Diff line change
@@ -26,6 +26,7 @@
from django.views.decorators.clickjacking import xframe_options_exempt
from django.views.decorators.http import require_http_methods
from django.views.generic import View
from django.contrib.auth import logout as auth_logout
from jwkest import long_to_base64

from oidc_provider.compat import get_attr_or_callable
@@ -349,6 +350,13 @@ def dispatch(self, request, *args, **kwargs):
)

self.next_page = next_page

# Rewrite LogoutView.dispatch to allowing Non-HTTP url scheme redirect
auth_logout(request)
next_page = self.get_next_page()
if next_page:
return redirect(next_page)

return super(EndSessionView, self).dispatch(request, *args, **kwargs)