Fixed RP-Initiated Logout To Accept id_token_hint #829

Merged
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -10,12 +10,17 @@ The format is based on the [KeepAChangeLog] project.
### Changed
- [#827] Added support for python 3.11

### Fixed
- [#826], [#829] Fixed RP-Initiated Logout To Accept id_token_hint

## Removed

- [#820] Removed Client.grant_from_state method.

[#820]: https://github.com/OpenIDC/pyoidc/pull/820
[#827]: https://github.com/OpenIDC/pyoidc/issues/827
[#826]: https://github.com/OpenIDC/pyoidc/issues/826
[#829]: https://github.com/OpenIDC/pyoidc/pull/829

## 1.4.0 [2022-05-23]

1 change: 1 addition & 0 deletions mypy.ini
@@ -1,5 +1,6 @@
[mypy]
check_untyped_defs = True
no_implicit_optional = False

[mypy-jwkest.*]
ignore_missing_imports = True
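--- a/src/oic/oic/__init__.py
+++ b/src/oic/oic/__init__.py
@@ -647,7 +647,12 @@ def construct_CheckIDRequest(
 )
 
 def construct_EndSessionRequest(
-self, request=None, request_args=None, extra_args=None, **kwargs
+self,
+request=None,
+request_args=None,
+extra_args=None,
+prop="id_token_hint",
+**kwargs,
 ):
 
 if request is None:
@@ -658,7 +663,9 @@ def construct_EndSessionRequest(
 if "state" in request_args and "state" not in kwargs:
 kwargs["state"] = request_args["state"]
 
-return self._id_token_based(request, request_args, extra_args, **kwargs)
+return self._id_token_based(
+request, request_args, extra_args, prop=prop, **kwargs
+)
 
 def do_authorization_request(
 self,
@@ -824,6 +831,7 @@ def do_end_session_request(
 request_args=None,
 extra_args=None,
 http_args=None,
+prop="id_token_hint",
 ):
 request = self.message_factory.get_request_type("endsession_endpoint")
 response_cls = self.message_factory.get_response_type("endsession_endpoint")
@@ -834,6 +842,7 @@ def do_end_session_request(
 extra_args=extra_args,
 scope=scope,
 state=state,
+prop=prop,
 )
 
 if http_args is None: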
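Review bot: The new `prop` keyword on `construct_EndSessionRequest` (and on `do_end_session_request` in the later hunks) has no documentation, and its default changes which request parameter carries the ID token: the test changes in this PR show the key was `id_token` before, so a caller talking to a provider that still expects the old name would now need `prop="id_token"`. `construct_EndSessionRequest` has an empty line where a docstring belongs; I would add `"""Build an RP-Initiated Logout request; prop names the parameter that carries the ID token."""`. The updated test reads `id_token_hint` back out of the request URL's query string, so the docstring should also mention that the signed ID token ends up in the URL and can therefore appear in proxy and server access logs. Both method bodies continue outside the hunks, and `_id_token_based` is not shown, so how `prop` is used there is inferred.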
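--- a/tests/test_oic.py
+++ b/tests/test_oic.py
@@ -415,9 +415,10 @@ def test_do_end_session_request(self):
 alg = "RS256"
 ktyp = alg2keytype(alg)
 _sign_key = self.client.keyjar.get_signing_key(ktyp)
+id_token_jwt = IDTOKEN.to_jwt(key=_sign_key, algorithm=alg)
 args = {
-"id_token": IDTOKEN.to_jwt(key=_sign_key, algorithm=alg),
-"redirect_url": "http://example.com/end",
+"id_token_hint": id_token_jwt,
+"post_logout_redirect_uri": "http://example.com/end",
 }
 
 with responses.RequestsMock() as rsps:
@@ -427,10 +428,10 @@ def test_do_end_session_request(self):
 status=302,
 headers={"location": ""},
 )
-resp = self.client.do_end_session_request(request_args=args, state="state1")
+resp = self.client.do_end_session_request(request_args=args)
 parsed = parse_qs(urlparse(resp.request.url).query)
-assert parsed["redirect_url"] == ["http://example.com/end"]
-assert parsed["id_token"] is not None
+assert parsed["post_logout_redirect_uri"] == ["http://example.com/end"]
+assert parsed["id_token_hint"] == [id_token_jwt]
 
 def test_do_registration_request(self):
 self.client.registration_endpoint = ( # type: ignore
@@ -681,9 +682,9 @@ def test_construct_EndSessionRequest_kwargs_state(self):
 self.client.grant["foo"].tokens.append(Token(resp))
 
 # state only in kwargs
-args = {"redirect_url": "http://example.com/end"}
+args = {"post_logout_redirect_uri": "http://example.com/end"}
 esr = self.client.construct_EndSessionRequest(state="foo", request_args=args)
-assert _eq(esr.keys(), ["id_token", "redirect_url"])
+assert _eq(esr.keys(), ["id_token_hint", "post_logout_redirect_uri"])
 
 def test_construct_EndSessionRequest_reqargs_state(self):
 self.client.grant["foo"] = Grant()
@@ -708,9 +709,9 @@ def test_construct_EndSessionRequest_reqargs_state(self):
 self.client.grant["foo"].tokens.append(Token(resp))
 
 # state only in request_args
-args = {"redirect_url": "http://example.com/end", "state": "foo"}
+args = {"post_logout_redirect_uri": "http://example.com/end", "state": "foo"}
 esr = self.client.construct_EndSessionRequest(request_args=args)
-assert _eq(esr.keys(), ["id_token", "state", "redirect_url"])
+assert _eq(esr.keys(), ["id_token_hint", "state", "post_logout_redirect_uri"])
 
 def test_construct_EndSessionRequest_kwargs_and_reqargs_state(self):
 self.client.grant["foo"] = Grant()
@@ -734,11 +735,29 @@ def test_construct_EndSessionRequest_kwargs_and_reqargs_state(self):
 self.client.grant["foo"].tokens.append(Token(resp))
 
 # state both in request_args and kwargs
-args = {"redirect_url": "http://example.com/end", "state": "req_args_state"}
+args = {
+"post_logout_redirect_uri": "http://example.com/end",
+"state": "req_args_state",
+}
 esr = self.client.construct_EndSessionRequest(state="foo", request_args=args)
-assert _eq(esr.keys(), ["id_token", "state", "redirect_url"])
+assert _eq(esr.keys(), ["id_token_hint", "state", "post_logout_redirect_uri"])
 assert esr["state"] == "req_args_state"
 
+def test_construct_EndSessionRequest_with_id_token_hint_and_post_logout_redirect_uri(
+self,
+):
+"""Should construct end session request using id_token_hint and post_logout_redirect_uri"""
+self.client.keyjar.add_kb(IDTOKEN["iss"], KC_SYM_S)
+_sig_key = self.client.keyjar.get_signing_key("oct", IDTOKEN["iss"])
+_signed_jwt = IDTOKEN.to_jwt(_sig_key, algorithm="HS256")
+
+args = {
+"post_logout_redirect_uri": "http://example.com/end",
+"id_token_hint": _signed_jwt,
+}
+esr = self.client.construct_EndSessionRequest(request_args=args)
+assert _eq(esr.keys(), ["id_token_hint", "post_logout_redirect_uri"])
+
 def test_construct_OpenIDRequest(self):
 request_args = {"response_type": "code id_token", "state": "af0ifjsldkj"}
 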
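Review bot: The new test `test_construct_EndSessionRequest_with_id_token_hint_and_post_logout_redirect_uri` checks only the key set, so it would still pass if the caller's hint were replaced by a different token from the grant store; add `assert esr["id_token_hint"] == _signed_jwt`. `test_do_end_session_request` no longer passes `state="state1"`, which leaves the case of an explicit `id_token_hint` together with a `state` untested, and nothing here calls either method with a non-default `prop`. The hint names the session to end, so the precedence between a supplied hint and a stored token deserves its own assertion.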