diff options
author | Frédéric Mangano-Tarumi <fmang@mg0.fr> | 2020-07-14 15:35:24 +0200 |
---|---|---|
committer | Lukas Fleischer <lfleischer@archlinux.org> | 2021-02-20 17:24:30 +0100 |
commit | 357dba87b3ee784a4201a7bb56befb105b81bbf5 (patch) | |
tree | 4b0ee555108107ad3eed1ea12f4519ea906c674a /aurweb/routers/sso.py | |
parent | 4d0f2d2279ed9fcdf6bb76015ac0da9c6e938d69 (diff) | |
download | aur-357dba87b3ee784a4201a7bb56befb105b81bbf5.tar.gz aur-357dba87b3ee784a4201a7bb56befb105b81bbf5.tar.xz |
Save id_token for the SSO logout
As far as I can see, Keycloak ignores it entirely. I can login in as SSO
user A, then disconnect from the SSO directly and reconnect as user B,
but when I disconnect user A from AUR, Keycloak disconnects B even
though AUR passed it an ID token for A.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'aurweb/routers/sso.py')
-rw-r--r-- | aurweb/routers/sso.py | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py index a8d4b141..04ecdca6 100644 --- a/aurweb/routers/sso.py +++ b/aurweb/routers/sso.py @@ -80,6 +80,11 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)): # TODO redirect to the referrer response.set_cookie(key="AURSID", value=sid, httponly=True, secure=request.url.scheme == "https") + if "id_token" in token: + # We save the id_token for the SSO logout. It’s not too important + # though, so if we can’t find it, we can live without it. + response.set_cookie(key="SSO_ID_TOKEN", value=token["id_token"], path="/sso/", + httponly=True, secure=request.url.scheme == "https") return response else: # We’ve got a severe integrity violation. @@ -87,7 +92,7 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)): @router.get("/sso/logout") -async def logout(): +async def logout(request: Request): """ Disconnect the user from the SSO provider, potentially affecting every other Arch service. AUR logout is performed by `/logout`, before it @@ -96,7 +101,13 @@ async def logout(): Based on the OpenID Connect Session Management specification: https://openid.net/specs/openid-connect-session-1_0.html#RPLogout """ + id_token = request.cookies.get("SSO_ID_TOKEN") + if not id_token: + return RedirectResponse("/") + metadata = await oauth.sso.load_server_metadata() - # TODO Supply id_token_hint to the end session endpoint. - query = urlencode({'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location')}) - return RedirectResponse(metadata["end_session_endpoint"] + '?' + query) + query = urlencode({'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location'), + 'id_token_hint': id_token}) + response = RedirectResponse(metadata["end_session_endpoint"] + '?' + query) + response.delete_cookie("SSO_ID_TOKEN", path="/sso/") + return response |