Save id_token for the SSO logout

As far as I can see, Keycloak ignores it entirely. I can log in as SSO
user A, then disconnect from the SSO directly and reconnect as user B,
but when I disconnect user A from AUR, Keycloak disconnects B even
though AUR passed it an ID token for A.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Frédéric Mangano-Tarumi 2020-07-14 15:35:24 +02:00 committed by Lukas Fleischer
parent 4d0f2d2279
commit 357dba87b3


@ -80,6 +80,11 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)):
# TODO redirect to the referrer # TODO redirect to the referrer
response.set_cookie(key="AURSID", value=sid, httponly=True, response.set_cookie(key="AURSID", value=sid, httponly=True,
secure=request.url.scheme == "https") secure=request.url.scheme == "https")
if "id_token" in token:
# We save the id_token for the SSO logout. Its not too important
# though, so if we cant find it, we can live without it.
response.set_cookie(key="SSO_ID_TOKEN", value=token["id_token"], path="/sso/",
httponly=True, secure=request.url.scheme == "https")
return response return response
else: else:
# Weve got a severe integrity violation. # Weve got a severe integrity violation.
@ -87,7 +92,7 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)):
@router.get("/sso/logout") @router.get("/sso/logout")
async def logout(): async def logout(request: Request):
""" """
Disconnect the user from the SSO provider, potentially affecting every Disconnect the user from the SSO provider, potentially affecting every
other Arch service. AUR logout is performed by `/logout`, before it other Arch service. AUR logout is performed by `/logout`, before it
@ -96,7 +101,13 @@ async def logout():
Based on the OpenID Connect Session Management specification: Based on the OpenID Connect Session Management specification:
https://openid.net/specs/openid-connect-session-1_0.html#RPLogout https://openid.net/specs/openid-connect-session-1_0.html#RPLogout
""" """
id_token = request.cookies.get("SSO_ID_TOKEN")
if not id_token:
return RedirectResponse("/")
metadata = await oauth.sso.load_server_metadata() metadata = await oauth.sso.load_server_metadata()
# TODO Supply id_token_hint to the end session endpoint. query = urlencode({'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location'),
query = urlencode({'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location')}) 'id_token_hint': id_token})
return RedirectResponse(metadata["end_session_endpoint"] + '?' + query) response = RedirectResponse(metadata["end_session_endpoint"] + '?' + query)
response.delete_cookie("SSO_ID_TOKEN", path="/sso/")
return response
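Review bot: The early return `if not id_token: return RedirectResponse("/")` in `logout()` silently skips the RP-initiated logout altogether when the cookie is missing, whereas the previous code still redirected to `end_session_endpoint` without a hint; any session that was established before this change (no `SSO_ID_TOKEN` cookie yet), or whose ID token the browser dropped, now never reaches Keycloak, and the comment on the login side says the token is "not too important ... we can live without it", which this branch contradicts. I would keep the redirect to the end-session endpoint and only add `id_token_hint` when it is available, as below. Two smaller points on the new cookie: it inherits `secure=request.url.scheme == "https"` from the `AURSID` line, which is only correct if the app sees the client's real scheme behind any reverse proxy (worth a `# NOTE: relies on proxy-forwarded scheme` or a config flag), and a Keycloak ID token with many claims can approach the ~4 KiB per-cookie limit, in which case the browser drops it and the logout falls into the no-hint path — another reason not to make the hint mandatory. The `authenticate` function in the first hunk starts outside the shown lines, and the `logout` docstring begins above the second hunk.
```python
id_token = request.cookies.get("SSO_ID_TOKEN")
metadata = await oauth.sso.load_server_metadata()
params = {'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location')}
if id_token:
    # Best effort: the hint lets the OP end the right session (Keycloak
    # otherwise ends whichever SSO session the browser currently holds).
    params['id_token_hint'] = id_token
query = urlencode(params)
# … unchanged: build RedirectResponse, delete SSO_ID_TOKEN cookie, return …
```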