[PATCH 4/4] Save id_token for the SSO logout

Frédéric Mangano-Tarumi fmang at mg0.fr
Tue Jul 14 13:35:24 UTC 2020 

As far as I can see, Keycloak ignores it entirely. I can login in as SSO
user A, then disconnect from the SSO directly and reconnect as user B,
but when I disconnect user A from AUR, Keycloak disconnects B even
though AUR passed it an ID token for A.
---
 aurweb/routers/sso.py | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py
index a8d4b141..04ecdca6 100644
--- a/aurweb/routers/sso.py
+++ b/aurweb/routers/sso.py
@@ -80,6 +80,11 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)):
         # TODO redirect to the referrer
         response.set_cookie(key="AURSID", value=sid, httponly=True,
                             secure=request.url.scheme == "https")
+        if "id_token" in token:
+            # We save the id_token for the SSO logout. It’s not too important
+            # though, so if we can’t find it, we can live without it.
+            response.set_cookie(key="SSO_ID_TOKEN", value=token["id_token"], path="/sso/",
+                                httponly=True, secure=request.url.scheme == "https")
         return response
     else:
         # We’ve got a severe integrity violation.
@@ -87,7 +92,7 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)):
 
 
 @router.get("/sso/logout")
-async def logout():
+async def logout(request: Request):
     """
     Disconnect the user from the SSO provider, potentially affecting every
     other Arch service. AUR logout is performed by `/logout`, before it
@@ -96,7 +101,13 @@ async def logout():
     Based on the OpenID Connect Session Management specification:
     https://openid.net/specs/openid-connect-session-1_0.html#RPLogout
     """
+    id_token = request.cookies.get("SSO_ID_TOKEN")
+    if not id_token:
+        return RedirectResponse("/")
+
     metadata = await oauth.sso.load_server_metadata()
-    # TODO Supply id_token_hint to the end session endpoint.
-    query = urlencode({'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location')})
-    return RedirectResponse(metadata["end_session_endpoint"] + '?' + query)
+    query = urlencode({'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location'),
+                       'id_token_hint': id_token})
+    response = RedirectResponse(metadata["end_session_endpoint"] + '?' + query)
+    response.delete_cookie("SSO_ID_TOKEN", path="/sso/")
+    return response
-- 
2.27.0

More information about the aur-dev mailing list