Add configuration to delete AccessTokens on Logout

Qup42 · dopry · commit 09e745d559ee · 2023-05-01T14:58:26.000-04:00
diff --git a/docs/settings.rst b/docs/settings.rst
@@ -334,6 +334,14 @@ Default: ``True``
 
 Whether expired ID tokens are accepted for RP-Initiated Logout. The Tokens must still be signed by the OP and otherwise valid.
 
+OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Default: ``True``
+
+Whether to delete the access, refresh and ID tokens of the user that is being logged out.
+The types of applications for which tokens are deleted can be customized with `RPInitiatedLogoutView.token_types_to_delete`.
+The default is to delete the tokens of all applications if this flag is enabled.
+
 OIDC_ISS_ENDPOINT
 ~~~~~~~~~~~~~~~~~
 Default: ``""``
diff --git a/oauth2_provider/settings.py b/oauth2_provider/settings.py
@@ -91,6 +91,7 @@
     "OIDC_RP_INITIATED_LOGOUT_ENABLED": False,
     "OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT": True,
     "OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS": True,
+    "OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS": True,
     # Special settings that will be evaluated at runtime
     "_SCOPES": [],
     "_DEFAULT_SCOPES": [],
diff --git a/oauth2_provider/views/oidc.py b/oauth2_provider/views/oidc.py
@@ -22,7 +22,12 @@
 )
 from ..forms import ConfirmLogoutForm
 from ..http import OAuth2ResponseRedirect
-from ..models import get_application_model, get_id_token_model
+from ..models import (
+    get_access_token_model,
+    get_application_model,
+    get_id_token_model,
+    get_refresh_token_model,
+)
 from ..settings import oauth2_settings
 from .mixins import OAuthLibMixin, OIDCLogoutOnlyMixin, OIDCOnlyMixin
 
@@ -260,6 +265,10 @@ def validate_logout_request(request, id_token_hint, client_id, post_logout_redir
 class RPInitiatedLogoutView(OIDCLogoutOnlyMixin, FormView):
     template_name = "oauth2_provider/logout_confirm.html"
     form_class = ConfirmLogoutForm
+    token_types_to_delete = [
+        Application.CLIENT_PUBLIC,
+        Application.CLIENT_CONFIDENTIAL,
+    ]
 
     def get_initial(self):
         return {
@@ -330,7 +339,29 @@ def form_valid(self, form):
             return self.error_response(error)
 
     def do_logout(self, application=None, post_logout_redirect_uri=None, state=None):
+        # Delete Access Tokens
+        if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS:
+            AccessToken = get_access_token_model()
+            RefreshToken = get_refresh_token_model()
+            access_tokens_to_delete = AccessToken.objects.filter(
+                user=self.request.user, application__client_type__in=self.token_types_to_delete
+            )
+            # This queryset has to be evaluated eagerly. The queryset would be empty with lazy evaluation
+            # because `access_tokens_to_delete` represents an empty queryset once `refresh_tokens_to_delete`
+            # is evaluated as all AccessTokens have been deleted.
+            refresh_tokens_to_delete = list(
+                RefreshToken.objects.filter(access_token__in=access_tokens_to_delete)
+            )
+            for token in access_tokens_to_delete:
+                # Delete the token and its corresponding refresh and IDTokens.
+                if token.id_token:
+                    token.id_token.revoke()
+                token.revoke()
+            for refresh_token in refresh_tokens_to_delete:
+                refresh_token.revoke()
+        # Logout in Django
         logout(self.request)
+        # Redirect
         if post_logout_redirect_uri:
             if state:
                 return OAuth2ResponseRedirect(
diff --git a/tests/presets.py b/tests/presets.py
@@ -33,6 +33,8 @@
 OIDC_SETTINGS_RP_LOGOUT["OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT"] = False
 OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED = deepcopy(OIDC_SETTINGS_RP_LOGOUT)
 OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED["OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS"] = False
+OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS = deepcopy(OIDC_SETTINGS_RP_LOGOUT)
+OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS["OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS"] = False
 REST_FRAMEWORK_SCOPES = {
     "SCOPES": {
         "read": "Read scope",
diff --git a/tests/test_oidc_views.py b/tests/test_oidc_views.py
@@ -3,9 +3,10 @@
 from django.contrib.auth.models import AnonymousUser
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
+from django.utils import timezone
 
 from oauth2_provider.exceptions import ClientIdMissmatch, InvalidOIDCClientError, InvalidOIDCRedirectURIError
-from oauth2_provider.models import get_id_token_model
+from oauth2_provider.models import get_access_token_model, get_id_token_model, get_refresh_token_model
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from oauth2_provider.settings import oauth2_settings
 from oauth2_provider.views.oidc import _load_id_token, _validate_claims, validate_logout_request
@@ -474,6 +475,58 @@ def test_userinfo_endpoint_bad_token(oidc_tokens, client):
     assert rsp.status_code == 401
 
 
+@pytest.mark.django_db
+def test_token_deletion_on_logout(oidc_tokens, loggend_in_client, rp_settings):
+    AccessToken = get_access_token_model()
+    IDToken = get_id_token_model()
+    RefreshToken = get_refresh_token_model()
+    assert AccessToken.objects.count() == 1
+    assert IDToken.objects.count() == 1
+    assert RefreshToken.objects.count() == 1
+    rsp = loggend_in_client.get(
+        reverse("oauth2_provider:rp-initiated-logout"),
+        data={
+            "id_token_hint": oidc_tokens.id_token,
+            "client_id": oidc_tokens.application.client_id,
+        },
+    )
+    assert rsp.status_code == 302
+    assert not is_logged_in(loggend_in_client)
+    # Check that all tokens have either been deleted or expired.
+    assert all([token.is_expired() for token in AccessToken.objects.all()])
+    assert all([token.is_expired() for token in IDToken.objects.all()])
+    assert all([token.revoked <= timezone.now() for token in RefreshToken.objects.all()])
+
+
+@pytest.mark.django_db
+@pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS)
+def test_token_deletion_on_logout_disabled(oidc_tokens, loggend_in_client, rp_settings):
+    rp_settings.OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS = False
+
+    AccessToken = get_access_token_model()
+    IDToken = get_id_token_model()
+    RefreshToken = get_refresh_token_model()
+    assert AccessToken.objects.count() == 1
+    assert IDToken.objects.count() == 1
+    assert RefreshToken.objects.count() == 1
+    rsp = loggend_in_client.get(
+        reverse("oauth2_provider:rp-initiated-logout"),
+        data={
+            "id_token_hint": oidc_tokens.id_token,
+            "client_id": oidc_tokens.application.client_id,
+        },
+    )
+    assert rsp.status_code == 302
+    assert not is_logged_in(loggend_in_client)
+    # Check that the tokens have not been expired or deleted.
+    assert AccessToken.objects.count() == 1
+    assert not any([token.is_expired() for token in AccessToken.objects.all()])
+    assert IDToken.objects.count() == 1
+    assert not any([token.is_expired() for token in IDToken.objects.all()])
+    assert RefreshToken.objects.count() == 1
+    assert not any([token.revoked is not None for token in RefreshToken.objects.all()])
+
+
 EXAMPLE_EMAIL = "example.email@example.com"
 
 
