Add configuration option to accept expired tokens

Author: Qup42

docs/settings.rst

@@ -328,6 +328,12 @@ Default: ``True``
 Whether to always prompt the :term:`Resource Owner` (End User) to confirm a logout requested by a
 :term:`Client` (Relying Party). If it is disabled the :term:`Resource Owner` (End User) will only be prompted if required by the standard.
 
+OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Default: ``True``
+
+Whether expired ID tokens are accepted for RP-Initiated Logout. The Tokens must still be signed by the OP and otherwise valid.
+
 OIDC_ISS_ENDPOINT
 ~~~~~~~~~~~~~~~~~
 Default: ``""``

oauth2_provider/settings.py

@@ -90,6 +90,7 @@
     ],
     "OIDC_RP_INITIATED_LOGOUT_ENABLED": False,
     "OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT": True,
+    "OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS": True,
     # Special settings that will be evaluated at runtime
     "_SCOPES": [],
     "_DEFAULT_SCOPES": [],

oauth2_provider/views/oidc.py

@@ -7,7 +7,9 @@
 from django.utils.decorators import method_decorator
 from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import FormView, View
-from jwcrypto import jwk
+from jwcrypto import jwk, jwt
+from jwcrypto.common import JWException
+from jwcrypto.jwt import JWTExpired
 from oauthlib.common import add_params_to_uri
 
 from ..exceptions import (
@@ -20,7 +22,7 @@
 )
 from ..forms import ConfirmLogoutForm
 from ..http import OAuth2ResponseRedirect
-from ..models import get_application_model
+from ..models import get_application_model, get_id_token_model
 from ..settings import oauth2_settings
 from .mixins import OAuthLibMixin, OIDCLogoutOnlyMixin, OIDCOnlyMixin
 
@@ -142,7 +144,50 @@ def _create_userinfo_response(self, request):
         return response
 
 
-def validate_logout_request(user, id_token_hint, client_id, post_logout_redirect_uri):
+def _load_id_token(request, token):
+    """
+    Loads an IDToken given its string representation for use with RP-Initiated Logout.
+    This method differs from `oauth2_validators._load_id_token` in two ways.
+    This method validates the `iss` claim and might accept expired but otherwise valid tokens
+    depending on the configuration.
+    """
+    IDToken = get_id_token_model()
+    validator = oauth2_settings.OAUTH2_VALIDATOR_CLASS()
+
+    key = validator._get_key_for_token(token)
+    if not key:
+        return None
+
+    try:
+        if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS:
+            # Only check the following while loading the JWT
+            # - claims are dict
+            # - the Claims defined in RFC7519 if present have the correct type (string, integer, etc.)
+            # The claim contents are not validated. `exp` and `nbf` in particular are not validated.
+            check_claims = {}
+        else:
+            # Also validate the `exp` (expiration time) and `nbf` (not before) claims.
+            check_claims = None
+        jwt_token = jwt.JWT(key=key, jwt=token, check_claims=check_claims)
+        claims = json.loads(jwt_token.claims)
+
+        # Verification of `iss` claim is mandated by OIDC RP-Initiated Logout specs.
+        if claims["iss"] != validator.get_oidc_issuer_endpoint(request):
+            # IDToken was not issued by this OP.
+            return None
+
+        # Assumption: the `sub` claim and `user` property of the corresponding IDToken Object point to the
+        # same user.
+        # To verify that the IDToken was intended for the user it is therefore sufficient to check the `user`
+        # attribute on the IDToken Object later on.
+
+        return IDToken.objects.get(jti=claims["jti"])
+
+    except (JWException, JWTExpired, IDToken.DoesNotExist):
+        return None
+
+
+def validate_logout_request(request, id_token_hint, client_id, post_logout_redirect_uri):
     """
     Validate an OIDC RP-Initiated Logout Request.
     `(prompt_logout, (post_logout_redirect_uri, application))` is returned.
@@ -156,19 +201,18 @@ def validate_logout_request(user, id_token_hint, client_id, post_logout_redirect
     The `id_token_hint` will be validated if given. If both `client_id` and `id_token_hint` are given they
     will be validated against each other.
     """
-    validator = oauth2_settings.OAUTH2_VALIDATOR_CLASS()
 
     id_token = None
     must_prompt_logout = True
     if id_token_hint:
         # Note: The standard states that expired tokens should still be accepted.
         # This implementation only accepts tokens that are still valid.
-        id_token = validator._load_id_token(id_token_hint)
+        id_token = _load_id_token(request, id_token_hint)
 
         if not id_token:
             raise InvalidIDTokenError()
 
-        if id_token.user == user:
+        if id_token.user == request.user:
             # A logout without user interaction (i.e. no prompt) is only allowed
             # if an ID Token is provided that matches the current user.
             must_prompt_logout = False
@@ -232,7 +276,7 @@ def get(self, request, *args, **kwargs):
 
         try:
             prompt, (redirect_uri, application) = validate_logout_request(
-                user=request.user,
+                request=request,
                 id_token_hint=id_token_hint,
                 client_id=client_id,
                 post_logout_redirect_uri=post_logout_redirect_uri,
@@ -264,7 +308,7 @@ def form_valid(self, form):
 
         try:
             prompt, (redirect_uri, application) = validate_logout_request(
-                user=self.request.user,
+                request=self.request,
                 id_token_hint=id_token_hint,
                 client_id=client_id,
                 post_logout_redirect_uri=post_logout_redirect_uri,

tests/conftest.py

@@ -1,13 +1,16 @@
+import uuid
+from datetime import timedelta
 from types import SimpleNamespace
 from urllib.parse import parse_qs, urlparse
 
 import pytest
 from django.conf import settings as test_settings
 from django.contrib.auth import get_user_model
 from django.urls import reverse
-from jwcrypto import jwk
+from django.utils import dateformat, timezone
+from jwcrypto import jwk, jwt
 
-from oauth2_provider.models import get_application_model
+from oauth2_provider.models import get_application_model, get_id_token_model
 from oauth2_provider.settings import oauth2_settings as _oauth2_settings
 
 from . import presets
@@ -196,6 +199,52 @@ def generate_access_token(oauth2_settings, application, test_user, client, setti
     )
 
 
+@pytest.fixture
+def expired_id_token(oauth2_settings, oidc_key, test_user, application):
+    payload = generate_id_token_payload(oauth2_settings, application, oidc_key)
+    return generate_id_token(test_user, payload, oidc_key, application)
+
+
+@pytest.fixture
+def id_token_wrong_aud(oauth2_settings, oidc_key, test_user, application):
+    payload = generate_id_token_payload(oauth2_settings, application, oidc_key)
+    payload[1]["aud"] = ""
+    return generate_id_token(test_user, payload, oidc_key, application)
+
+
+@pytest.fixture
+def id_token_wrong_iss(oauth2_settings, oidc_key, test_user, application):
+    payload = generate_id_token_payload(oauth2_settings, application, oidc_key)
+    payload[1]["iss"] = ""
+    return generate_id_token(test_user, payload, oidc_key, application)
+
+
+def generate_id_token_payload(oauth2_settings, application, oidc_key):
+    # Default leeway of JWT in jwcrypto is 60 seconds. This means that tokens that expired up to 60 seconds
+    # ago are still accepted.
+    expiration_time = timezone.now() - timedelta(seconds=61)
+    # Calculate values for the IDToken
+    exp = int(dateformat.format(expiration_time, "U"))
+    jti = str(uuid.uuid4())
+    aud = application.client_id
+    iss = oauth2_settings.OIDC_ISS_ENDPOINT
+    # Construct and sign the IDToken
+    header = {"typ": "JWT", "alg": "RS256", "kid": oidc_key.thumbprint()}
+    id_token = {"exp": exp, "jti": jti, "aud": aud, "iss": iss}
+    return header, id_token, jti, expiration_time
+
+
+def generate_id_token(user, payload, oidc_key, application):
+    header, id_token, jti, expiration_time = payload
+    jwt_token = jwt.JWT(header=header, claims=id_token)
+    jwt_token.make_signed_token(oidc_key)
+    # Save the IDToken in the DB. Required for later lookups from e.g. RP-Initiated Logout.
+    IDToken = get_id_token_model()
+    IDToken.objects.create(user=user, scope="", expires=expiration_time, jti=jti, application=application)
+    # Return the token as a string.
+    return jwt_token.token.serialize(compact=True)
+
+
 @pytest.fixture
 def oidc_tokens(oauth2_settings, application, test_user, client):
     return generate_access_token(

tests/presets.py

@@ -31,6 +31,8 @@
 OIDC_SETTINGS_RP_LOGOUT = deepcopy(OIDC_SETTINGS_RW)
 OIDC_SETTINGS_RP_LOGOUT["OIDC_RP_INITIATED_LOGOUT_ENABLED"] = True
 OIDC_SETTINGS_RP_LOGOUT["OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT"] = False
+OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED = deepcopy(OIDC_SETTINGS_RP_LOGOUT)
+OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED["OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS"] = False
 REST_FRAMEWORK_SCOPES = {
     "SCOPES": {
         "read": "Read scope",

tests/test_oidc_views.py

@@ -1,12 +1,14 @@
 import pytest
 from django.contrib.auth import get_user
-from django.test import TestCase
+from django.contrib.auth.models import AnonymousUser
+from django.test import RequestFactory, TestCase
 from django.urls import reverse
 
 from oauth2_provider.exceptions import ClientIdMissmatch, InvalidOIDCClientError, InvalidOIDCRedirectURIError
+from oauth2_provider.models import get_id_token_model
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from oauth2_provider.settings import oauth2_settings
-from oauth2_provider.views.oidc import validate_logout_request
+from oauth2_provider.views.oidc import _load_id_token, validate_logout_request
 
 from . import presets
 
@@ -165,6 +167,22 @@ def test_get_jwks_info_multiple_rsa_keys(self):
         assert response.json() == expected_response
 
 
+def mock_request():
+    """
+    Dummy request with an AnonymousUser attached.
+    """
+    return mock_request_for(AnonymousUser())
+
+
+def mock_request_for(user):
+    """
+    Dummy request with the `user` attached.
+    """
+    request = RequestFactory().get("")
+    request.user = user
+    return request
+
+
 @pytest.mark.django_db
 @pytest.mark.parametrize("ALWAYS_PROMPT", [True, False])
 def test_validate_logout_request(oidc_tokens, public_application, other_user, rp_settings, ALWAYS_PROMPT):
@@ -174,66 +192,72 @@ def test_validate_logout_request(oidc_tokens, public_application, other_user, rp
     client_id = application.client_id
     id_token = oidc_tokens.id_token
     assert validate_logout_request(
-        user=oidc_tokens.user, id_token_hint=None, client_id=None, post_logout_redirect_uri=None
+        request=mock_request_for(oidc_tokens.user),
+        id_token_hint=None,
+        client_id=None,
+        post_logout_redirect_uri=None,
     ) == (True, (None, None))
     assert validate_logout_request(
-        user=oidc_tokens.user, id_token_hint=None, client_id=client_id, post_logout_redirect_uri=None
+        request=mock_request_for(oidc_tokens.user),
+        id_token_hint=None,
+        client_id=client_id,
+        post_logout_redirect_uri=None,
     ) == (True, (None, application))
     assert validate_logout_request(
-        user=oidc_tokens.user,
+        request=mock_request_for(oidc_tokens.user),
         id_token_hint=None,
         client_id=client_id,
         post_logout_redirect_uri="http://example.org",
     ) == (True, ("http://example.org", application))
     assert validate_logout_request(
-        user=oidc_tokens.user,
+        request=mock_request_for(oidc_tokens.user),
         id_token_hint=id_token,
         client_id=None,
         post_logout_redirect_uri="http://example.org",
     ) == (ALWAYS_PROMPT, ("http://example.org", application))
     assert validate_logout_request(
-        user=other_user,
+        request=mock_request_for(other_user),
         id_token_hint=id_token,
         client_id=None,
         post_logout_redirect_uri="http://example.org",
     ) == (True, ("http://example.org", application))
     assert validate_logout_request(
-        user=oidc_tokens.user,
+        request=mock_request_for(oidc_tokens.user),
         id_token_hint=id_token,
         client_id=client_id,
         post_logout_redirect_uri="http://example.org",
     ) == (ALWAYS_PROMPT, ("http://example.org", application))
     with pytest.raises(ClientIdMissmatch):
         validate_logout_request(
-            user=oidc_tokens.user,
+            request=mock_request_for(oidc_tokens.user),
             id_token_hint=id_token,
             client_id=public_application.client_id,
             post_logout_redirect_uri="http://other.org",
         )
     with pytest.raises(InvalidOIDCClientError):
         validate_logout_request(
-            user=oidc_tokens.user,
+            request=mock_request_for(oidc_tokens.user),
             id_token_hint=None,
             client_id=None,
             post_logout_redirect_uri="http://example.org",
         )
     with pytest.raises(InvalidOIDCRedirectURIError):
         validate_logout_request(
-            user=oidc_tokens.user,
+            request=mock_request_for(oidc_tokens.user),
             id_token_hint=None,
             client_id=client_id,
             post_logout_redirect_uri="example.org",
         )
     with pytest.raises(InvalidOIDCRedirectURIError):
         validate_logout_request(
-            user=oidc_tokens.user,
+            request=mock_request_for(oidc_tokens.user),
             id_token_hint=None,
             client_id=client_id,
             post_logout_redirect_uri="imap://example.org",
         )
     with pytest.raises(InvalidOIDCRedirectURIError):
         validate_logout_request(
-            user=oidc_tokens.user,
+            request=mock_request_for(oidc_tokens.user),
             id_token_hint=None,
             client_id=client_id,
             post_logout_redirect_uri="http://other.org",
@@ -354,6 +378,60 @@ def test_rp_initiated_logout_post_allowed(loggend_in_client, oidc_tokens, rp_set
     assert not is_logged_in(loggend_in_client)
 
 
+@pytest.mark.django_db
+@pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_RP_LOGOUT)
+def test_rp_initiated_logout_expired_tokens_accept(loggend_in_client, application, expired_id_token):
+    # Accepting expired (but otherwise valid and signed by us) tokens is enabled. Logout should go through.
+    rsp = loggend_in_client.get(
+        reverse("oauth2_provider:rp-initiated-logout"),
+        data={
+            "id_token_hint": expired_id_token,
+            "client_id": application.client_id,
+        },
+    )
+    assert rsp.status_code == 302
+    assert not is_logged_in(loggend_in_client)
+
+
+@pytest.mark.django_db
+@pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED)
+def test_rp_initiated_logout_expired_tokens_deny(loggend_in_client, application, expired_id_token):
+    # Expired tokens should not be accepted by default.
+    rsp = loggend_in_client.get(
+        reverse("oauth2_provider:rp-initiated-logout"),
+        data={
+            "id_token_hint": expired_id_token,
+            "client_id": application.client_id,
+        },
+    )
+    assert rsp.status_code == 400
+    assert is_logged_in(loggend_in_client)
+
+
+@pytest.mark.django_db
+@pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_RP_LOGOUT)
+def test_load_id_token_accept_expired(expired_id_token):
+    assert isinstance(_load_id_token(mock_request(), expired_id_token), get_id_token_model())
+
+
+@pytest.mark.django_db
+@pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_RP_LOGOUT)
+def test_load_id_token_wrong_aud(id_token_wrong_aud):
+    assert _load_id_token(mock_request(), id_token_wrong_aud) is None
+
+
+@pytest.mark.django_db
+@pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_RP_LOGOUT)
+def test_load_id_token_wrong_iss(id_token_wrong_iss):
+    assert _load_id_token(mock_request(), id_token_wrong_iss) is None
+
+
+@pytest.mark.django_db
+@pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED)
+def test_load_id_token_deny_expired(expired_id_token):
+    assert _load_id_token(mock_request(), expired_id_token) is None
+
+
 @pytest.mark.django_db
 @pytest.mark.parametrize("method", ["get", "post"])
 def test_userinfo_endpoint(oidc_tokens, client, method):