Add Tests and Documentation for option to disable http post logout URIs

Qup42 · Qup42 · commit 3f7ecd7dc8a1 · 2023-05-12T15:18:29.000+02:00
diff --git a/docs/advanced_topics.rst b/docs/advanced_topics.rst
@@ -20,6 +20,7 @@ logo, acceptance of some user agreement and so on.
     * :attr:`client_id` The client identifier issued to the client during the registration process as described in :rfc:`2.2`
     * :attr:`user` ref to a Django user
     * :attr:`redirect_uris` The list of allowed redirect uri. The string consists of valid URLs separated by space
+    * :attr:`post_logout_redirect_uris` The list of allowed redirect uris after an RP initiated logout. The string consists of valid URLs separated by space
     * :attr:`client_type` Client type as described in :rfc:`2.1`
     * :attr:`authorization_grant_type` Authorization flows available to the Application
     * :attr:`client_secret` Confidential secret issued to the client during the registration process as described in :rfc:`2.2`
diff --git a/docs/management_commands.rst b/docs/management_commands.rst
@@ -38,6 +38,7 @@ The ``createapplication`` management command provides a shortcut to create a new
 
     usage: manage.py createapplication [-h] [--client-id CLIENT_ID] [--user USER]
                                        [--redirect-uris REDIRECT_URIS]
+                                       [--post-logout-redirect-uris POST_LOGOUT_REDIRECT_URIS]
                                        [--client-secret CLIENT_SECRET]
                                        [--name NAME] [--skip-authorization]
                                        [--algorithm ALGORITHM] [--version]
@@ -64,6 +65,9 @@ The ``createapplication`` management command provides a shortcut to create a new
       --redirect-uris REDIRECT_URIS
                             The redirect URIs, this must be a space separated
                             string e.g 'URI1 URI2'
+      --post-logout-redirect-uris POST_LOGOUT_REDIRECT_URIS
+                            The post logout redirect URIs, this must be a space
+                            separated string e.g 'URI1 URI2'
       --client-secret CLIENT_SECRET
                             The secret for this application
       --name NAME           The name this application
diff --git a/oauth2_provider/management/commands/createapplication.py b/oauth2_provider/management/commands/createapplication.py
@@ -37,6 +37,12 @@ def add_arguments(self, parser):
             type=str,
             help="The redirect URIs, this must be a space separated string e.g 'URI1 URI2'",
         )
+        parser.add_argument(
+            "--post-logout-redirect-uris",
+            type=str,
+            help="The post logout redirect URIs, this must be a space separated string e.g 'URI1 URI2'",
+            default="",
+        )
         parser.add_argument(
             "--client-secret",
             type=str,
diff --git a/oauth2_provider/models.py b/oauth2_provider/models.py
@@ -52,6 +52,9 @@ class AbstractApplication(models.Model):
     * :attr:`user` ref to a Django user
     * :attr:`redirect_uris` The list of allowed redirect uri. The string
                             consists of valid URLs separated by space
+    * :attr:`post_logout_redirect_uris` The list of allowed redirect uris after
+                                        an RP initiated logout. The string
+                                        consists of valid URLs separated by space
     * :attr:`client_type` Client type as described in :rfc:`2.1`
     * :attr:`authorization_grant_type` Authorization flows available to the
                                        Application
diff --git a/tests/presets.py b/tests/presets.py
@@ -31,6 +31,8 @@
 OIDC_SETTINGS_RP_LOGOUT = deepcopy(OIDC_SETTINGS_RW)
 OIDC_SETTINGS_RP_LOGOUT["OIDC_RP_INITIATED_LOGOUT_ENABLED"] = True
 OIDC_SETTINGS_RP_LOGOUT["OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT"] = False
+OIDC_SETTINGS_RP_LOGOUT_STRICT_REDIRECT_URI = deepcopy(OIDC_SETTINGS_RP_LOGOUT)
+OIDC_SETTINGS_RP_LOGOUT_STRICT_REDIRECT_URI["OIDC_RP_INITIATED_LOGOUT_STRICT_REDIRECT_URIS"] = True
 OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED = deepcopy(OIDC_SETTINGS_RP_LOGOUT)
 OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED["OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS"] = False
 OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS = deepcopy(OIDC_SETTINGS_RP_LOGOUT)
diff --git a/tests/test_oidc_views.py b/tests/test_oidc_views.py
@@ -343,6 +343,23 @@ def test_rp_initiated_logout_get_id_token_missmatch_client_id(
 def test_rp_initiated_logout_public_client_redirect_client_id(
     loggend_in_client, oidc_non_confidential_tokens, public_application, rp_settings
 ):
+    rsp = loggend_in_client.get(
+        reverse("oauth2_provider:rp-initiated-logout"),
+        data={
+            "id_token_hint": oidc_non_confidential_tokens.id_token,
+            "client_id": public_application.client_id,
+            "post_logout_redirect_uri": "http://other.org",
+        },
+    )
+    assert rsp.status_code == 302
+    assert not is_logged_in(loggend_in_client)
+
+
+@pytest.mark.django_db
+def test_rp_initiated_logout_public_client_strict_redirect_client_id(
+    loggend_in_client, oidc_non_confidential_tokens, public_application, oauth2_settings
+):
+    oauth2_settings.update(presets.OIDC_SETTINGS_RP_LOGOUT_STRICT_REDIRECT_URI)
     rsp = loggend_in_client.get(
         reverse("oauth2_provider:rp-initiated-logout"),
         data={
