@@ -385,6 +385,27 @@ def validate_post_logout_redirect_uri(self, application, post_logout_redirect_ur
385385 if not application .post_logout_redirect_uri_allowed (post_logout_redirect_uri ):
386386 raise InvalidOIDCRedirectURIError ("This client does not have this redirect uri registered." )
387387
388+ def validate_logout_request_user (self , id_token_hint , client_id ):
389+ """
390+ Validate the an OIDC RP-Initiated Logout Request user
391+ """
392+
393+ if not id_token_hint :
394+ return
395+
396+ # Only basic validation has been done on the IDToken at this point.
397+ id_token , claims = _load_id_token (id_token_hint )
398+
399+ if not id_token or not _validate_claims (self .request , claims ):
400+ raise InvalidIDTokenError ()
401+
402+ # If both id_token_hint and client_id are given it must be verified that they match.
403+ if client_id :
404+ if id_token .application .client_id != client_id :
405+ raise ClientIdMissmatch ()
406+
407+ return id_token
408+
388409 def validate_logout_request (self , id_token_hint , client_id , post_logout_redirect_uri ):
389410 """
390411 Validate an OIDC RP-Initiated Logout Request.
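Review bot: The docstring on the added `validate_logout_request_user` is ungrammatical ("Validate the an") and omits the contract that callers and overriding subclasses now rely on: it returns nothing when no `id_token_hint` is supplied, returns the loaded ID token otherwise, and raises `InvalidIDTokenError` or `ClientIdMissmatch` on failure. Since the token/`client_id` match is now enforced only inside this separately overridable method, an override that returns `None` would presumably be treated by `validate_logout_request` as "no hint given", so the docstring should state that this check lives here. I would reword the summary to `Validate the id_token_hint of an OIDC RP-Initiated Logout Request and return the matching IDToken, or None if no hint was given.` and make the early exit an explicit `return None` to match the later `return id_token`. The name says "user" although the method returns a token, which is worth a sentence in the docstring too; the body of `validate_logout_request` continues outside this hunk.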
@@ -397,18 +418,7 @@ def validate_logout_request(self, id_token_hint, client_id, post_logout_redirect
397418 will be validated against each other.
398419 """
399420
400- id_token = None
401- if id_token_hint :
402- # Only basic validation has been done on the IDToken at this point.
403- id_token , claims = _load_id_token (id_token_hint )
404-
405- if not id_token or not _validate_claims (self .request , claims ):
406- raise InvalidIDTokenError ()
407-
408- # If both id_token_hint and client_id are given it must be verified that they match.
409- if client_id :
410- if id_token .application .client_id != client_id :
411- raise ClientIdMissmatch ()
421+ id_token = self .validate_logout_request_user (id_token_hint , client_id )
412422
413423 application = None
414424 # Determine the application that is requesting the logout.