logout refactor: deprecate old validate_logout_request

tonial · tonial · commit a1a0d5da0a07 · 2023-09-15T15:00:34.000+02:00
diff --git a/oauth2_provider/views/oidc.py b/oauth2_provider/views/oidc.py
@@ -1,4 +1,5 @@
 import json
+import warnings
 from urllib.parse import urlparse
 
 from django.contrib.auth import logout
@@ -209,6 +210,76 @@ def _validate_claims(request, claims):
     return True
 
 
+def validate_logout_request(request, id_token_hint, client_id, post_logout_redirect_uri):
+    """
+    Validate an OIDC RP-Initiated Logout Request.
+    `(prompt_logout, (post_logout_redirect_uri, application), token_user)` is returned.
+
+    `prompt_logout` indicates whether the logout has to be confirmed by the user. This happens if the
+    specifications force a confirmation, or it is enabled by `OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT`.
+    `post_logout_redirect_uri` is the validated URI where the User should be redirected to after the
+    logout. Can be None. None will redirect to "/" of this app. If it is set `application` will also
+    be set to the Application that is requesting the logout. `token_user` is the id_token user, which will
+    used to revoke the tokens if found.
+
+    The `id_token_hint` will be validated if given. If both `client_id` and `id_token_hint` are given they
+    will be validated against each other.
+    """
+
+    warnings.warn("This method is deprecated and will be removed in version 2.5.0.", DeprecationWarning)
+
+    id_token = None
+    must_prompt_logout = True
+    token_user = None
+    if id_token_hint:
+        # Only basic validation has been done on the IDToken at this point.
+        id_token, claims = _load_id_token(id_token_hint)
+
+        if not id_token or not _validate_claims(request, claims):
+            raise InvalidIDTokenError()
+
+        token_user = id_token.user
+
+        if id_token.user == request.user:
+            # A logout without user interaction (i.e. no prompt) is only allowed
+            # if an ID Token is provided that matches the current user.
+            must_prompt_logout = False
+
+        # If both id_token_hint and client_id are given it must be verified that they match.
+        if client_id:
+            if id_token.application.client_id != client_id:
+                raise ClientIdMissmatch()
+
+    # The standard states that a prompt should always be shown.
+    # This behaviour can be configured with OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT.
+    prompt_logout = must_prompt_logout or oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT
+
+    application = None
+    # Determine the application that is requesting the logout.
+    if client_id:
+        application = get_application_model().objects.get(client_id=client_id)
+    elif id_token:
+        application = id_token.application
+
+    # Validate `post_logout_redirect_uri`
+    if post_logout_redirect_uri:
+        if not application:
+            raise InvalidOIDCClientError()
+        scheme = urlparse(post_logout_redirect_uri)[0]
+        if not scheme:
+            raise InvalidOIDCRedirectURIError("A Scheme is required for the redirect URI.")
+        if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_STRICT_REDIRECT_URIS and (
+            scheme == "http" and application.client_type != "confidential"
+        ):
+            raise InvalidOIDCRedirectURIError("http is only allowed with confidential clients.")
+        if scheme not in application.get_allowed_schemes():
+            raise InvalidOIDCRedirectURIError(f'Redirect to scheme "{scheme}" is not permitted.')
+        if not application.post_logout_redirect_uri_allowed(post_logout_redirect_uri):
+            raise InvalidOIDCRedirectURIError("This client does not have this redirect uri registered.")
+
+    return prompt_logout, (post_logout_redirect_uri, application), token_user
+
+
 class RPInitiatedLogoutView(OIDCLogoutOnlyMixin, FormView):
     template_name = "oauth2_provider/logout_confirm.html"
     form_class = ConfirmLogoutForm
diff --git a/tests/test_oidc_views.py b/tests/test_oidc_views.py
@@ -14,6 +14,7 @@
     RPInitiatedLogoutView,
     _load_id_token,
     _validate_claims,
+    validate_logout_request,
 )
 
 from . import presets
@@ -189,6 +190,89 @@ def mock_request_for(user):
     return request
 
 
+@pytest.mark.django_db
+@pytest.mark.parametrize("ALWAYS_PROMPT", [True, False])
+def test_deprecated_validate_logout_request(
+    oidc_tokens, public_application, other_user, rp_settings, ALWAYS_PROMPT
+):
+    rp_settings.OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT = ALWAYS_PROMPT
+    oidc_tokens = oidc_tokens
+    application = oidc_tokens.application
+    client_id = application.client_id
+    id_token = oidc_tokens.id_token
+    assert validate_logout_request(
+        request=mock_request_for(oidc_tokens.user),
+        id_token_hint=None,
+        client_id=None,
+        post_logout_redirect_uri=None,
+    ) == (True, (None, None), None)
+    assert validate_logout_request(
+        request=mock_request_for(oidc_tokens.user),
+        id_token_hint=None,
+        client_id=client_id,
+        post_logout_redirect_uri=None,
+    ) == (True, (None, application), None)
+    assert validate_logout_request(
+        request=mock_request_for(oidc_tokens.user),
+        id_token_hint=None,
+        client_id=client_id,
+        post_logout_redirect_uri="http://example.org",
+    ) == (True, ("http://example.org", application), None)
+    assert validate_logout_request(
+        request=mock_request_for(oidc_tokens.user),
+        id_token_hint=id_token,
+        client_id=None,
+        post_logout_redirect_uri="http://example.org",
+    ) == (ALWAYS_PROMPT, ("http://example.org", application), oidc_tokens.user)
+    assert validate_logout_request(
+        request=mock_request_for(other_user),
+        id_token_hint=id_token,
+        client_id=None,
+        post_logout_redirect_uri="http://example.org",
+    ) == (True, ("http://example.org", application), oidc_tokens.user)
+    assert validate_logout_request(
+        request=mock_request_for(oidc_tokens.user),
+        id_token_hint=id_token,
+        client_id=client_id,
+        post_logout_redirect_uri="http://example.org",
+    ) == (ALWAYS_PROMPT, ("http://example.org", application), oidc_tokens.user)
+    with pytest.raises(ClientIdMissmatch):
+        validate_logout_request(
+            request=mock_request_for(oidc_tokens.user),
+            id_token_hint=id_token,
+            client_id=public_application.client_id,
+            post_logout_redirect_uri="http://other.org",
+        )
+    with pytest.raises(InvalidOIDCClientError):
+        validate_logout_request(
+            request=mock_request_for(oidc_tokens.user),
+            id_token_hint=None,
+            client_id=None,
+            post_logout_redirect_uri="http://example.org",
+        )
+    with pytest.raises(InvalidOIDCRedirectURIError):
+        validate_logout_request(
+            request=mock_request_for(oidc_tokens.user),
+            id_token_hint=None,
+            client_id=client_id,
+            post_logout_redirect_uri="example.org",
+        )
+    with pytest.raises(InvalidOIDCRedirectURIError):
+        validate_logout_request(
+            request=mock_request_for(oidc_tokens.user),
+            id_token_hint=None,
+            client_id=client_id,
+            post_logout_redirect_uri="imap://example.org",
+        )
+    with pytest.raises(InvalidOIDCRedirectURIError):
+        validate_logout_request(
+            request=mock_request_for(oidc_tokens.user),
+            id_token_hint=None,
+            client_id=client_id,
+            post_logout_redirect_uri="http://other.org",
+        )
+
+
 @pytest.mark.django_db
 def test_validate_logout_request(oidc_tokens, public_application):
     oidc_tokens = oidc_tokens
