fix: ignore instead of throw on unverified post_logout_redirect_uri
panva committed Sep 13, 2022
1 parent 0fcc112 commit 04b1096
Showing 6 changed files with 44 additions and 44 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -21,6 +21,7 @@ _Note that not all features are enabled by default, check the configuration sect
- [RFC6749 - OAuth 2.0][oauth2] & [OpenID Connect Core 1.0][core]
- [OpenID Connect Discovery 1.0][discovery]
- [OpenID Connect Dynamic Client Registration 1.0][registration] and [RFC7591 - OAuth 2.0 Dynamic Client Registration Protocol][oauth2-registration]
- [OpenID Connect RP-Initiated Logout 1.0][rpinitiated-logout]
- [OAuth 2.0 Form Post Response Mode][form-post]
- [RFC7009 - OAuth 2.0 Token Revocation][revocation]
- [RFC7592 - OAuth 2.0 Dynamic Client Registration Management Protocol][registration-management]
Expand Down Expand Up @@ -49,7 +50,6 @@ The following draft specifications are implemented by oidc-provider:
- [Financial-grade API: Client Initiated Backchannel Authentication Profile (FAPI-CIBA) - Implementer's Draft 01][fapi-ciba]
- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 03][dpop]
- [OpenID Connect Back-Channel Logout 1.0 - draft 07][backchannel-logout]
- [OpenID Connect RP-Initiated Logout 1.0 - draft 02][rpinitiated-logout]

Updates to draft specification versions are released as MINOR library versions,
if you utilize these specification implementations consider using the tilde `~` operator in your
Expand Down Expand Up @@ -146,7 +146,7 @@ actions and i.e. emit metrics that react to specific triggers. See the list of a
[paseto-at]: https://paseto.io
[support-sponsor]: https://github.com/sponsors/panva
[par]: https://www.rfc-editor.org/rfc/rfc9126.html
[rpinitiated-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-02.html
[rpinitiated-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html
[iss-auth-resp]: https://www.rfc-editor.org/rfc/rfc9207.html
[fapi]: https://openid.net/specs/openid-financial-api-part-2-1_0.html
[ciba]: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html
49 changes: 30 additions & 19 deletions certification/oidc/plan.json
Expand Up @@ -778,25 +778,36 @@
]
},
{
"comment": "expect an immediate error page",
"match": "https://op.panva.cz/session/end*",
"tasks": [
{
"task": "Expect error page",
"match": "https://op.panva.cz/session/end*",
"commands": [
[
"wait",
"xpath",
"//*",
10,
"post_logout_redirect_uri can only be used in combination with id_token_hint",
"update-image-placeholder"
]
]
}
]
}
"comment": "wait for the logout success",
"match": "https://op.panva.cz/session/end*",
"tasks": [
{
"task": "Choose logout option",
"match": "https://op.panva.cz/session/end*",
"commands": [
[
"click",
"css",
"button[autofocus] "
]
]
},
{
"task": "Expect success page",
"match": "https://op.panva.cz/session/end/success",
"commands": [
[
"wait",
"xpath",
"//*",
10,
"Sign-out Success",
"update-image-placeholder"
]
]
}
]
}
]
},
"oidcc-rp-initiated-logout-no-params" : {
2 changes: 1 addition & 1 deletion docs/README.md
Expand Up @@ -1863,7 +1863,7 @@ _**default value**_:

### features.rpInitiatedLogout

[RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-02.html)
[RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html)

Enables RP-Initiated Logout features

2 changes: 1 addition & 1 deletion lib/actions/end_session.js
Expand Up @@ -68,7 +68,7 @@ module.exports = {
throw new InvalidRequest('post_logout_redirect_uri not registered');
}
} else if (params.post_logout_redirect_uri !== undefined) {
throw new InvalidRequest('post_logout_redirect_uri can only be used in combination with id_token_hint or client_id');
params.post_logout_redirect_uri = undefined;
}

await next();
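Review bot: The new branch `params.post_logout_redirect_uri = undefined;` silently discards the parameter, which is the safe outcome — an OP should never redirect to a URI it could not tie to a registered client — but nothing in the hunk records that intent, so a later reader may read it as a lost validation error rather than a deliberate downgrade to a plain logout. A short why-comment on that line would carry the reasoning: `// No id_token_hint or client_id: the URI cannot be verified against a client's registered post_logout_redirect_uris, so it is ignored and the plain logout flow continues (RP-Initiated Logout 1.0).` If a `state` parameter is only meaningful together with post_logout_redirect_uri, consider clearing it in the same branch so it is not carried into the session or a later redirect; that handling is outside the hunk, so I cannot confirm it from here. The enclosing handler starts and ends outside the hunk.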
2 changes: 1 addition & 1 deletion lib/helpers/defaults.js
Expand Up @@ -1289,7 +1289,7 @@ function getDefaults() {
/*
* features.rpInitiatedLogout
*
* title: [RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-02.html)
* title: [RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html)
*
* description: Enables RP-Initiated Logout features
*/
29 changes: 9 additions & 20 deletions test/end_session/end_session.test.js
Expand Up @@ -262,28 +262,17 @@ describe('logout endpoint', () => {
expect(postLogoutRedirectUri).to.be.undefined;
});
});
});

it('without id_token_hint or client_id post_logout_redirect_uri may not be provided', function () {
const emitSpy = sinon.spy();
const renderSpy = sinon.spy(i(this.provider).configuration(), 'renderError');
this.provider.once('end_session.error', emitSpy);
const params = {
post_logout_redirect_uri: 'https://client.example.com/callback/logout',
};
it('ignores unverified post_logout_redirect_uri', function () {
const params = { post_logout_redirect_uri: 'https://client.example.com/logout/cb' };

return this.agent.get(route)
.set('Accept', 'text/html')
.query(params)
.expect(400)
.expect(() => {
expect(emitSpy.calledOnce).to.be.true;
expect(renderSpy.calledOnce).to.be.true;
const renderArgs = renderSpy.args[0];
expect(renderArgs[1]).to.have.property('error', 'invalid_request');
expect(renderArgs[1]).to.have.property('error_description', 'post_logout_redirect_uri can only be used in combination with id_token_hint or client_id');
expect(renderArgs[2]).to.be.an.instanceof(InvalidRequest);
});
return this.wrap({ route, verb, params })
.expect(200)
.expect(() => {
const { state: { postLogoutRedirectUri } } = this.getSession();
expect(postLogoutRedirectUri).to.be.undefined;
});
});
});

it('validates post_logout_redirect_uri allowed on client', function () {
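Review bot: The new `ignores unverified post_logout_redirect_uri` test pins only the stored session state, so a regression that echoed the supplied URI into the rendered logout page or a later redirect would still pass as long as `postLogoutRedirectUri` stayed undefined. Add a response-body assertion next to the existing one, e.g. `.expect(({ text }) => expect(text).not.to.include('https://client.example.com/logout/cb'))`, and if the endpoint accepts `state`, a sibling case that sends both and checks neither value is retained in the session. Whether `this.wrap` exposes the response text the way the removed `this.agent.get(route)` chain did is not visible in the hunk; the surrounding describe block begins outside it.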
