From 04b1096ac1507cab15a680ebde91cc33f6d636eb Mon Sep 17 00:00:00 2001 From: Filip Skokan Date: Wed, 7 Sep 2022 11:11:09 +0200 Subject: [PATCH] fix: ignore instead of throw on unverified post_logout_redirect_uri --- README.md | 4 +-- certification/oidc/plan.json | 49 +++++++++++++++++----------- docs/README.md | 2 +- lib/actions/end_session.js | 2 +- lib/helpers/defaults.js | 2 +- test/end_session/end_session.test.js | 29 +++++----------- 6 files changed, 44 insertions(+), 44 deletions(-) diff --git a/README.md b/README.md index b04d17f5d..9ae06c940 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ _Note that not all features are enabled by default, check the configuration sect - [RFC6749 - OAuth 2.0][oauth2] & [OpenID Connect Core 1.0][core] - [OpenID Connect Discovery 1.0][discovery] - [OpenID Connect Dynamic Client Registration 1.0][registration] and [RFC7591 - OAuth 2.0 Dynamic Client Registration Protocol][oauth2-registration] +- [OpenID Connect RP-Initiated Logout 1.0][rpinitiated-logout] - [OAuth 2.0 Form Post Response Mode][form-post] - [RFC7009 - OAuth 2.0 Token Revocation][revocation] - [RFC7592 - OAuth 2.0 Dynamic Client Registration Management Protocol][registration-management] @@ -49,7 +50,6 @@ The following draft specifications are implemented by oidc-provider: - [Financial-grade API: Client Initiated Backchannel Authentication Profile (FAPI-CIBA) - Implementer's Draft 01][fapi-ciba] - [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 03][dpop] - [OpenID Connect Back-Channel Logout 1.0 - draft 07][backchannel-logout] -- [OpenID Connect RP-Initiated Logout 1.0 - draft 02][rpinitiated-logout] Updates to draft specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde `~` operator in your 
@@ -146,7 +146,7 @@ actions and i.e. emit metrics that react to specific triggers. See the list of a [paseto-at]: https://paseto.io [support-sponsor]: https://github.com/sponsors/panva [par]: https://www.rfc-editor.org/rfc/rfc9126.html -[rpinitiated-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-02.html +[rpinitiated-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html [iss-auth-resp]: https://www.rfc-editor.org/rfc/rfc9207.html [fapi]: https://openid.net/specs/openid-financial-api-part-2-1_0.html [ciba]: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html diff --git a/certification/oidc/plan.json b/certification/oidc/plan.json index 2fadf36c4..24eea2a47 100644 --- a/certification/oidc/plan.json +++ b/certification/oidc/plan.json @@ -778,25 +778,36 @@ ] }, { - "comment": "expect an immediate error page", - "match": "https://op.panva.cz/session/end*", - "tasks": [ - { - "task": "Expect error page", - "match": "https://op.panva.cz/session/end*", - "commands": [ - [ - "wait", - "xpath", - "//*", - 10, - "post_logout_redirect_uri can only be used in combination with id_token_hint", - "update-image-placeholder" - ] - ] - } - ] - } + "comment": "wait for the logout success", + "match": "https://op.panva.cz/session/end*", + "tasks": [ + { + "task": "Choose logout option", + "match": "https://op.panva.cz/session/end*", + "commands": [ + [ + "click", + "css", + "button[autofocus] " + ] + ] + }, + { + "task": "Expect success page", + "match": "https://op.panva.cz/session/end/success", + "commands": [ + [ + "wait", + "xpath", + "//*", + 10, + "Sign-out Success", + "update-image-placeholder" + ] + ] + } + ] + } ] }, "oidcc-rp-initiated-logout-no-params" : { diff --git a/docs/README.md b/docs/README.md index 0cd6f9591..6e423bec2 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -1863,7 +1863,7 @@ _**default value**_: ### features.rpInitiatedLogout -[RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-02.html) +[RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html) Enables RP-Initiated Logout features diff --git a/lib/actions/end_session.js b/lib/actions/end_session.js index 30985354a..27e9e3e67 100644 --- a/lib/actions/end_session.js +++ b/lib/actions/end_session.js @@ -68,7 +68,7 @@ module.exports = { throw new InvalidRequest('post_logout_redirect_uri not registered'); } } else if (params.post_logout_redirect_uri !== undefined) { - throw new InvalidRequest('post_logout_redirect_uri can only be used in combination with id_token_hint or client_id'); + params.post_logout_redirect_uri = undefined; } await next(); diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js index 53b75523f..884bab7fb 100644 --- a/lib/helpers/defaults.js +++ b/lib/helpers/defaults.js @@ -1289,7 +1289,7 @@ function getDefaults() { /* * features.rpInitiatedLogout * - * title: [RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-02.html) + * title: [RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html) * * description: Enables RP-Initiated Logout features */ diff --git a/test/end_session/end_session.test.js b/test/end_session/end_session.test.js index 8608537a3..a75da03ba 100644 --- a/test/end_session/end_session.test.js +++ b/test/end_session/end_session.test.js 
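Review bot: The replacement line `params.post_logout_redirect_uri = undefined;` in lib/actions/end_session.js discards a request parameter with no comment, so a reader of the else-if branch cannot tell whether the drop is deliberate or a leftover; a why-comment would pin the contract, e.g. `// Neither id_token_hint nor client_id was sent, so the URI cannot be verified: ignore it (no post-logout redirect is performed) rather than reject the request.` The assignment relies on later code treating `undefined` as "absent"; the condition on the same branch uses `!== undefined`, which suggests that is the file's convention, but the rest of the handler is outside the hunk and worth confirming, since any later check of key presence would still see the unverified value. The 400 that was removed also surfaced RP misconfiguration to whoever watched `end_session.error`; with the silent drop nothing records that the value was ignored, so consider whether the existing logging or event path of this handler should note it (presumably there is one, cannot see it from here). The enclosing handler starts and ends outside the hunk.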
@@ -262,28 +262,17 @@ describe('logout endpoint', () => { expect(postLogoutRedirectUri).to.be.undefined; }); }); - }); - it('without id_token_hint or client_id post_logout_redirect_uri may not be provided', function () { - const emitSpy = sinon.spy(); - const renderSpy = sinon.spy(i(this.provider).configuration(), 'renderError'); - this.provider.once('end_session.error', emitSpy); - const params = { - post_logout_redirect_uri: 'https://client.example.com/callback/logout', - }; + it('ignores unverified post_logout_redirect_uri', function () { + const params = { post_logout_redirect_uri: 'https://client.example.com/logout/cb' }; - return this.agent.get(route) - .set('Accept', 'text/html') - .query(params) - .expect(400) - .expect(() => { - expect(emitSpy.calledOnce).to.be.true; - expect(renderSpy.calledOnce).to.be.true; - const renderArgs = renderSpy.args[0]; - expect(renderArgs[1]).to.have.property('error', 'invalid_request'); - expect(renderArgs[1]).to.have.property('error_description', 'post_logout_redirect_uri can only be used in combination with id_token_hint or client_id'); - expect(renderArgs[2]).to.be.an.instanceof(InvalidRequest); - }); + return this.wrap({ route, verb, params }) + .expect(200) + .expect(() => { + const { state: { postLogoutRedirectUri } } = this.getSession(); + expect(postLogoutRedirectUri).to.be.undefined; + }); + }); }); it('validates post_logout_redirect_uri allowed on client', function () {
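Review bot: The new test's name, `ignores unverified post_logout_redirect_uri`, does not say what makes the value unverifiable; the request carries neither id_token_hint nor client_id, and the sibling test on the hunk's last line covers the registered-on-client case, so naming the condition keeps the two apart: `it('ignores post_logout_redirect_uri when neither id_token_hint nor client_id is sent', function () {`. The new assertions check only the 200 status and the cleared session value; since the point of the change is that no error path is taken, it would be worth keeping the spy the removed test had and asserting it stays unused, `const emitSpy = sinon.spy(); this.provider.once('end_session.error', emitSpy);` before the request and `expect(emitSpy.called).to.be.false;` inside the `.expect(() => { … })` callback. Whether `this.wrap` and `verb` are in scope for this describe block is not visible in the hunk.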