Merge pull request #829 from infohash/bugfix/end-session-logout-missing-id-token-hint

Fixed RP-Initiated Logout To Accept id_token_hint

Author: schlenk

CHANGELOG.md

@@ -10,12 +10,17 @@ The format is based on the [KeepAChangeLog] project.
 ### Changed
 - [#827] Added support for python 3.11
 
+### Fixed
+- [#826], [#829] Fixed RP-Initiated Logout To Accept id_token_hint
+
 ## Removed
 
 - [#820] Removed Client.grant_from_state method.
 
 [#820]: https://github.com/OpenIDC/pyoidc/pull/820
 [#827]: https://github.com/OpenIDC/pyoidc/issues/827
+[#826]: https://github.com/OpenIDC/pyoidc/issues/826
+[#829]: https://github.com/OpenIDC/pyoidc/pull/829
 
 ## 1.4.0 [2022-05-23]
 

mypy.ini

@@ -1,5 +1,6 @@
 [mypy]
 check_untyped_defs = True
+no_implicit_optional = False
 
 [mypy-jwkest.*]
 ignore_missing_imports = True

src/oic/oic/__init__.py

@@ -647,7 +647,12 @@ def construct_CheckIDRequest(
         )
 
     def construct_EndSessionRequest(
-        self, request=None, request_args=None, extra_args=None, **kwargs
+        self,
+        request=None,
+        request_args=None,
+        extra_args=None,
+        prop="id_token_hint",
+        **kwargs,
     ):
 
         if request is None:
@@ -658,7 +663,9 @@ def construct_EndSessionRequest(
         if "state" in request_args and "state" not in kwargs:
             kwargs["state"] = request_args["state"]
 
-        return self._id_token_based(request, request_args, extra_args, **kwargs)
+        return self._id_token_based(
+            request, request_args, extra_args, prop=prop, **kwargs
+        )
 
     def do_authorization_request(
         self,
@@ -824,6 +831,7 @@ def do_end_session_request(
         request_args=None,
         extra_args=None,
         http_args=None,
+        prop="id_token_hint",
     ):
         request = self.message_factory.get_request_type("endsession_endpoint")
         response_cls = self.message_factory.get_response_type("endsession_endpoint")
@@ -834,6 +842,7 @@ def do_end_session_request(
             extra_args=extra_args,
             scope=scope,
             state=state,
+            prop=prop,
         )
 
         if http_args is None:

tests/test_oic.py

@@ -415,9 +415,10 @@ def test_do_end_session_request(self):
         alg = "RS256"
         ktyp = alg2keytype(alg)
         _sign_key = self.client.keyjar.get_signing_key(ktyp)
+        id_token_jwt = IDTOKEN.to_jwt(key=_sign_key, algorithm=alg)
         args = {
-            "id_token": IDTOKEN.to_jwt(key=_sign_key, algorithm=alg),
-            "redirect_url": "http://example.com/end",
+            "id_token_hint": id_token_jwt,
+            "post_logout_redirect_uri": "http://example.com/end",
         }
 
         with responses.RequestsMock() as rsps:
@@ -427,10 +428,10 @@ def test_do_end_session_request(self):
                 status=302,
                 headers={"location": ""},
             )
-            resp = self.client.do_end_session_request(request_args=args, state="state1")
+            resp = self.client.do_end_session_request(request_args=args)
             parsed = parse_qs(urlparse(resp.request.url).query)
-            assert parsed["redirect_url"] == ["http://example.com/end"]
-            assert parsed["id_token"] is not None
+            assert parsed["post_logout_redirect_uri"] == ["http://example.com/end"]
+            assert parsed["id_token_hint"] == [id_token_jwt]
 
     def test_do_registration_request(self):
         self.client.registration_endpoint = (  # type: ignore
@@ -681,9 +682,9 @@ def test_construct_EndSessionRequest_kwargs_state(self):
         self.client.grant["foo"].tokens.append(Token(resp))
 
         # state only in kwargs
-        args = {"redirect_url": "http://example.com/end"}
+        args = {"post_logout_redirect_uri": "http://example.com/end"}
         esr = self.client.construct_EndSessionRequest(state="foo", request_args=args)
-        assert _eq(esr.keys(), ["id_token", "redirect_url"])
+        assert _eq(esr.keys(), ["id_token_hint", "post_logout_redirect_uri"])
 
     def test_construct_EndSessionRequest_reqargs_state(self):
         self.client.grant["foo"] = Grant()
@@ -708,9 +709,9 @@ def test_construct_EndSessionRequest_reqargs_state(self):
         self.client.grant["foo"].tokens.append(Token(resp))
 
         # state only in request_args
-        args = {"redirect_url": "http://example.com/end", "state": "foo"}
+        args = {"post_logout_redirect_uri": "http://example.com/end", "state": "foo"}
         esr = self.client.construct_EndSessionRequest(request_args=args)
-        assert _eq(esr.keys(), ["id_token", "state", "redirect_url"])
+        assert _eq(esr.keys(), ["id_token_hint", "state", "post_logout_redirect_uri"])
 
     def test_construct_EndSessionRequest_kwargs_and_reqargs_state(self):
         self.client.grant["foo"] = Grant()
@@ -734,11 +735,29 @@ def test_construct_EndSessionRequest_kwargs_and_reqargs_state(self):
         self.client.grant["foo"].tokens.append(Token(resp))
 
         # state both in request_args and kwargs
-        args = {"redirect_url": "http://example.com/end", "state": "req_args_state"}
+        args = {
+            "post_logout_redirect_uri": "http://example.com/end",
+            "state": "req_args_state",
+        }
         esr = self.client.construct_EndSessionRequest(state="foo", request_args=args)
-        assert _eq(esr.keys(), ["id_token", "state", "redirect_url"])
+        assert _eq(esr.keys(), ["id_token_hint", "state", "post_logout_redirect_uri"])
         assert esr["state"] == "req_args_state"
 
+    def test_construct_EndSessionRequest_with_id_token_hint_and_post_logout_redirect_uri(
+        self,
+    ):
+        """Should construct end session request using id_token_hint and post_logout_redirect_uri"""
+        self.client.keyjar.add_kb(IDTOKEN["iss"], KC_SYM_S)
+        _sig_key = self.client.keyjar.get_signing_key("oct", IDTOKEN["iss"])
+        _signed_jwt = IDTOKEN.to_jwt(_sig_key, algorithm="HS256")
+
+        args = {
+            "post_logout_redirect_uri": "http://example.com/end",
+            "id_token_hint": _signed_jwt,
+        }
+        esr = self.client.construct_EndSessionRequest(request_args=args)
+        assert _eq(esr.keys(), ["id_token_hint", "post_logout_redirect_uri"])
+
     def test_construct_OpenIDRequest(self):
         request_args = {"response_type": "code id_token", "state": "af0ifjsldkj"}