From patchwork Tue Jul 14 13:35:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Fr=C3=A9d=C3=A9ric_Mangano-Tarumi?= X-Patchwork-Id: 1722 Return-Path: Delivered-To: patchwork@archlinux.org Received: from apollo.archlinux.org (localhost [127.0.0.1]) by apollo.archlinux.org (Postfix) with ESMTP id 6D1AD19ED3766 for ; Tue, 14 Jul 2020 13:35:32 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on apollo.archlinux.org X-Spam-Level: X-Spam-Status: No, score=-3.4 required=5.0 tests=DKIM_SIGNED=0.1, DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_MED=-2.3,SPF_HELO_NONE=0.001,T_DMARC_POLICY_NONE=0.01 autolearn=ham autolearn_force=no version=3.4.4 X-Spam-BL-Results: [127.0.9.2] Received: from orion.archlinux.org (orion.archlinux.org [IPv6:2a01:4f8:160:6087::1]) by apollo.archlinux.org (Postfix) with ESMTPS for ; Tue, 14 Jul 2020 13:35:32 +0000 (UTC) Received: from orion.archlinux.org (localhost [127.0.0.1]) by orion.archlinux.org (Postfix) with ESMTP id 973CE1D35CE4C3; Tue, 14 Jul 2020 13:35:30 +0000 (UTC) Received: from luna.archlinux.org (luna.archlinux.org [5.9.250.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits)) (No client certificate requested) (Authenticated sender: luna) by orion.archlinux.org (Postfix) with ESMTPSA id 06E1D1D35CE4BD; Tue, 14 Jul 2020 13:35:30 +0000 (UTC) Authentication-Results: orion.archlinux.org; dkim=pass (1024-bit key) header.d=mg0.fr header.i=@mg0.fr header.b=Pxk7jJ3T Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1]) by luna.archlinux.org (Postfix) with ESMTP id E721329CB0; Tue, 14 Jul 2020 13:35:29 +0000 (UTC) Authentication-Results: luna.archlinux.org; dkim=pass (1024-bit key) header.d=mg0.fr header.i=@mg0.fr header.b=Pxk7jJ3T Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1]) by luna.archlinux.org (Postfix) with ESMTP id E6CA820F45 for ; Tue, 14 Jul 2020 13:35:26 +0000 (UTC) Received: from orion.archlinux.org (orion.archlinux.org [IPv6:2a01:4f8:160:6087::1]) by luna.archlinux.org (Postfix) with ESMTPS for ; Tue, 14 Jul 2020 13:35:26 +0000 (UTC) Received: from orion.archlinux.org (localhost [127.0.0.1]) by orion.archlinux.org (Postfix) with ESMTP id A5FE11D35CE4B1 for ; Tue, 14 Jul 2020 13:35:24 +0000 (UTC) Received: from tsubame.mg0.fr (tsubame.mg0.fr [IPv6:2001:41d0:401:3100::402b]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by orion.archlinux.org (Postfix) with ESMTPS for ; Tue, 14 Jul 2020 13:35:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mg0.fr; s=tsubame; h=Message-ID:Subject:To:From:Date:cc; bh=TceH8phMeKaKb7bqak5Uwrfa9WN+UbbykYNzIStsQ/I=; b=Pxk7jJ3T9uk4yiTBQzBTPaGNIW csumK6lYuySzCiTtMVSQ0XTOBvQvZuGom/yK/jI1pNmvmYbCes6gT+zzA/MSpMPYhT7ThdtJg1rsk jMLZI5QaH2wjL1Tb03gxA2mE8vR6LYHKCTdiv1SvZ4VMCAQSssIZ0+WZcSSikXI0FX+Y=; Received: from fmang by tsubame.mg0.fr with local (Exim 4.94) (envelope-from ) id 1jvL5g-00ETvR-6W for aur-dev@archlinux.org; Tue, 14 Jul 2020 15:35:24 +0200 Date: Tue, 14 Jul 2020 15:35:24 +0200 From: =?utf-8?b?RnLDqWTDqXJpYw==?= Mangano-Tarumi To: aur-dev@archlinux.org Subject: [PATCH 4/4] Save id_token for the SSO logout Message-ID: <20200714133524.GA3451609@tsubame.mg0.fr> MIME-Version: 1.0 Content-Disposition: inline X-BeenThere: aur-dev@archlinux.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "Arch User Repository \(AUR\) Development" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: aur-dev-bounces@archlinux.org Sender: "aur-dev" As far as I can see, Keycloak ignores it entirely. I can login in as SSO user A, then disconnect from the SSO directly and reconnect as user B, but when I disconnect user A from AUR, Keycloak disconnects B even though AUR passed it an ID token for A. --- aurweb/routers/sso.py | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py index a8d4b141..04ecdca6 100644 --- a/aurweb/routers/sso.py +++ b/aurweb/routers/sso.py @@ -80,6 +80,11 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)): # TODO redirect to the referrer response.set_cookie(key="AURSID", value=sid, httponly=True, secure=request.url.scheme == "https") + if "id_token" in token: + # We save the id_token for the SSO logout. It’s not too important + # though, so if we can’t find it, we can live without it. + response.set_cookie(key="SSO_ID_TOKEN", value=token["id_token"], path="/sso/", + httponly=True, secure=request.url.scheme == "https") return response else: # We’ve got a severe integrity violation. @@ -87,7 +92,7 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)): @router.get("/sso/logout") -async def logout(): +async def logout(request: Request): """ Disconnect the user from the SSO provider, potentially affecting every other Arch service. AUR logout is performed by `/logout`, before it @@ -96,7 +101,13 @@ async def logout(): Based on the OpenID Connect Session Management specification: https://openid.net/specs/openid-connect-session-1_0.html#RPLogout """ + id_token = request.cookies.get("SSO_ID_TOKEN") + if not id_token: + return RedirectResponse("/") + metadata = await oauth.sso.load_server_metadata() - # TODO Supply id_token_hint to the end session endpoint. - query = urlencode({'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location')}) - return RedirectResponse(metadata["end_session_endpoint"] + '?' + query) + query = urlencode({'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location'), + 'id_token_hint': id_token}) + response = RedirectResponse(metadata["end_session_endpoint"] + '?' + query) + response.delete_cookie("SSO_ID_TOKEN", path="/sso/") + return response