fix: end session (#35)

* fix: handle code separately

* fix: option to ignore expiration on id_token and error handling

* fix: op handler as http.Handler

* fix: terminate session possible wihtout id_token_hint

pkg/op/config.go

@@ -16,8 +16,6 @@ type Configuration interface {
 	KeysEndpoint() Endpoint
 
 	AuthMethodPostSupported() bool
-
-	Port() string
 }
 
 func ValidateIssuer(issuer string) error {

pkg/op/default_op.go

@@ -10,6 +10,7 @@ import (
 	"gopkg.in/square/go-jose.v2"
 
 	"github.com/caos/logging"
+
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/rp"
 )
@@ -45,7 +46,7 @@ type DefaultOP struct {
 	signer      Signer
 	verifier    rp.Verifier
 	crypto      Crypto
-	http        *http.Server
+	http        http.Handler
 	decoder     *schema.Decoder
 	encoder     *schema.Encoder
 	interceptor HttpInterceptor
@@ -64,7 +65,6 @@ type Config struct {
 	// IdTokenSigningAlgValuesSupported:  []string{keys.SigningAlgorithm},
 	// SubjectTypesSupported:             []string{"public"},
 	// TokenEndpointAuthMethodsSupported:
-	Port string
 }
 
 type endpoints struct {
@@ -180,13 +180,10 @@ func NewDefaultOP(ctx context.Context, config *Config, storage Storage, opOpts .
 	p.signer = NewDefaultSigner(ctx, storage, keyCh)
 	go p.ensureKey(ctx, storage, keyCh, p.timer)
 
-	p.verifier = rp.NewDefaultVerifier(config.Issuer, "", p, rp.WithIgnoreAudience())
+	p.verifier = rp.NewDefaultVerifier(config.Issuer, "", p, rp.WithIgnoreAudience(), rp.WithIgnoreExpiration())
+
+	p.http = CreateRouter(p, p.interceptor)
 
-	router := CreateRouter(p, p.interceptor)
-	p.http = &http.Server{
-		Addr:    ":" + config.Port,
-		Handler: router,
-	}
 	p.decoder = schema.NewDecoder()
 	p.decoder.IgnoreUnknownKeys(true)
 
@@ -225,11 +222,7 @@ func (p *DefaultOP) AuthMethodPostSupported() bool {
 	return true //TODO: config
 }
 
-func (p *DefaultOP) Port() string {
-	return p.config.Port
-}
-
-func (p *DefaultOP) HttpHandler() *http.Server {
+func (p *DefaultOP) HttpHandler() http.Handler {
 	return p.http
 }
 

pkg/op/op.go

@@ -1,12 +1,10 @@
 package op
 
 import (
-	"context"
 	"net/http"
 
 	"github.com/gorilla/handlers"
 	"github.com/gorilla/mux"
-	"github.com/sirupsen/logrus"
 
 	"github.com/caos/oidc/pkg/oidc"
 )
@@ -26,7 +24,7 @@ type OpenIDProvider interface {
 	HandleUserinfo(w http.ResponseWriter, r *http.Request)
 	HandleEndSession(w http.ResponseWriter, r *http.Request)
 	HandleKeys(w http.ResponseWriter, r *http.Request)
-	HttpHandler() *http.Server
+	HttpHandler() http.Handler
 }
 
 type HttpInterceptor func(http.HandlerFunc) http.HandlerFunc
@@ -54,21 +52,3 @@ func CreateRouter(o OpenIDProvider, h HttpInterceptor) *mux.Router {
 	router.HandleFunc(o.KeysEndpoint().Relative(), o.HandleKeys)
 	return router
 }
-
-func Start(ctx context.Context, o OpenIDProvider) {
-	go func() {
-		<-ctx.Done()
-		err := o.HttpHandler().Shutdown(ctx)
-		if err != nil {
-			logrus.Error("graceful shutdown of oidc server failed")
-		}
-	}()
-
-	go func() {
-		err := o.HttpHandler().ListenAndServe()
-		if err != nil {
-			logrus.Panicf("oidc server serve failed: %v", err)
-		}
-	}()
-	logrus.Infof("oidc server is listening on %s", o.Port())
-}

pkg/op/session.go

@@ -27,7 +27,11 @@ func EndSession(w http.ResponseWriter, r *http.Request, ender SessionEnder) {
 		RequestError(w, r, err)
 		return
 	}
-	err = ender.Storage().TerminateSession(r.Context(), session.UserID, session.Client.GetID())
+	var clientID string
+	if session.Client != nil {
+		clientID = session.Client.GetID()
+	}
+	err = ender.Storage().TerminateSession(r.Context(), session.UserID, clientID)
 	if err != nil {
 		RequestError(w, r, ErrServerError("error terminating session"))
 		return
@@ -50,6 +54,9 @@ func ParseEndSessionRequest(r *http.Request, decoder *schema.Decoder) (*oidc.End
 
 func ValidateEndSessionRequest(ctx context.Context, req *oidc.EndSessionRequest, ender SessionEnder) (*EndSessionRequest, error) {
 	session := new(EndSessionRequest)
+	if req.IdTokenHint == "" {
+		return session, nil
+	}
 	claims, err := ender.IDTokenVerifier().Verify(ctx, "", req.IdTokenHint)
 	if err != nil {
 		return nil, ErrInvalidRequest("id_token_hint invalid")