fix: end session (#35)

* fix: handle code separately * fix: option to ignore expiration on id_token and error handling * fix: op handler as http.Handler * fix: terminate session possible wihtout id_token_hint
2020-07-06 12:52:22 +02:00 · 2020-07-06 12:52:22 +02:00 · 628bc4ed65
commit 628bc4ed65
parent 21dfd6c22e
7 changed files with 52 additions and 48 deletions
--- a/pkg/op/session.go
+++ b/pkg/op/session.go
@ -27,7 +27,11 @@ func EndSession(w http.ResponseWriter, r *http.Request, ender SessionEnder) {
 		RequestError(w, r, err)
 		return
 	}
-	err = ender.Storage().TerminateSession(r.Context(), session.UserID, session.Client.GetID())
+	var clientID string
+	if session.Client != nil {
+		clientID = session.Client.GetID()
+	}
+	err = ender.Storage().TerminateSession(r.Context(), session.UserID, clientID)
 	if err != nil {
 		RequestError(w, r, ErrServerError("error terminating session"))
 		return
@ -50,6 +54,9 @@ func ParseEndSessionRequest(r *http.Request, decoder *schema.Decoder) (*oidc.End

 func ValidateEndSessionRequest(ctx context.Context, req *oidc.EndSessionRequest, ender SessionEnder) (*EndSessionRequest, error) {
 	session := new(EndSessionRequest)
+	if req.IdTokenHint == "" {
+		return session, nil
+	}
 	claims, err := ender.IDTokenVerifier().Verify(ctx, "", req.IdTokenHint)
 	if err != nil {
 		return nil, ErrInvalidRequest("id_token_hint invalid")