feat: terminate session (front channel logout)
This commit is contained in:
parent
4cf6c6d5f0
commit
e8f3010910
16 changed files with 208 additions and 14 deletions
|
@ -1,6 +1,76 @@
|
|||
package op
|
||||
|
||||
import "github.com/caos/oidc/pkg/oidc"
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
|
||||
"github.com/caos/oidc/pkg/oidc"
|
||||
"github.com/caos/oidc/pkg/rp"
|
||||
"github.com/gorilla/schema"
|
||||
)
|
||||
|
||||
type SessionEnder interface {
|
||||
Decoder() *schema.Decoder
|
||||
Storage() Storage
|
||||
IDTokenVerifier() rp.Verifier
|
||||
DefaultLogoutRedirectURI() string
|
||||
}
|
||||
|
||||
func EndSession(w http.ResponseWriter, r *http.Request, ender SessionEnder) {
|
||||
req, err := ParseEndSessionRequest(r, ender.Decoder())
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
session, err := ValidateEndSessionRequest(r.Context(), req, ender)
|
||||
if err != nil {
|
||||
RequestError(w, r, err)
|
||||
return
|
||||
}
|
||||
err = ender.Storage().TerminateSession(r.Context(), session.UserID, session.Client.GetID())
|
||||
if err != nil {
|
||||
RequestError(w, r, ErrServerError("error terminating session"))
|
||||
return
|
||||
}
|
||||
http.Redirect(w, r, session.RedirectURI, http.StatusFound)
|
||||
}
|
||||
|
||||
func ParseEndSessionRequest(r *http.Request, decoder *schema.Decoder) (*oidc.EndSessionRequest, error) {
|
||||
err := r.ParseForm()
|
||||
if err != nil {
|
||||
return nil, ErrInvalidRequest("error parsing form")
|
||||
}
|
||||
req := new(oidc.EndSessionRequest)
|
||||
err = decoder.Decode(req, r.Form)
|
||||
if err != nil {
|
||||
return nil, ErrInvalidRequest("error decoding form")
|
||||
}
|
||||
return req, nil
|
||||
}
|
||||
|
||||
func ValidateEndSessionRequest(ctx context.Context, req *oidc.EndSessionRequest, ender SessionEnder) (*EndSessionRequest, error) {
|
||||
session := new(EndSessionRequest)
|
||||
claims, err := ender.IDTokenVerifier().Verify(ctx, "", req.IdTokenHint)
|
||||
if err != nil {
|
||||
return nil, ErrInvalidRequest("id_token_hint invalid")
|
||||
}
|
||||
session.UserID = claims.Subject
|
||||
session.Client, err = ender.Storage().GetClientByClientID(ctx, claims.AuthorizedParty)
|
||||
if err != nil {
|
||||
return nil, ErrServerError("")
|
||||
}
|
||||
if req.PostLogoutRedirectURI == "" {
|
||||
session.RedirectURI = ender.DefaultLogoutRedirectURI()
|
||||
return session, nil
|
||||
}
|
||||
for _, uri := range session.Client.PostLogoutRedirectURIs() {
|
||||
if uri == req.PostLogoutRedirectURI {
|
||||
session.RedirectURI = uri + "?state=" + req.State
|
||||
return session, nil
|
||||
}
|
||||
}
|
||||
return nil, ErrInvalidRequest("post_logout_redirect_uri invalid")
|
||||
}
|
||||
|
||||
func NeedsExistingSession(authRequest *oidc.AuthRequest) bool {
|
||||
if authRequest == nil {
|
||||
|
|
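Review bot: `session.RedirectURI = uri + "?state=" + req.State` in ValidateEndSessionRequest splices the caller-supplied `state` into the redirect target without any encoding, so a value containing `&`, `#` or whitespace rewrites the query or fragment of the registered post_logout_redirect_uri, and a registered URI that already carries a query string ends up with a second `?`. Build the target with net/url instead (parse the registered URI, set `state` through `Query().Set`, re-encode) and append it only when `state` is non-empty, as in the fence below; this needs `net/url` added to the import block. Separately, the parse failure in EndSession is answered with `http.StatusInternalServerError` and the raw error text while every other failure in the handler goes through `RequestError`; `RequestError(w, r, err)` would route the ErrInvalidRequest through the same error mapping as the rest. It also looks like the client is resolved solely from the `azp` claim, which is optional in an ID token, so an id_token_hint without it ends in `ErrServerError("")` rather than an invalid_request; whether a fallback to the token's audience is available depends on the verifier's claims type and is worth confirming.
```go
	for _, uri := range session.Client.PostLogoutRedirectURIs() {
		if uri != req.PostLogoutRedirectURI {
			continue
		}
		target, err := url.Parse(uri)
		if err != nil {
			return nil, ErrServerError("")
		}
		if req.State != "" {
			q := target.Query()
			q.Set("state", req.State)
			target.RawQuery = q.Encode()
		}
		session.RedirectURI = target.String()
		return session, nil
	}
	// … unchanged: invalid post_logout_redirect_uri error …
```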