From 568802ce7c90f1e24a5083551277a3aa7652084b Mon Sep 17 00:00:00 2001
From: Repumba <tomasz.trzeciak@nask.pl>
Date: Wed, 4 Jan 2023 18:03:12 +0100
Subject: [PATCH 01/25] initial commit

---
 docker-compose-oidc-dev.yml                             | 2 ++
 mwdb/web/src/components/Settings/Views/OAuthProvider.js | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/docker-compose-oidc-dev.yml b/docker-compose-oidc-dev.yml
index 44f01e402..53cced4de 100644
--- a/docker-compose-oidc-dev.yml
+++ b/docker-compose-oidc-dev.yml
@@ -64,6 +64,8 @@ services:
     env_file:
       # NOTE: use gen_vars.sh in order to generate this file
       - postgres-vars.env
+    ports:
+      - "127.0.0.1:54322:5432"
   redis:
     image: redis:alpine
   mailhog:
diff --git a/mwdb/web/src/components/Settings/Views/OAuthProvider.js b/mwdb/web/src/components/Settings/Views/OAuthProvider.js
index cc1b32f2b..d52e9be72 100644
--- a/mwdb/web/src/components/Settings/Views/OAuthProvider.js
+++ b/mwdb/web/src/components/Settings/Views/OAuthProvider.js
@@ -131,6 +131,14 @@ export default function OAuthProvider() {
                             onSubmit={handleSubmit}
                         />
                     </ProviderItem>
+                    <ProviderItem label="Logout endpoint">
+                        <EditableItem
+                            name="logout_endpoint"
+                            type="logout_endpoint"
+                            defaultValue={provider.logout_endpoint}
+                            onSubmit={handleSubmit}
+                        />
+                    </ProviderItem>
                 </tbody>
             </table>
             <b>Actions:</b>

From c4c2ebd5666fc8657110f74a6b47df7339f71947 Mon Sep 17 00:00:00 2001
From: Repumba <tomasz.trzeciak@nask.pl>
Date: Wed, 4 Jan 2023 18:20:03 +0100
Subject: [PATCH 02/25] create logout_endpoint column

---
 ...3d1497694_create_logout_endpoint_column.py | 33 +++++++++++++++++++
 .../Settings/Views/OAuthRegister.js           | 10 ++++++
 2 files changed, 43 insertions(+)
 create mode 100644 mwdb/model/migrations/versions/bd93d1497694_create_logout_endpoint_column.py

diff --git a/mwdb/model/migrations/versions/bd93d1497694_create_logout_endpoint_column.py b/mwdb/model/migrations/versions/bd93d1497694_create_logout_endpoint_column.py
new file mode 100644
index 000000000..75599ca24
--- /dev/null
+++ b/mwdb/model/migrations/versions/bd93d1497694_create_logout_endpoint_column.py
@@ -0,0 +1,33 @@
+"""create_logout_endpoint_column
+
+Revision ID: bd93d1497694
+Revises: 25ea40a798ac
+Create Date: 2023-01-04 17:14:22.271856
+
+"""
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "bd93d1497694"
+down_revision = "25ea40a798ac"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.execute(
+        """
+    ALTER TABLE public.openid_provider
+    ADD logout_endpoint text;
+    """
+    )
+
+
+def downgrade():
+    op.execute(
+        """
+        ALTER TABLE public.openid_provider
+        DROP COLUMN logout_endpoint;
+    """
+    )
diff --git a/mwdb/web/src/components/Settings/Views/OAuthRegister.js b/mwdb/web/src/components/Settings/Views/OAuthRegister.js
index 72856251d..8ca191ec3 100644
--- a/mwdb/web/src/components/Settings/Views/OAuthRegister.js
+++ b/mwdb/web/src/components/Settings/Views/OAuthRegister.js
@@ -131,6 +131,16 @@ export default function OAuthRegister() {
                         className="form-control"
                     />
                 </div>
+                <div className="form-group">
+                    <label>Logout endpoint</label>
+                    <input
+                        type="text"
+                        name="logout_endpoint"
+                        value={values.logout_endpoint}
+                        onChange={handleInputChange}
+                        className="form-control"
+                    />
+                </div>
                 <input
                     type="submit"
                     value="Submit"

From 6744765845d27f0df610e0b0119232a02f3e5ed1 Mon Sep 17 00:00:00 2001
From: Repumba <tomasz.trzeciak@nask.pl>
Date: Thu, 5 Jan 2023 15:21:38 +0100
Subject: [PATCH 03/25] Implement using discovery/configuration endpoint

---
 .../Settings/Views/OAuthRegister.js           | 100 +++++++++++++++++-
 1 file changed, 98 insertions(+), 2 deletions(-)

diff --git a/mwdb/web/src/components/Settings/Views/OAuthRegister.js b/mwdb/web/src/components/Settings/Views/OAuthRegister.js
index 8ca191ec3..1f2a5ea35 100644
--- a/mwdb/web/src/components/Settings/Views/OAuthRegister.js
+++ b/mwdb/web/src/components/Settings/Views/OAuthRegister.js
@@ -1,12 +1,14 @@
-import React, { useContext, useState } from "react";
+import React, { useContext, useState, useCallback, useEffect } from "react";
 
 import { APIContext } from "@mwdb-web/commons/api/context";
 
-import { useViewAlert } from "@mwdb-web/commons/ui";
+import { ShowIf, useViewAlert } from "@mwdb-web/commons/ui";
 
 export default function OAuthRegister() {
     const api = useContext(APIContext);
     const viewAlert = useViewAlert();
+    const [discoverData, setDiscoverData] = useState();
+    const [discoverURL, setDiscoverURL] = useState();
     const [values, setValues] = useState({
         userinfo_endpoint: "",
         jwks_endpoint: "",
@@ -15,6 +17,7 @@ export default function OAuthRegister() {
         authorization_endpoint: "",
         client_id: "",
         client_secret: "",
+        logout_endpoint: "",
     });
 
     function handleInputChange(event) {
@@ -27,6 +30,24 @@ export default function OAuthRegister() {
         }));
     }
 
+    function autoFill() {
+        if (!discoverData) return;
+        console.log(values);
+        const keys = Object.keys(values);
+        for (const i in keys) {
+            values[keys[i]] = discoverData[keys[i]];
+        }
+        if (typeof discoverData["jwks_uri"] === "undefined")
+            discoverData["jwks_uri"] = "";
+
+        if (typeof discoverData["end_session_endpoint"] === "undefined")
+            discoverData["end_session_endpoint"] = "";
+
+        values["jwks_endpoint"] = discoverData["jwks_uri"];
+        values["logout_endpoint"] = discoverData["end_session_endpoint"];
+        setDiscoverURL("");
+    }
+
     async function registerProvider() {
         try {
             await api.oauthRegisterProvider(
@@ -47,9 +68,84 @@ export default function OAuthRegister() {
         }
     }
 
+    async function updateDiscoverData() {
+        try {
+            var req = new Request(discoverURL);
+            fetch(req)
+                .then(async (response) => {
+                    return await response.json();
+                })
+                .then((x) => {
+                    setDiscoverData(x);
+                });
+        } catch (e) {
+            viewAlert.setAlert({ e });
+        }
+    }
+
+    const getDiscover = useCallback(updateDiscoverData, [
+        discoverURL,
+        viewAlert,
+    ]);
+    const autoFillCallback = useCallback(autoFill, [
+        discoverData,
+        values,
+        viewAlert,
+    ]);
+
+    useEffect(() => {
+        getDiscover();
+    }, [getDiscover]);
+    useEffect(() => {
+        autoFillCallback();
+    }, [autoFillCallback]);
+
     return (
         <div className="container">
             <h2>Register new identity provider</h2>
+            <form
+                onSubmit={(e) => {
+                    e.preventDefault();
+                    setDiscoverURL(e.target.discover_endpoint.value);
+                }}
+            >
+                <div className="form-group">
+                    <label>Discover endpoint</label>
+                    <input
+                        type="text"
+                        name="discover_endpoint"
+                        className="form-control"
+                        required
+                    />
+                </div>
+                <div className="form-group">
+                    <input
+                        type="submit"
+                        value="Get data"
+                        className="btn btn-secondary"
+                    />
+                </div>
+                <ShowIf condition={discoverData}>
+                    <textarea
+                        type="text"
+                        rows="10"
+                        width="100%"
+                        className="form-control"
+                        value={JSON.stringify(discoverData, null, 4)}
+                        disabled
+                    />
+                    <button
+                        className="btn btn-secondary"
+                        onClick={() => {
+                            setDiscoverURL("");
+                            setDiscoverData(null);
+                        }}
+                    >
+                        Hide output
+                    </button>
+                </ShowIf>
+            </form>
+
             <form
                 onSubmit={(ev) => {
                     ev.preventDefault();

From 55dfac2095e7247f71913f86fa3e4b8bd4a975da Mon Sep 17 00:00:00 2001
From: Repumba <tomasz.trzeciak@nask.pl>
Date: Thu, 5 Jan 2023 15:55:42 +0100
Subject: [PATCH 04/25] fix callback dependencies

---
 mwdb/web/src/components/Settings/Views/OAuthRegister.js | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/mwdb/web/src/components/Settings/Views/OAuthRegister.js b/mwdb/web/src/components/Settings/Views/OAuthRegister.js
index 1f2a5ea35..2d7e303ad 100644
--- a/mwdb/web/src/components/Settings/Views/OAuthRegister.js
+++ b/mwdb/web/src/components/Settings/Views/OAuthRegister.js
@@ -87,11 +87,7 @@ export default function OAuthRegister() {
         discoverURL,
         viewAlert,
     ]);
-    const autoFillCallback = useCallback(autoFill, [
-        discoverData,
-        values,
-        viewAlert,
-    ]);
+    const autoFillCallback = useCallback(autoFill, [discoverData, values]);
 
     useEffect(() => {
         getDiscover();

From b8568366bd802e99770799bdc95c8dcdc152b643 Mon Sep 17 00:00:00 2001
From: Repumba <tomasz.trzeciak@nask.pl>
Date: Thu, 5 Jan 2023 17:02:27 +0100
Subject: [PATCH 05/25] store information about provider

---
 mwdb/web/src/commons/auth/provider.js                  | 10 ++++++++++
 mwdb/web/src/components/OAuth.js                       |  1 +
 mwdb/web/src/components/Profile/ProfileView.js         |  1 +
 .../web/src/components/Settings/Views/OAuthRegister.js |  1 -
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/mwdb/web/src/commons/auth/provider.js b/mwdb/web/src/commons/auth/provider.js
index 25a15a9dc..b6ff12355 100644
--- a/mwdb/web/src/commons/auth/provider.js
+++ b/mwdb/web/src/commons/auth/provider.js
@@ -74,6 +74,7 @@ export function AuthProvider(props) {
     const [session, _setSession] = useState(getStoredAuthSession());
     const refreshTimer = useRef(null);
     const isAuthenticated = !!session;
+    const [authProvider, setAuthProvider] = useState("");
 
     function setSession(newSession) {
         // Internal session setter which updates token used by Axios
@@ -100,6 +101,10 @@ export function AuthProvider(props) {
         setSession(newSession);
     }
 
+    function updateProvider(newProvider) {
+        setAuthProvider(newProvider);
+    }
+
     async function refreshSession() {
         try {
             // If not authenticated: just ignore that call
@@ -115,10 +120,14 @@ export function AuthProvider(props) {
     }
 
     function logout(error) {
+        if (authProvider !== ""){
+            console.log(authProvider);
+        }
         // Clears session state and redirects user to the UserLogin page
         let logoutReason = error
             ? { error }
             : { success: "User logged out successfully." };
+        setAuthProvider("");
         updateSession(null);
         navigate("/login", {
             state: {
@@ -217,6 +226,7 @@ export function AuthProvider(props) {
                 hasCapability,
                 refreshSession,
                 updateSession,
+                updateProvider,
                 logout,
             }}
         >
diff --git a/mwdb/web/src/components/OAuth.js b/mwdb/web/src/components/OAuth.js
index 7ceee3e7c..4004466f1 100644
--- a/mwdb/web/src/components/OAuth.js
+++ b/mwdb/web/src/components/OAuth.js
@@ -176,6 +176,7 @@ export function OAuthAuthorize() {
                 });
             } else {
                 auth.updateSession(response.data);
+                auth.updateProvider(provider);
                 navigate("/", {
                     replace: true,
                 });
diff --git a/mwdb/web/src/components/Profile/ProfileView.js b/mwdb/web/src/components/Profile/ProfileView.js
index 4f7cd4ea4..6b47260bd 100644
--- a/mwdb/web/src/components/Profile/ProfileView.js
+++ b/mwdb/web/src/components/Profile/ProfileView.js
@@ -61,6 +61,7 @@ export default function ProfileView() {
         }
     }
 
+    console.log(auth);
     const getProfile = useCallback(updateProfile, [user, redirectToAlert]);
 
     useEffect(() => {
diff --git a/mwdb/web/src/components/Settings/Views/OAuthRegister.js b/mwdb/web/src/components/Settings/Views/OAuthRegister.js
index 2d7e303ad..8e2d1af4c 100644
--- a/mwdb/web/src/components/Settings/Views/OAuthRegister.js
+++ b/mwdb/web/src/components/Settings/Views/OAuthRegister.js
@@ -32,7 +32,6 @@ export default function OAuthRegister() {
 
     function autoFill() {
         if (!discoverData) return;
-        console.log(values);
         const keys = Object.keys(values);
         for (const i in keys) {
             values[keys[i]] = discoverData[keys[i]];

From f1a9a31866a0454c1ca24ec8d674b594887e6962 Mon Sep 17 00:00:00 2001
From: Repumba <tomasz.trzeciak@nask.pl>
Date: Thu, 5 Jan 2023 18:39:05 +0100
Subject: [PATCH 06/25] work in progress

---
 mwdb/app.py                                   |  2 +
 mwdb/model/oauth.py                           |  1 +
 mwdb/resources/oauth.py                       | 47 ++++++++++++++++++-
 mwdb/web/src/commons/api/index.js             |  7 +++
 mwdb/web/src/commons/auth/provider.js         | 32 +++++++++++--
 .../web/src/components/Profile/ProfileView.js |  1 -
 6 files changed, 84 insertions(+), 6 deletions(-)

diff --git a/mwdb/app.py b/mwdb/app.py
index 384db861a..3d8071b85 100755
--- a/mwdb/app.py
+++ b/mwdb/app.py
@@ -62,6 +62,7 @@
     OpenIDProviderResource,
     OpenIDRegisterUserResource,
     OpenIDSingleProviderResource,
+    OpenIDLogoutResource,
 )
 from mwdb.resources.object import (
     ObjectCountResource,
@@ -340,6 +341,7 @@ def require_auth():
     api.add_resource(OpenIDAuthorizeResource, "/oauth/<provider_name>/authorize")
     api.add_resource(OpenIDBindAccountResource, "/oauth/<provider_name>/bind_account")
     api.add_resource(OpenIDRegisterUserResource, "/oauth/<provider_name>/register")
+    api.add_resource(OpenIDLogoutResource, "/oauth/<provider_name>/logout")
 
 # Remote endpoints
 api.add_resource(RemoteListResource, "/remote")
diff --git a/mwdb/model/oauth.py b/mwdb/model/oauth.py
index 5f1986265..283cc4c68 100644
--- a/mwdb/model/oauth.py
+++ b/mwdb/model/oauth.py
@@ -17,6 +17,7 @@ class OpenIDProvider(db.Model):
     token_endpoint = db.Column(db.Text, nullable=False)
     userinfo_endpoint = db.Column(db.Text, nullable=False)
     jwks_endpoint = db.Column(db.Text, nullable=True)
+    logout_endpoint = db.Column(db.Text, nullable=True)
 
     identities = db.relationship(
         "OpenIDUserIdentity",
diff --git a/mwdb/resources/oauth.py b/mwdb/resources/oauth.py
index 67488cee6..e866c4d14 100644
--- a/mwdb/resources/oauth.py
+++ b/mwdb/resources/oauth.py
@@ -5,7 +5,7 @@
 from flask_restful import Resource
 from marshmallow import ValidationError
 from sqlalchemy import and_, exists, or_
-from werkzeug.exceptions import Conflict, Forbidden, NotFound
+from werkzeug.exceptions import Conflict, Forbidden, NotFound, PreconditionFailed
 
 from mwdb.core.capabilities import Capabilities
 from mwdb.core.config import app_config
@@ -620,3 +620,48 @@ def get(self):
             identity.provider.name for identity in g.auth_user.openid_identities
         ]
         return OpenIDProviderListResponseSchema().dump({"providers": identities})
+
+
+@rate_limited_resource
+class OpenIDLogoutResource(Resource):
+    @requires_authorization
+    def get(self, provider_name):
+        """
+        ---
+        summary: Get logout endpoint
+        description: |
+            Get logout endpoint
+        security:
+            - bearerAuth: []
+        tags:
+            - auth
+        parameters:
+            - in: path
+              name: provider_name
+              schema:
+                type: string
+              description: OpenID provider name.
+        responses:
+            200:
+                description: When logged out successfully 
+            404:
+                description: Requested provider doesn't exist
+            412:
+                description: |
+                    end_session_endpoint is not specified for this provider
+            503:
+                description: |
+                    Request canceled due to database statement timeout.
+        """
+        provider = (
+            db.session.query(OpenIDProvider)
+            .filter(OpenIDProvider.name == provider_name)
+            .first()
+        )
+        if not provider:
+            raise NotFound(f"Requested provider name '{provider_name}' not found")
+
+        if provider.logout_endpoint is None:
+            raise PreconditionFailed(f"end_session_endpoint is not specified for {provider_name}")
+
+        return provider.logout_endpoint
\ No newline at end of file
diff --git a/mwdb/web/src/commons/api/index.js b/mwdb/web/src/commons/api/index.js
index bfc8e9563..9d881d9cb 100644
--- a/mwdb/web/src/commons/api/index.js
+++ b/mwdb/web/src/commons/api/index.js
@@ -124,6 +124,12 @@ function oauthGetIdentities() {
     return axios.get("/oauth/identities");
 }
 
+async function oauthGetLogoutLink(provider, token) {
+    const response = await axios.get(`/oauth/${provider}/logout`);
+    const baseURL = getApiForEnvironment();
+    return `${response}?id_token=${token}&post_logout_redirect_uri=${baseURL}`
+}
+
 function apiKeyAdd(login, name) {
     return axios.post(`/user/${login}/api_key`, { name });
 }
@@ -563,6 +569,7 @@ const api = {
     oauthUpdateSingleProvider,
     oauthRemoveSingleProvider,
     oauthGetIdentities,
+    oauthGetLogoutLink,
     authRefresh,
     authSetPassword,
     authRequestPasswordChange,
diff --git a/mwdb/web/src/commons/auth/provider.js b/mwdb/web/src/commons/auth/provider.js
index b6ff12355..f3ddcaf66 100644
--- a/mwdb/web/src/commons/auth/provider.js
+++ b/mwdb/web/src/commons/auth/provider.js
@@ -119,10 +119,7 @@ export function AuthProvider(props) {
         }
     }
 
-    function logout(error) {
-        if (authProvider !== ""){
-            console.log(authProvider);
-        }
+    function _logout(error){
         // Clears session state and redirects user to the UserLogin page
         let logoutReason = error
             ? { error }
@@ -137,6 +134,33 @@ export function AuthProvider(props) {
         });
     }
 
+    function oAuthLogout(){
+        try {
+            let response = api.oauthGetLogoutLink(authProvider, session.token);
+            console.log(response);
+            window.location.href = response;
+        } catch(e) {
+            console.log(e);
+        }
+    }
+
+    function logout(error) {
+        if (error){
+            _logout(error);
+            return;
+        }
+        if (authProvider === ""){
+            _logout(error);
+            return;
+        }
+        let choice = window.confirm("Do you want to logout from OAuth, too?");
+        if (choice) {
+            oAuthLogout();
+            _logout(error);
+        }
+        _logout(error);
+    }
+
     function hasCapability(capability) {
         return isAuthenticated && session.capabilities.indexOf(capability) >= 0;
     }
diff --git a/mwdb/web/src/components/Profile/ProfileView.js b/mwdb/web/src/components/Profile/ProfileView.js
index 6b47260bd..4f7cd4ea4 100644
--- a/mwdb/web/src/components/Profile/ProfileView.js
+++ b/mwdb/web/src/components/Profile/ProfileView.js
@@ -61,7 +61,6 @@ export default function ProfileView() {
         }
     }
 
-    console.log(auth);
     const getProfile = useCallback(updateProfile, [user, redirectToAlert]);
 
     useEffect(() => {

From ba85e0d2a6aba97bafd585fd210407cd8ea4a95f Mon Sep 17 00:00:00 2001
From: Repumba <tomasz.trzeciak@nask.pl>
Date: Wed, 11 Jan 2023 00:16:18 +0100
Subject: [PATCH 07/25] working logout from OpenID, store logout_endpoint, new
 api endpoint for logout url

---
 dev/oidc/init.py                              |  1 +
 mwdb/app.py                                   |  2 +-
 mwdb/resources/auth.py                        |  3 ++
 mwdb/resources/oauth.py                       | 33 ++++++++++---
 mwdb/schema/auth.py                           |  1 +
 mwdb/schema/oauth.py                          |  6 +++
 mwdb/web/src/commons/api/index.js             | 10 ++--
 mwdb/web/src/commons/auth/provider.js         | 46 +++++--------------
 mwdb/web/src/components/Navigation.js         | 40 ++++++++++++++--
 mwdb/web/src/components/OAuth.js              |  1 -
 .../Settings/Views/OAuthRegister.js           |  6 ++-
 11 files changed, 96 insertions(+), 53 deletions(-)

diff --git a/dev/oidc/init.py b/dev/oidc/init.py
index 20b8de026..a1ff4a48b 100644
--- a/dev/oidc/init.py
+++ b/dev/oidc/init.py
@@ -99,6 +99,7 @@
         "userinfo_endpoint": "http://keycloak.:8080/realms/mwdb-oidc-dev/protocol/openid-connect/userinfo",
         "token_endpoint": "http://keycloak.:8080/realms/mwdb-oidc-dev/protocol/openid-connect/token",
         "jwks_endpoint": "http://keycloak.:8080/realms/mwdb-oidc-dev/protocol/openid-connect/certs",
+        "logout_endpoint": "http://127.0.0.1:8080/realms/mwdb-oidc-dev/protocol/openid-connect/logout",
     },
 )
 response.raise_for_status()
diff --git a/mwdb/app.py b/mwdb/app.py
index 3d8071b85..99375bbb9 100755
--- a/mwdb/app.py
+++ b/mwdb/app.py
@@ -59,10 +59,10 @@
     OpenIDAuthenticateResource,
     OpenIDAuthorizeResource,
     OpenIDBindAccountResource,
+    OpenIDLogoutResource,
     OpenIDProviderResource,
     OpenIDRegisterUserResource,
     OpenIDSingleProviderResource,
-    OpenIDLogoutResource,
 )
 from mwdb.resources.object import (
     ObjectCountResource,
diff --git a/mwdb/resources/auth.py b/mwdb/resources/auth.py
index 82eb490a1..258da1c46 100644
--- a/mwdb/resources/auth.py
+++ b/mwdb/resources/auth.py
@@ -109,6 +109,7 @@ def post(self):
 
         user.logged_on = datetime.datetime.now()
         db.session.commit()
+        g.auth_provider = "mwdb"
 
         auth_token = user.generate_session_token()
 
@@ -120,6 +121,7 @@ def post(self):
                 "token": auth_token,
                 "capabilities": user.capabilities,
                 "groups": user.group_names,
+                "provider": g.auth_provider,
             }
         )
 
@@ -425,6 +427,7 @@ def post(self):
                 "token": user.generate_session_token(),
                 "capabilities": user.capabilities,
                 "groups": user.group_names,
+                "provider": g.auth_provider,
             }
         )
 
diff --git a/mwdb/resources/oauth.py b/mwdb/resources/oauth.py
index e866c4d14..052fb984a 100644
--- a/mwdb/resources/oauth.py
+++ b/mwdb/resources/oauth.py
@@ -17,6 +17,7 @@
 from mwdb.schema.oauth import (
     OpenIDAuthorizeRequestSchema,
     OpenIDLoginResponseSchema,
+    OpenIDLogoutLinkResponseSchema,
     OpenIDProviderCreateRequestSchema,
     OpenIDProviderItemResponseSchema,
     OpenIDProviderListResponseSchema,
@@ -100,6 +101,13 @@ def post(self):
         if obj["jwks_endpoint"]:
             jwks_endpoint = obj["jwks_endpoint"]
 
+        logout_endpoint = None
+        if obj["logout_endpoint"]:
+            logout_endpoint = obj["logout_endpoint"]
+
+        if obj["name"] == "mwdb":
+            raise Conflict("This name is restricted")
+
         if db.session.query(
             exists().where(and_(OpenIDProvider.name == obj["name"]))
         ).scalar():
@@ -115,6 +123,7 @@ def post(self):
             token_endpoint=obj["token_endpoint"],
             userinfo_endpoint=obj["userinfo_endpoint"],
             jwks_endpoint=jwks_endpoint,
+            logout_endpoint=logout_endpoint,
         )
 
         group_name = ("OpenID_" + obj["name"])[:32]
@@ -250,6 +259,10 @@ def put(self, provider_name):
         if jwks_endpoint is not None:
             provider.jwks_endpoint = jwks_endpoint
 
+        logout_endpoint = obj["logout_endpoint"]
+        if logout_endpoint is not None:
+            provider.logout_endpoint = logout_endpoint
+
         db.session.commit()
 
         logger.info("Provider updated", extra={"provider": provider_name})
@@ -400,6 +413,7 @@ def post(self, provider_name):
             "User logged in via OpenID Provider",
             extra={"login": user.login, "provider": provider_name},
         )
+        g.auth_provider = provider_name
         schema = AuthSuccessResponseSchema()
         return schema.dump(
             {
@@ -407,6 +421,7 @@ def post(self, provider_name):
                 "token": auth_token,
                 "capabilities": user.capabilities,
                 "groups": user.group_names,
+                "provider": g.auth_provider,
             }
         )
 
@@ -628,9 +643,9 @@ class OpenIDLogoutResource(Resource):
     def get(self, provider_name):
         """
         ---
-        summary: Get logout endpoint
+        summary: Get logout endpoint url
         description: |
-            Get logout endpoint
+            Get logout endpoint url
         security:
             - bearerAuth: []
         tags:
@@ -643,12 +658,15 @@ def get(self, provider_name):
               description: OpenID provider name.
         responses:
             200:
-                description: When logged out successfully 
+                description: When logout endpoint was found
+                content:
+                  application/json:
+                    schema: OpenIDLogoutLinkResponseSchema
             404:
                 description: Requested provider doesn't exist
             412:
                 description: |
-                    end_session_endpoint is not specified for this provider
+                    Logout endpoint is not specified for this provider
             503:
                 description: |
                     Request canceled due to database statement timeout.
@@ -662,6 +680,9 @@ def get(self, provider_name):
             raise NotFound(f"Requested provider name '{provider_name}' not found")
 
         if provider.logout_endpoint is None:
-            raise PreconditionFailed(f"end_session_endpoint is not specified for {provider_name}")
+            raise PreconditionFailed(
+                f"end_session_endpoint is not specified for {provider_name}"
+            )
 
-        return provider.logout_endpoint
\ No newline at end of file
+        schema = OpenIDLogoutLinkResponseSchema()
+        return schema.dump({"url": provider.logout_endpoint})
diff --git a/mwdb/schema/auth.py b/mwdb/schema/auth.py
index 95c8296a0..f4d379dce 100644
--- a/mwdb/schema/auth.py
+++ b/mwdb/schema/auth.py
@@ -47,6 +47,7 @@ class AuthSuccessResponseSchema(UserLoginSchemaBase):
     token = fields.Str(required=True, allow_none=False)
     capabilities = fields.List(fields.Str(), required=True, allow_none=False)
     groups = fields.List(fields.Str(), required=True, allow_none=False)
+    provider = fields.Str(required=True, allow_none=True)
 
 
 class AuthValidateTokenResponseSchema(UserLoginSchemaBase):
diff --git a/mwdb/schema/oauth.py b/mwdb/schema/oauth.py
index deef29d7d..bd419aaf0 100644
--- a/mwdb/schema/oauth.py
+++ b/mwdb/schema/oauth.py
@@ -9,6 +9,7 @@ class OpenIDProviderCreateRequestSchema(Schema):
     token_endpoint = fields.Str(required=True, allow_none=False)
     userinfo_endpoint = fields.Str(required=True, allow_none=False)
     jwks_endpoint = fields.Str(required=True, allow_none=True)
+    logout_endpoint = fields.Str(required=False, allow_none=True)
 
 
 class OpenIDProviderItemResponseSchema(OpenIDProviderCreateRequestSchema):
@@ -23,6 +24,7 @@ class OpenIDProviderUpdateRequestSchema(Schema):
     token_endpoint = fields.Str(missing=None)
     userinfo_endpoint = fields.Str(missing=None)
     jwks_endpoint = fields.Str(missing=None)
+    logout_endpoint = fields.Str(missing=None)
 
 
 class OpenIDAuthorizeRequestSchema(Schema):
@@ -43,3 +45,7 @@ class OpenIDLoginResponseSchema(Schema):
     authorization_url = fields.Str(required=True, allow_none=False)
     state = fields.Str(required=True, allow_none=False)
     nonce = fields.Str(required=True, allow_none=False)
+
+
+class OpenIDLogoutLinkResponseSchema(Schema):
+    url = fields.Str(required=True, allow_none=False)
diff --git a/mwdb/web/src/commons/api/index.js b/mwdb/web/src/commons/api/index.js
index 9d881d9cb..454c6393b 100644
--- a/mwdb/web/src/commons/api/index.js
+++ b/mwdb/web/src/commons/api/index.js
@@ -91,7 +91,8 @@ function oauthRegisterProvider(
     authorization_endpoint,
     token_endpoint,
     userinfo_endpoint,
-    jwks_endpoint
+    jwks_endpoint,
+    logout_endpoint
 ) {
     return axios.post(`/oauth`, {
         name,
@@ -101,6 +102,7 @@ function oauthRegisterProvider(
         token_endpoint,
         userinfo_endpoint,
         jwks_endpoint,
+        logout_endpoint,
     });
 }
 
@@ -124,10 +126,8 @@ function oauthGetIdentities() {
     return axios.get("/oauth/identities");
 }
 
-async function oauthGetLogoutLink(provider, token) {
-    const response = await axios.get(`/oauth/${provider}/logout`);
-    const baseURL = getApiForEnvironment();
-    return `${response}?id_token=${token}&post_logout_redirect_uri=${baseURL}`
+async function oauthGetLogoutLink(provider) {
+    return axios.get(`/oauth/${provider}/logout`);
 }
 
 function apiKeyAdd(login, name) {
diff --git a/mwdb/web/src/commons/auth/provider.js b/mwdb/web/src/commons/auth/provider.js
index f3ddcaf66..009863603 100644
--- a/mwdb/web/src/commons/auth/provider.js
+++ b/mwdb/web/src/commons/auth/provider.js
@@ -74,7 +74,6 @@ export function AuthProvider(props) {
     const [session, _setSession] = useState(getStoredAuthSession());
     const refreshTimer = useRef(null);
     const isAuthenticated = !!session;
-    const [authProvider, setAuthProvider] = useState("");
 
     function setSession(newSession) {
         // Internal session setter which updates token used by Axios
@@ -101,10 +100,6 @@ export function AuthProvider(props) {
         setSession(newSession);
     }
 
-    function updateProvider(newProvider) {
-        setAuthProvider(newProvider);
-    }
-
     async function refreshSession() {
         try {
             // If not authenticated: just ignore that call
@@ -119,12 +114,20 @@ export function AuthProvider(props) {
         }
     }
 
-    function _logout(error){
+    async function oAuthLogout() {
+        try {
+            let response = await api.oauthGetLogoutLink(session.provider);
+            window.location.href = response.data.url;
+        } catch (e) {
+            console.log(e);
+        }
+    }
+
+    function logout(error) {
         // Clears session state and redirects user to the UserLogin page
         let logoutReason = error
             ? { error }
             : { success: "User logged out successfully." };
-        setAuthProvider("");
         updateSession(null);
         navigate("/login", {
             state: {
@@ -134,33 +137,6 @@ export function AuthProvider(props) {
         });
     }
 
-    function oAuthLogout(){
-        try {
-            let response = api.oauthGetLogoutLink(authProvider, session.token);
-            console.log(response);
-            window.location.href = response;
-        } catch(e) {
-            console.log(e);
-        }
-    }
-
-    function logout(error) {
-        if (error){
-            _logout(error);
-            return;
-        }
-        if (authProvider === ""){
-            _logout(error);
-            return;
-        }
-        let choice = window.confirm("Do you want to logout from OAuth, too?");
-        if (choice) {
-            oAuthLogout();
-            _logout(error);
-        }
-        _logout(error);
-    }
-
     function hasCapability(capability) {
         return isAuthenticated && session.capabilities.indexOf(capability) >= 0;
     }
@@ -250,8 +226,8 @@ export function AuthProvider(props) {
                 hasCapability,
                 refreshSession,
                 updateSession,
-                updateProvider,
                 logout,
+                oAuthLogout,
             }}
         >
             {props.children}
diff --git a/mwdb/web/src/components/Navigation.js b/mwdb/web/src/components/Navigation.js
index d35207d86..327c72d2d 100644
--- a/mwdb/web/src/components/Navigation.js
+++ b/mwdb/web/src/components/Navigation.js
@@ -1,4 +1,4 @@
-import React, { useContext } from "react";
+import React, { useContext, useState } from "react";
 import { Link } from "react-router-dom";
 
 import {
@@ -14,7 +14,7 @@ import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { AuthContext, Capability } from "@mwdb-web/commons/auth";
 import { ConfigContext } from "@mwdb-web/commons/config";
 import { fromPlugin, Extendable } from "@mwdb-web/commons/extensions";
-import { NavDropdown } from "@mwdb-web/commons/ui";
+import { ConfirmationModal, NavDropdown } from "@mwdb-web/commons/ui";
 import { useRemote, useRemotePath } from "@mwdb-web/commons/remotes";
 
 import logo from "../assets/logo.png";
@@ -89,6 +89,7 @@ export default function Navigation() {
     const config = useContext(ConfigContext);
     const remote = useRemote();
     const remotePath = useRemotePath();
+    const [isModalOpen, setIsModalOpen] = useState(false);
     const navItems = config.isReady ? (
         <Extendable ident="navbar">
             {auth.isAuthenticated ? (
@@ -270,12 +271,45 @@ export default function Navigation() {
                                                         />
                                                         {auth.user.login}
                                                     </Link>
+                                                    <ConfirmationModal
+                                                        isOpen={isModalOpen}
+                                                        message="Logout"
+                                                        cancelText="Logout only from MWDB"
+                                                        confirmText="Logout from MWDB and OAuth"
+                                                        onRequestClose={() => {
+                                                            setIsModalOpen(
+                                                                false
+                                                            );
+                                                            auth.logout();
+                                                        }}
+                                                        onConfirm={() => {
+                                                            setIsModalOpen(
+                                                                false
+                                                            );
+                                                            auth.oAuthLogout();
+                                                            auth.logout();
+                                                        }}
+                                                        buttonStyle="btn-danger"
+                                                    >
+                                                        You are about to log out
+                                                        from MWDB
+                                                    </ConfirmationModal>
                                                     <a
                                                         className="btn btn-outline-danger"
                                                         href="#logout"
                                                         onClick={(ev) => {
                                                             ev.preventDefault();
-                                                            auth.logout();
+                                                            if (
+                                                                auth.user
+                                                                    .provider ===
+                                                                "mwdb"
+                                                            ) {
+                                                                auth.logout();
+                                                            } else {
+                                                                setIsModalOpen(
+                                                                    true
+                                                                );
+                                                            }
                                                         }}
                                                     >
                                                         Logout
diff --git a/mwdb/web/src/components/OAuth.js b/mwdb/web/src/components/OAuth.js
index 92544b975..d5638cdcb 100644
--- a/mwdb/web/src/components/OAuth.js
+++ b/mwdb/web/src/components/OAuth.js
@@ -119,7 +119,6 @@ export function OAuthAuthorize() {
                 });
             } else {
                 auth.updateSession(response.data);
-                auth.updateProvider(provider);
                 navigate("/", {
                     replace: true,
                 });
diff --git a/mwdb/web/src/components/Settings/Views/OAuthRegister.js b/mwdb/web/src/components/Settings/Views/OAuthRegister.js
index 8e2d1af4c..687fac8d7 100644
--- a/mwdb/web/src/components/Settings/Views/OAuthRegister.js
+++ b/mwdb/web/src/components/Settings/Views/OAuthRegister.js
@@ -56,7 +56,8 @@ export default function OAuthRegister() {
                 values.authorization_endpoint,
                 values.token_endpoint,
                 values.userinfo_endpoint,
-                values.jwks_endpoint
+                values.jwks_endpoint,
+                values.logout_endpoint
             );
             viewAlert.redirectToAlert({
                 target: `/settings/oauth`,
@@ -86,7 +87,8 @@ export default function OAuthRegister() {
         discoverURL,
         viewAlert,
     ]);
-    const autoFillCallback = useCallback(autoFill, [discoverData, values]);
+    // eslint-disable-next-line
+    const autoFillCallback = useCallback(autoFill, [discoverData]);
 
     useEffect(() => {
         getDiscover();

From 46dc8f71e8092d48741863c905a8c2a5ef356b66 Mon Sep 17 00:00:00 2001
From: Repumba <tomasz.trzeciak@nask.pl>
Date: Wed, 11 Jan 2023 12:51:48 +0100
Subject: [PATCH 08/25] fix bug with discover endpoint

---
 mwdb/web/src/components/Navigation.js                   | 2 +-
 mwdb/web/src/components/Settings/Views/OAuthRegister.js | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/mwdb/web/src/components/Navigation.js b/mwdb/web/src/components/Navigation.js
index 327c72d2d..65c411c14 100644
--- a/mwdb/web/src/components/Navigation.js
+++ b/mwdb/web/src/components/Navigation.js
@@ -275,7 +275,7 @@ export default function Navigation() {
                                                         isOpen={isModalOpen}
                                                         message="Logout"
                                                         cancelText="Logout only from MWDB"
-                                                        confirmText="Logout from MWDB and OAuth"
+                                                        confirmText={`Logout from MWDB and ${auth.user.provider}`}
                                                         onRequestClose={() => {
                                                             setIsModalOpen(
                                                                 false
diff --git a/mwdb/web/src/components/Settings/Views/OAuthRegister.js b/mwdb/web/src/components/Settings/Views/OAuthRegister.js
index 687fac8d7..9be399e4c 100644
--- a/mwdb/web/src/components/Settings/Views/OAuthRegister.js
+++ b/mwdb/web/src/components/Settings/Views/OAuthRegister.js
@@ -34,7 +34,8 @@ export default function OAuthRegister() {
         if (!discoverData) return;
         const keys = Object.keys(values);
         for (const i in keys) {
-            values[keys[i]] = discoverData[keys[i]];
+            if (typeof discoverData[keys[i]] !== "undefined")
+                values[keys[i]] = discoverData[keys[i]];
         }
         if (typeof discoverData["jwks_uri"] === "undefined")
             discoverData["jwks_uri"] = "";

From 88593fad8aeb93f321acc02df030d1349bbdb4a9 Mon Sep 17 00:00:00 2001
From: Repumba <tomasz.trzeciak@nask.pl>
Date: Wed, 11 Jan 2023 13:55:12 +0100
Subject: [PATCH 09/25] add onCancel to ConfirmationModal

---
 mwdb/web/src/commons/ui/ConfirmationModal.js | 2 +-
 mwdb/web/src/components/Navigation.js        | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/mwdb/web/src/commons/ui/ConfirmationModal.js b/mwdb/web/src/commons/ui/ConfirmationModal.js
index 34fa214f4..d369a31e2 100644
--- a/mwdb/web/src/commons/ui/ConfirmationModal.js
+++ b/mwdb/web/src/commons/ui/ConfirmationModal.js
@@ -44,7 +44,7 @@ export default function ConfirmationModal(props) {
                     type="button"
                     className="btn btn-secondary"
                     data-dismiss="modal"
-                    onClick={props.onRequestClose}
+                    onClick={props.onCancel || props.onRequestClose}
                     disabled={props.disabled}
                 >
                     {props.cancelText || "Close"}
diff --git a/mwdb/web/src/components/Navigation.js b/mwdb/web/src/components/Navigation.js
index 65c411c14..bfc2cbcaf 100644
--- a/mwdb/web/src/components/Navigation.js
+++ b/mwdb/web/src/components/Navigation.js
@@ -276,12 +276,17 @@ export default function Navigation() {
                                                         message="Logout"
                                                         cancelText="Logout only from MWDB"
                                                         confirmText={`Logout from MWDB and ${auth.user.provider}`}
-                                                        onRequestClose={() => {
+                                                        onCancel={() => {
                                                             setIsModalOpen(
                                                                 false
                                                             );
                                                             auth.logout();
                                                         }}
+                                                        onRequestClose={() => {
+                                                            setIsModalOpen(
+                                                                false
+                                                            );
+                                                        }}
                                                         onConfirm={() => {
                                                             setIsModalOpen(
                                                                 false

From 13e0deafa4c550c6cab4d6f873cda70c1adf49b8 Mon Sep 17 00:00:00 2001
From: Repumba <tomasz.trzeciak@nask.pl>
Date: Wed, 18 Jan 2023 11:43:43 +0100
Subject: [PATCH 10/25] Feedback for user the there is no logout_endpoint

---
 mwdb/resources/oauth.py               | 2 +-
 mwdb/web/src/commons/auth/provider.js | 2 ++
 mwdb/web/src/components/Navigation.js | 7 ++++---
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/mwdb/resources/oauth.py b/mwdb/resources/oauth.py
index 052fb984a..b0d6803e3 100644
--- a/mwdb/resources/oauth.py
+++ b/mwdb/resources/oauth.py
@@ -679,7 +679,7 @@ def get(self, provider_name):
         if not provider:
             raise NotFound(f"Requested provider name '{provider_name}' not found")
 
-        if provider.logout_endpoint is None:
+        if not provider.logout_endpoint:
             raise PreconditionFailed(
                 f"end_session_endpoint is not specified for {provider_name}"
             )
diff --git a/mwdb/web/src/commons/auth/provider.js b/mwdb/web/src/commons/auth/provider.js
index 009863603..3c0123561 100644
--- a/mwdb/web/src/commons/auth/provider.js
+++ b/mwdb/web/src/commons/auth/provider.js
@@ -118,8 +118,10 @@ export function AuthProvider(props) {
         try {
             let response = await api.oauthGetLogoutLink(session.provider);
             window.location.href = response.data.url;
+            return null;
         } catch (e) {
             console.log(e);
+            return e.response.data.message;
         }
     }
 
diff --git a/mwdb/web/src/components/Navigation.js b/mwdb/web/src/components/Navigation.js
index bfc2cbcaf..060769fe4 100644
--- a/mwdb/web/src/components/Navigation.js
+++ b/mwdb/web/src/components/Navigation.js
@@ -287,12 +287,13 @@ export default function Navigation() {
                                                                 false
                                                             );
                                                         }}
-                                                        onConfirm={() => {
+                                                        onConfirm={async () => {
                                                             setIsModalOpen(
                                                                 false
                                                             );
-                                                            auth.oAuthLogout();
-                                                            auth.logout();
+                                                            let e =
+                                                                await auth.oAuthLogout();
+                                                            auth.logout(e);
                                                         }}
                                                         buttonStyle="btn-danger"
                                                     >

From 5634fc3c87eb95114f3cc65f353bd7973bd20afc Mon Sep 17 00:00:00 2001
From: Tomek Chytry-Trzeciak <75318192+Repumba@users.noreply.github.com>
Date: Wed, 25 Jan 2023 12:32:48 +0100
Subject: [PATCH 11/25] Update mwdb/resources/oauth.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Paweł Srokosz <pawel.srokosz@cert.pl>
---
 mwdb/resources/oauth.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mwdb/resources/oauth.py b/mwdb/resources/oauth.py
index b0d6803e3..0d7d33ca9 100644
--- a/mwdb/resources/oauth.py
+++ b/mwdb/resources/oauth.py
@@ -680,9 +680,9 @@ def get(self, provider_name):
             raise NotFound(f"Requested provider name '{provider_name}' not found")
 
         if not provider.logout_endpoint:
-            raise PreconditionFailed(
-                f"end_session_endpoint is not specified for {provider_name}"
-            )
+            raise NotFound(
+                f"Logout endpoint is not configured for '{provider_name}'"
+            )```
 
         schema = OpenIDLogoutLinkResponseSchema()
         return schema.dump({"url": provider.logout_endpoint})

From fbd54eb2438c05475cbb6e83ac8d32a004a8dbc6 Mon Sep 17 00:00:00 2001
From: Repumba <t.a.trzeciak@gmail.com>
Date: Tue, 7 Feb 2023 14:26:10 +0100
Subject: [PATCH 12/25] store provider in jwt token

---
 mwdb/app.py                                   |  3 +-
 mwdb/core/search/fields.py                    |  2 +-
 ...3d1497694_create_logout_endpoint_column.py | 12 ++++----
 mwdb/model/user.py                            | 28 +++++++++++++------
 mwdb/resources/auth.py                        |  5 ++--
 mwdb/resources/oauth.py                       | 14 ++++------
 mwdb/resources/remotes.py                     |  4 +--
 mwdb/web/src/components/Navigation.jsx        |  2 +-
 8 files changed, 39 insertions(+), 31 deletions(-)

diff --git a/mwdb/app.py b/mwdb/app.py
index 99375bbb9..22436e928 100755
--- a/mwdb/app.py
+++ b/mwdb/app.py
@@ -167,10 +167,11 @@ def require_auth():
     auth = request.headers.get("Authorization")
 
     g.auth_user = None
+    g.auth_provider = None
 
     if auth and auth.startswith("Bearer "):
         token = auth.split(" ", 1)[1]
-        g.auth_user = User.verify_session_token(token)
+        g.auth_user, g.auth_provider = User.verify_session_token(token)
         # Not a session token? Maybe APIKey token
         if g.auth_user is None:
             g.auth_user = APIKey.verify_token(token)
diff --git a/mwdb/core/search/fields.py b/mwdb/core/search/fields.py
index e70000303..3bf328230 100644
--- a/mwdb/core/search/fields.py
+++ b/mwdb/core/search/fields.py
@@ -173,7 +173,7 @@ class SizeField(BaseField):
     def _get_condition(
         self, expression: Expression, subfields: List[Tuple[str, int]]
     ) -> Any:
-        units = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3}
+        units = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
 
         def parse_size(size):
             if size.isdigit():
diff --git a/mwdb/model/migrations/versions/bd93d1497694_create_logout_endpoint_column.py b/mwdb/model/migrations/versions/bd93d1497694_create_logout_endpoint_column.py
index 75599ca24..b7eb772be 100644
--- a/mwdb/model/migrations/versions/bd93d1497694_create_logout_endpoint_column.py
+++ b/mwdb/model/migrations/versions/bd93d1497694_create_logout_endpoint_column.py
@@ -18,16 +18,16 @@
 def upgrade():
     op.execute(
         """
-    ALTER TABLE public.openid_provider
-    ADD logout_endpoint text;
-    """
+            ALTER TABLE public.openid_provider
+            ADD logout_endpoint text;
+        """
     )
 
 
 def downgrade():
     op.execute(
         """
-        ALTER TABLE public.openid_provider
-        DROP COLUMN logout_endpoint;
-    """
+            ALTER TABLE public.openid_provider
+            DROP COLUMN logout_endpoint;
+        """
     )
diff --git a/mwdb/model/user.py b/mwdb/model/user.py
index 3e3a16a70..0039d3a99 100644
--- a/mwdb/model/user.py
+++ b/mwdb/model/user.py
@@ -154,19 +154,22 @@ def create(
             db.session.commit()
         return user
 
-    def _generate_token(self, fields, scope, expiration):
+    def _generate_token(self, fields, scope, expiration, **kwargs):
         token = generate_token(
-            dict(
-                [("login", self.login)]
-                + [(field, getattr(self, field)) for field in fields]
-            ),
+            {
+                **dict(
+                    [("login", self.login)]
+                    + [(field, getattr(self, field)) for field in fields]
+                ),
+                **kwargs,
+            },
             scope,
             expiration,
         )
         return token
 
     @staticmethod
-    def _verify_token(token, fields, scope):
+    def _verify_token(token, fields, scope, return_provider=False):
         data = verify_token(token, scope)
         if data is None:
             return None
@@ -182,13 +185,17 @@ def _verify_token(token, fields, scope):
             if data[field] != getattr(user_obj, field):
                 return None
 
-        return user_obj
+        if return_provider:
+            return user_obj, data["provider"]
+        else:
+            return user_obj
 
-    def generate_session_token(self):
+    def generate_session_token(self, provider=None):
         return self._generate_token(
             ["password_ver", "identity_ver"],
             scope=AuthScope.session,
             expiration=24 * 3600,
+            provider=provider,
         )
 
     def generate_set_password_token(self):
@@ -201,7 +208,10 @@ def generate_set_password_token(self):
     @staticmethod
     def verify_session_token(token):
         return User._verify_token(
-            token, ["password_ver", "identity_ver"], scope=AuthScope.session
+            token,
+            ["password_ver", "identity_ver"],
+            scope=AuthScope.session,
+            return_provider=True,
         )
 
     @staticmethod
diff --git a/mwdb/resources/auth.py b/mwdb/resources/auth.py
index 258da1c46..363f8e17c 100644
--- a/mwdb/resources/auth.py
+++ b/mwdb/resources/auth.py
@@ -109,7 +109,6 @@ def post(self):
 
         user.logged_on = datetime.datetime.now()
         db.session.commit()
-        g.auth_provider = "mwdb"
 
         auth_token = user.generate_session_token()
 
@@ -121,7 +120,7 @@ def post(self):
                 "token": auth_token,
                 "capabilities": user.capabilities,
                 "groups": user.group_names,
-                "provider": g.auth_provider,
+                "provider": None,
             }
         )
 
@@ -424,7 +423,7 @@ def post(self):
         return schema.dump(
             {
                 "login": user.login,
-                "token": user.generate_session_token(),
+                "token": user.generate_session_token(provider=g.auth_provider),
                 "capabilities": user.capabilities,
                 "groups": user.group_names,
                 "provider": g.auth_provider,
diff --git a/mwdb/resources/oauth.py b/mwdb/resources/oauth.py
index 0d7d33ca9..de3fe74eb 100644
--- a/mwdb/resources/oauth.py
+++ b/mwdb/resources/oauth.py
@@ -5,7 +5,7 @@
 from flask_restful import Resource
 from marshmallow import ValidationError
 from sqlalchemy import and_, exists, or_
-from werkzeug.exceptions import Conflict, Forbidden, NotFound, PreconditionFailed
+from werkzeug.exceptions import Conflict, Forbidden, NotFound
 
 from mwdb.core.capabilities import Capabilities
 from mwdb.core.config import app_config
@@ -407,13 +407,12 @@ def post(self, provider_name):
         user.logged_on = datetime.datetime.now()
         db.session.commit()
 
-        auth_token = user.generate_session_token()
+        auth_token = user.generate_session_token(provider=provider_name)
 
         logger.info(
             "User logged in via OpenID Provider",
             extra={"login": user.login, "provider": provider_name},
         )
-        g.auth_provider = provider_name
         schema = AuthSuccessResponseSchema()
         return schema.dump(
             {
@@ -421,7 +420,7 @@ def post(self, provider_name):
                 "token": auth_token,
                 "capabilities": user.capabilities,
                 "groups": user.group_names,
-                "provider": g.auth_provider,
+                "provider": provider_name,
             }
         )
 
@@ -501,7 +500,7 @@ def post(self, provider_name):
         user.logged_on = datetime.datetime.now()
         db.session.commit()
 
-        auth_token = user.generate_session_token()
+        auth_token = user.generate_session_token(provider=provider_name)
 
         user_private_group = next(
             (g for g in user.groups if g.name == user.login), None
@@ -521,6 +520,7 @@ def post(self, provider_name):
                 "token": auth_token,
                 "capabilities": user.capabilities,
                 "groups": user.group_names,
+                "provider": provider_name,
             }
         )
 
@@ -680,9 +680,7 @@ def get(self, provider_name):
             raise NotFound(f"Requested provider name '{provider_name}' not found")
 
         if not provider.logout_endpoint:
-            raise NotFound(
-                f"Logout endpoint is not configured for '{provider_name}'"
-            )```
+            raise NotFound(f"Logout endpoint is not configured for '{provider_name}'")
 
         schema = OpenIDLogoutLinkResponseSchema()
         return schema.dump({"url": provider.logout_endpoint})
diff --git a/mwdb/resources/remotes.py b/mwdb/resources/remotes.py
index 2cc21dbe0..1e3d24905 100644
--- a/mwdb/resources/remotes.py
+++ b/mwdb/resources/remotes.py
@@ -95,7 +95,7 @@ def do_request(self, method, remote_name, remote_path):
             method, remote_path, params=request.args, data=request.data, stream=True
         )
         return Response(
-            response.iter_content(chunk_size=2**16),
+            response.iter_content(chunk_size=2 ** 16),
             mimetype=response.headers["content-type"],
         )
 
@@ -201,7 +201,7 @@ def post(self, remote_name, identifier):
         )
         share_with = get_shares_for_upload(options["upload_as"])
         with SpooledTemporaryFile() as file_stream:
-            for chunk in response.iter_content(chunk_size=2**16):
+            for chunk in response.iter_content(chunk_size=2 ** 16):
                 file_stream.write(chunk)
             file_stream.seek(0)
             try:
diff --git a/mwdb/web/src/components/Navigation.jsx b/mwdb/web/src/components/Navigation.jsx
index 6ad13c9fd..e1779334a 100644
--- a/mwdb/web/src/components/Navigation.jsx
+++ b/mwdb/web/src/components/Navigation.jsx
@@ -309,7 +309,7 @@ export default function Navigation() {
                                                             if (
                                                                 auth.user
                                                                     .provider ===
-                                                                "mwdb"
+                                                                null
                                                             ) {
                                                                 auth.logout();
                                                             } else {

From 7db6f2c87c1d38a8e8182155426dadfea359c0fb Mon Sep 17 00:00:00 2001
From: Repumba <t.a.trzeciak@gmail.com>
Date: Tue, 7 Feb 2023 15:49:43 +0100
Subject: [PATCH 13/25] formatting

---
 mwdb/core/search/fields.py | 2 +-
 mwdb/resources/remotes.py  | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/mwdb/core/search/fields.py b/mwdb/core/search/fields.py
index 3bf328230..e70000303 100644
--- a/mwdb/core/search/fields.py
+++ b/mwdb/core/search/fields.py
@@ -173,7 +173,7 @@ class SizeField(BaseField):
     def _get_condition(
         self, expression: Expression, subfields: List[Tuple[str, int]]
     ) -> Any:
-        units = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
+        units = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3}
 
         def parse_size(size):
             if size.isdigit():
diff --git a/mwdb/resources/remotes.py b/mwdb/resources/remotes.py
index 1e3d24905..2cc21dbe0 100644
--- a/mwdb/resources/remotes.py
+++ b/mwdb/resources/remotes.py
@@ -95,7 +95,7 @@ def do_request(self, method, remote_name, remote_path):
             method, remote_path, params=request.args, data=request.data, stream=True
         )
         return Response(
-            response.iter_content(chunk_size=2 ** 16),
+            response.iter_content(chunk_size=2**16),
             mimetype=response.headers["content-type"],
         )
 
@@ -201,7 +201,7 @@ def post(self, remote_name, identifier):
         )
         share_with = get_shares_for_upload(options["upload_as"])
         with SpooledTemporaryFile() as file_stream:
-            for chunk in response.iter_content(chunk_size=2 ** 16):
+            for chunk in response.iter_content(chunk_size=2**16):
                 file_stream.write(chunk)
             file_stream.seek(0)
             try:

From a8e0132212e5314d5cc41d69ed38cca40e04790b Mon Sep 17 00:00:00 2001
From: Repumba <t.a.trzeciak@gmail.com>
Date: Tue, 7 Feb 2023 17:24:28 +0100
Subject: [PATCH 14/25] bug fixes

---
 mwdb/app.py        |  4 +++-
 mwdb/core/auth.py  | 24 ++++++++++++++++++++++++
 mwdb/model/user.py |  8 ++------
 3 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/mwdb/app.py b/mwdb/app.py
index 22436e928..1e6642b33 100755
--- a/mwdb/app.py
+++ b/mwdb/app.py
@@ -6,6 +6,7 @@
 from werkzeug.routing import BaseConverter
 
 from mwdb.core.app import api, app
+from mwdb.core.auth import get_provider_from_token
 from mwdb.core.config import app_config
 from mwdb.core.log import getLogger, setup_logger
 from mwdb.core.plugins import PluginAppContext, load_plugins
@@ -171,7 +172,8 @@ def require_auth():
 
     if auth and auth.startswith("Bearer "):
         token = auth.split(" ", 1)[1]
-        g.auth_user, g.auth_provider = User.verify_session_token(token)
+        g.auth_user = User.verify_session_token(token)
+        g.auth_provider = get_provider_from_token(token)
         # Not a session token? Maybe APIKey token
         if g.auth_user is None:
             g.auth_user = APIKey.verify_token(token)
diff --git a/mwdb/core/auth.py b/mwdb/core/auth.py
index ab3f89ac2..3760d808f 100644
--- a/mwdb/core/auth.py
+++ b/mwdb/core/auth.py
@@ -52,6 +52,30 @@ def verify_token(token: str, scope: AuthScope) -> Any:
     return data
 
 
+def get_provider_from_token(token: str, scope=AuthScope.session) -> Any:
+    try:
+        data = jwt.decode(
+            token,
+            key=app_config.mwdb.secret_key,
+            algorithms=["HS512"],
+            audience=app_config.mwdb.base_url,
+            options={"verify_aud": True},
+        )
+        if data.get("scope") != scope.value:
+            return None
+
+        if scope.value != "download_file" and "sub" not in data:
+            return None
+
+    except jwt.InvalidTokenError:
+        return None
+
+    if "provider" in data:
+        return data["provider"]
+    else:
+        return None
+
+
 def verify_legacy_token(token: str, required_fields: Set[str]) -> Any:
     try:
         data = jwt.decode(
diff --git a/mwdb/model/user.py b/mwdb/model/user.py
index 0039d3a99..a43c9a071 100644
--- a/mwdb/model/user.py
+++ b/mwdb/model/user.py
@@ -169,7 +169,7 @@ def _generate_token(self, fields, scope, expiration, **kwargs):
         return token
 
     @staticmethod
-    def _verify_token(token, fields, scope, return_provider=False):
+    def _verify_token(token, fields, scope):
         data = verify_token(token, scope)
         if data is None:
             return None
@@ -185,10 +185,7 @@ def _verify_token(token, fields, scope, return_provider=False):
             if data[field] != getattr(user_obj, field):
                 return None
 
-        if return_provider:
-            return user_obj, data["provider"]
-        else:
-            return user_obj
+        return user_obj
 
     def generate_session_token(self, provider=None):
         return self._generate_token(
@@ -211,7 +208,6 @@ def verify_session_token(token):
             token,
             ["password_ver", "identity_ver"],
             scope=AuthScope.session,
-            return_provider=True,
         )
 
     @staticmethod

From f08d313ec8fa68bed6eac3bc0c162176f2d9e7c1 Mon Sep 17 00:00:00 2001
From: Repumba <t.a.trzeciak@gmail.com>
Date: Tue, 7 Feb 2023 20:33:07 +0100
Subject: [PATCH 15/25] update revision number (head)

---
 .../versions/bd93d1497694_create_logout_endpoint_column.py    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mwdb/model/migrations/versions/bd93d1497694_create_logout_endpoint_column.py b/mwdb/model/migrations/versions/bd93d1497694_create_logout_endpoint_column.py
index b7eb772be..b503d4e83 100644
--- a/mwdb/model/migrations/versions/bd93d1497694_create_logout_endpoint_column.py
+++ b/mwdb/model/migrations/versions/bd93d1497694_create_logout_endpoint_column.py
@@ -1,7 +1,7 @@
 """create_logout_endpoint_column
 
 Revision ID: bd93d1497694
-Revises: 25ea40a798ac
+Revises: 717b5da712b8
 Create Date: 2023-01-04 17:14:22.271856
 
 """
@@ -10,7 +10,7 @@
 
 # revision identifiers, used by Alembic.
 revision = "bd93d1497694"
-down_revision = "25ea40a798ac"
+down_revision = "717b5da712b8"
 branch_labels = None
 depends_on = None
 

From 284c090ba5cee91a6b6ef4ad2698f4a7576d6b57 Mon Sep 17 00:00:00 2001
From: Repumba <t.a.trzeciak@gmail.com>
Date: Wed, 8 Feb 2023 10:55:07 +0100
Subject: [PATCH 16/25] remove old condition, develop oidc init

---
 dev/oidc/init.py                       | 28 ++++++++++++++++++++++++++
 mwdb/resources/oauth.py                |  3 ---
 mwdb/web/src/components/Navigation.jsx |  5 ++++-
 3 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/dev/oidc/init.py b/dev/oidc/init.py
index a1ff4a48b..b4ef6d019 100644
--- a/dev/oidc/init.py
+++ b/dev/oidc/init.py
@@ -87,6 +87,34 @@
     "Content-Type": "application/json",
 }
 
+print("[+] Creating user foo in MWDB with password foofoofoo")
+
+response = mwdb_session.post(
+    "http://127.0.0.1/api/user/foo",
+    json={
+        "email": "foo@mwdb.local",
+        "feed_quality": "high",
+        "send_email": False,
+        "additional_info": "string"
+    }
+)
+response.raise_for_status()
+
+response = mwdb_session.get(
+    "http://127.0.0.1/api/user/foo/change_password"
+)
+response.raise_for_status()
+password_token = response.json()['token']
+
+response = requests.post(
+    "http://127.0.0.1/api/auth/change_password",
+    json={
+        "password": "foofoofoo",
+        "token": password_token
+    }
+)
+response.raise_for_status()
+
 print("[+] Registering new OIDC provider")
 
 response = mwdb_session.post(
diff --git a/mwdb/resources/oauth.py b/mwdb/resources/oauth.py
index de3fe74eb..4b7d11a03 100644
--- a/mwdb/resources/oauth.py
+++ b/mwdb/resources/oauth.py
@@ -105,9 +105,6 @@ def post(self):
         if obj["logout_endpoint"]:
             logout_endpoint = obj["logout_endpoint"]
 
-        if obj["name"] == "mwdb":
-            raise Conflict("This name is restricted")
-
         if db.session.query(
             exists().where(and_(OpenIDProvider.name == obj["name"]))
         ).scalar():
diff --git a/mwdb/web/src/components/Navigation.jsx b/mwdb/web/src/components/Navigation.jsx
index e1779334a..78b5cc7ca 100644
--- a/mwdb/web/src/components/Navigation.jsx
+++ b/mwdb/web/src/components/Navigation.jsx
@@ -309,7 +309,10 @@ export default function Navigation() {
                                                             if (
                                                                 auth.user
                                                                     .provider ===
-                                                                null
+                                                                    null ||
+                                                                auth.user
+                                                                    .provider ===
+                                                                    undefined
                                                             ) {
                                                                 auth.logout();
                                                             } else {

From da6fa028ad70309e9e06ab43f9c4f7a302a29855 Mon Sep 17 00:00:00 2001
From: Tomek Chytry-Trzeciak <75318192+Repumba@users.noreply.github.com>
Date: Thu, 16 Feb 2023 10:36:03 +0100
Subject: [PATCH 17/25] Update mwdb/model/user.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Paweł Srokosz <pawel.srokosz@cert.pl>
---
 mwdb/model/user.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mwdb/model/user.py b/mwdb/model/user.py
index a43c9a071..08348e448 100644
--- a/mwdb/model/user.py
+++ b/mwdb/model/user.py
@@ -154,7 +154,10 @@ def create(
             db.session.commit()
         return user
 
-    def _generate_token(self, fields, scope, expiration, **kwargs):
+    def _generate_token(self, user_fields, scope, expiration, **extra_fields):
+        token_data = {"login": self.login, **extra_fields}
+        for field in user_fields:
+           token_data[field] = getattr(self, field)
         token = generate_token(
             {
                 **dict(

From 1d83339051c7df0c62c38677be626982be5557f7 Mon Sep 17 00:00:00 2001
From: Tomek Chytry-Trzeciak <75318192+Repumba@users.noreply.github.com>
Date: Thu, 16 Feb 2023 10:36:19 +0100
Subject: [PATCH 18/25] Update mwdb/model/user.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Paweł Srokosz <pawel.srokosz@cert.pl>
---
 mwdb/model/user.py | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/mwdb/model/user.py b/mwdb/model/user.py
index 08348e448..4e9b114ba 100644
--- a/mwdb/model/user.py
+++ b/mwdb/model/user.py
@@ -159,13 +159,7 @@ def _generate_token(self, user_fields, scope, expiration, **extra_fields):
         for field in user_fields:
            token_data[field] = getattr(self, field)
         token = generate_token(
-            {
-                **dict(
-                    [("login", self.login)]
-                    + [(field, getattr(self, field)) for field in fields]
-                ),
-                **kwargs,
-            },
+            token_data,
             scope,
             expiration,
         )

From 8ae669270f7df5aa1d7f93d0c51ce084f73faf4a Mon Sep 17 00:00:00 2001
From: Tomek Chytry-Trzeciak <75318192+Repumba@users.noreply.github.com>
Date: Thu, 16 Feb 2023 10:36:37 +0100
Subject: [PATCH 19/25] Update mwdb/web/src/components/Navigation.jsx
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Paweł Srokosz <pawel.srokosz@cert.pl>
---
 mwdb/web/src/components/Navigation.jsx | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/mwdb/web/src/components/Navigation.jsx b/mwdb/web/src/components/Navigation.jsx
index 78b5cc7ca..2a5267cab 100644
--- a/mwdb/web/src/components/Navigation.jsx
+++ b/mwdb/web/src/components/Navigation.jsx
@@ -307,12 +307,7 @@ export default function Navigation() {
                                                         onClick={(ev) => {
                                                             ev.preventDefault();
                                                             if (
-                                                                auth.user
-                                                                    .provider ===
-                                                                    null ||
-                                                                auth.user
-                                                                    .provider ===
-                                                                    undefined
+                                                                !auth.user.provider
                                                             ) {
                                                                 auth.logout();
                                                             } else {

From dad5c0e8d453aa58fe0c7a36578efb01b59bc558 Mon Sep 17 00:00:00 2001
From: Tomek Chytry-Trzeciak <75318192+Repumba@users.noreply.github.com>
Date: Thu, 16 Feb 2023 10:44:45 +0100
Subject: [PATCH 20/25] Update mwdb/model/user.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Paweł Srokosz <pawel.srokosz@cert.pl>
---
 mwdb/model/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mwdb/model/user.py b/mwdb/model/user.py
index 4e9b114ba..20085f463 100644
--- a/mwdb/model/user.py
+++ b/mwdb/model/user.py
@@ -182,7 +182,7 @@ def _verify_token(token, fields, scope):
             if data[field] != getattr(user_obj, field):
                 return None
 
-        return user_obj
+        return user_obj, data.get("provider")
 
     def generate_session_token(self, provider=None):
         return self._generate_token(

From 7d60d8ed7eafa914c6f12ff4cb3abe19bdc6a118 Mon Sep 17 00:00:00 2001
From: Tomek Chytry-Trzeciak <75318192+Repumba@users.noreply.github.com>
Date: Thu, 16 Feb 2023 10:44:56 +0100
Subject: [PATCH 21/25] Update mwdb/core/auth.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Paweł Srokosz <pawel.srokosz@cert.pl>
---
 mwdb/core/auth.py | 24 ------------------------
 1 file changed, 24 deletions(-)

diff --git a/mwdb/core/auth.py b/mwdb/core/auth.py
index 3760d808f..ab3f89ac2 100644
--- a/mwdb/core/auth.py
+++ b/mwdb/core/auth.py
@@ -52,30 +52,6 @@ def verify_token(token: str, scope: AuthScope) -> Any:
     return data
 
 
-def get_provider_from_token(token: str, scope=AuthScope.session) -> Any:
-    try:
-        data = jwt.decode(
-            token,
-            key=app_config.mwdb.secret_key,
-            algorithms=["HS512"],
-            audience=app_config.mwdb.base_url,
-            options={"verify_aud": True},
-        )
-        if data.get("scope") != scope.value:
-            return None
-
-        if scope.value != "download_file" and "sub" not in data:
-            return None
-
-    except jwt.InvalidTokenError:
-        return None
-
-    if "provider" in data:
-        return data["provider"]
-    else:
-        return None
-
-
 def verify_legacy_token(token: str, required_fields: Set[str]) -> Any:
     try:
         data = jwt.decode(

From 035774445d36979ad21874ac70330653c7f94bb3 Mon Sep 17 00:00:00 2001
From: Repumba <t.a.trzeciak@gmail.com>
Date: Thu, 16 Feb 2023 10:55:09 +0100
Subject: [PATCH 22/25] apply suggestions

---
 mwdb/app.py                            |  4 +---
 mwdb/model/user.py                     | 10 +++++-----
 mwdb/resources/auth.py                 |  3 ++-
 mwdb/web/src/components/Navigation.jsx |  3 ++-
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/mwdb/app.py b/mwdb/app.py
index 1e6642b33..22436e928 100755
--- a/mwdb/app.py
+++ b/mwdb/app.py
@@ -6,7 +6,6 @@
 from werkzeug.routing import BaseConverter
 
 from mwdb.core.app import api, app
-from mwdb.core.auth import get_provider_from_token
 from mwdb.core.config import app_config
 from mwdb.core.log import getLogger, setup_logger
 from mwdb.core.plugins import PluginAppContext, load_plugins
@@ -172,8 +171,7 @@ def require_auth():
 
     if auth and auth.startswith("Bearer "):
         token = auth.split(" ", 1)[1]
-        g.auth_user = User.verify_session_token(token)
-        g.auth_provider = get_provider_from_token(token)
+        g.auth_user, g.auth_provider = User.verify_session_token(token)
         # Not a session token? Maybe APIKey token
         if g.auth_user is None:
             g.auth_user = APIKey.verify_token(token)
diff --git a/mwdb/model/user.py b/mwdb/model/user.py
index 20085f463..837712d35 100644
--- a/mwdb/model/user.py
+++ b/mwdb/model/user.py
@@ -157,7 +157,7 @@ def create(
     def _generate_token(self, user_fields, scope, expiration, **extra_fields):
         token_data = {"login": self.login, **extra_fields}
         for field in user_fields:
-           token_data[field] = getattr(self, field)
+            token_data[field] = getattr(self, field)
         token = generate_token(
             token_data,
             scope,
@@ -169,18 +169,18 @@ def _generate_token(self, user_fields, scope, expiration, **extra_fields):
     def _verify_token(token, fields, scope):
         data = verify_token(token, scope)
         if data is None:
-            return None
+            return None, None
 
         try:
             user_obj = User.query.filter(User.login == data["sub"]).one()
         except NoResultFound:
-            return None
+            return None, None
 
         for field in fields:
             if field not in data:
-                return None
+                return None, None
             if data[field] != getattr(user_obj, field):
-                return None
+                return None, None
 
         return user_obj, data.get("provider")
 
diff --git a/mwdb/resources/auth.py b/mwdb/resources/auth.py
index 363f8e17c..2d287ce8f 100644
--- a/mwdb/resources/auth.py
+++ b/mwdb/resources/auth.py
@@ -236,7 +236,8 @@ def post(self):
         schema = AuthSetPasswordRequestSchema()
         obj = loads_schema(request.get_data(as_text=True), schema)
 
-        user = User.verify_set_password_token(obj["token"])
+        # verify_set_password_token return tuple (user_obj, auth_provider)
+        user = User.verify_set_password_token(obj["token"])[0]
         if user is None:
             raise Forbidden("Set password token expired")
 
diff --git a/mwdb/web/src/components/Navigation.jsx b/mwdb/web/src/components/Navigation.jsx
index 2a5267cab..e711f0c0d 100644
--- a/mwdb/web/src/components/Navigation.jsx
+++ b/mwdb/web/src/components/Navigation.jsx
@@ -307,7 +307,8 @@ export default function Navigation() {
                                                         onClick={(ev) => {
                                                             ev.preventDefault();
                                                             if (
-                                                                !auth.user.provider
+                                                                !auth.user
+                                                                    .provider
                                                             ) {
                                                                 auth.logout();
                                                             } else {

From 2f1e42a912fff64a8f8b9ae9e76c133b19917f49 Mon Sep 17 00:00:00 2001
From: Repumba <t.a.trzeciak@gmail.com>
Date: Thu, 16 Feb 2023 11:16:34 +0100
Subject: [PATCH 23/25] remove discovery in oidc register form

---
 .../Settings/Views/OAuthRegister.jsx          | 96 +------------------
 1 file changed, 2 insertions(+), 94 deletions(-)

diff --git a/mwdb/web/src/components/Settings/Views/OAuthRegister.jsx b/mwdb/web/src/components/Settings/Views/OAuthRegister.jsx
index a5aacccf0..b8f32482c 100644
--- a/mwdb/web/src/components/Settings/Views/OAuthRegister.jsx
+++ b/mwdb/web/src/components/Settings/Views/OAuthRegister.jsx
@@ -1,14 +1,12 @@
-import React, { useContext, useState, useCallback, useEffect } from "react";
+import React, { useContext, useState } from "react";
 
 import { APIContext } from "@mwdb-web/commons/api";
 
-import { ShowIf, useViewAlert } from "@mwdb-web/commons/ui";
+import { useViewAlert } from "@mwdb-web/commons/ui";
 
 export default function OAuthRegister() {
     const api = useContext(APIContext);
     const viewAlert = useViewAlert();
-    const [discoverData, setDiscoverData] = useState();
-    const [discoverURL, setDiscoverURL] = useState();
     const [values, setValues] = useState({
         userinfo_endpoint: "",
         jwks_endpoint: "",
@@ -30,24 +28,6 @@ export default function OAuthRegister() {
         }));
     }
 
-    function autoFill() {
-        if (!discoverData) return;
-        const keys = Object.keys(values);
-        for (const i in keys) {
-            if (typeof discoverData[keys[i]] !== "undefined")
-                values[keys[i]] = discoverData[keys[i]];
-        }
-        if (typeof discoverData["jwks_uri"] === "undefined")
-            discoverData["jwks_uri"] = "";
-
-        if (typeof discoverData["end_session_endpoint"] === "undefined")
-            discoverData["end_session_endpoint"] = "";
-
-        values["jwks_endpoint"] = discoverData["jwks_uri"];
-        values["logout_endpoint"] = discoverData["end_session_endpoint"];
-        setDiscoverURL("");
-    }
-
     async function registerProvider() {
         try {
             await api.oauthRegisterProvider(
@@ -69,81 +49,9 @@ export default function OAuthRegister() {
         }
     }
 
-    async function updateDiscoverData() {
-        try {
-            var req = new Request(discoverURL);
-            fetch(req)
-                .then(async (response) => {
-                    return await response.json();
-                })
-                .then((x) => {
-                    setDiscoverData(x);
-                });
-        } catch (e) {
-            viewAlert.setAlert({ e });
-        }
-    }
-
-    const getDiscover = useCallback(updateDiscoverData, [
-        discoverURL,
-        viewAlert,
-    ]);
-    // eslint-disable-next-line
-    const autoFillCallback = useCallback(autoFill, [discoverData]);
-
-    useEffect(() => {
-        getDiscover();
-    }, [getDiscover]);
-    useEffect(() => {
-        autoFillCallback();
-    }, [autoFillCallback]);
-
     return (
         <div className="container">
             <h2>Register new identity provider</h2>
-            <form
-                onSubmit={(e) => {
-                    e.preventDefault();
-                    setDiscoverURL(e.target.discover_endpoint.value);
-                }}
-            >
-                <div className="form-group">
-                    <label>Discover endpoint</label>
-                    <input
-                        type="text"
-                        name="discover_endpoint"
-                        className="form-control"
-                        required
-                    />
-                </div>
-                <div className="form-group">
-                    <input
-                        type="submit"
-                        value="Get data"
-                        className="btn btn-secondary"
-                    />
-                </div>
-                <ShowIf condition={discoverData}>
-                    <textarea
-                        type="text"
-                        rows="10"
-                        width="100%"
-                        className="form-control"
-                        value={JSON.stringify(discoverData, null, 4)}
-                        disabled
-                    />
-                    <button
-                        className="btn btn-secondary"
-                        onClick={() => {
-                            setDiscoverURL("");
-                            setDiscoverData(null);
-                        }}
-                    >
-                        Hide output
-                    </button>
-                </ShowIf>
-            </form>
-
             <form
                 onSubmit={(ev) => {
                     ev.preventDefault();

From d32ca78183f63d1ffde7964f592bb6ba27840d8f Mon Sep 17 00:00:00 2001
From: psrok1 <pawel.srokosz@cert.pl>
Date: Mon, 20 Feb 2023 13:35:34 +0100
Subject: [PATCH 24/25] Avoid (None, None) in returned value

---
 mwdb/app.py        |  4 +++-
 mwdb/model/user.py | 18 ++++++++++--------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/mwdb/app.py b/mwdb/app.py
index 22436e928..c68d80fd5 100755
--- a/mwdb/app.py
+++ b/mwdb/app.py
@@ -171,7 +171,9 @@ def require_auth():
 
     if auth and auth.startswith("Bearer "):
         token = auth.split(" ", 1)[1]
-        g.auth_user, g.auth_provider = User.verify_session_token(token)
+        result = User.verify_session_token(token)
+        if result is not None:
+            g.auth_user, g.auth_provider = result
         # Not a session token? Maybe APIKey token
         if g.auth_user is None:
             g.auth_user = APIKey.verify_token(token)
diff --git a/mwdb/model/user.py b/mwdb/model/user.py
index 837712d35..dcb6c4993 100644
--- a/mwdb/model/user.py
+++ b/mwdb/model/user.py
@@ -1,5 +1,6 @@
 import datetime
 import os
+from typing import Optional, Tuple
 
 import bcrypt
 from flask import g
@@ -166,21 +167,21 @@ def _generate_token(self, user_fields, scope, expiration, **extra_fields):
         return token
 
     @staticmethod
-    def _verify_token(token, fields, scope):
+    def _verify_token(token, fields, scope) -> Optional[Tuple["User", Optional[str]]]:
         data = verify_token(token, scope)
         if data is None:
-            return None, None
+            return None
 
         try:
             user_obj = User.query.filter(User.login == data["sub"]).one()
         except NoResultFound:
-            return None, None
+            return None
 
         for field in fields:
             if field not in data:
-                return None, None
+                return None
             if data[field] != getattr(user_obj, field):
-                return None, None
+                return None
 
         return user_obj, data.get("provider")
 
@@ -200,7 +201,7 @@ def generate_set_password_token(self):
         )
 
     @staticmethod
-    def verify_session_token(token):
+    def verify_session_token(token) -> Optional[Tuple["User", Optional[str]]]:
         return User._verify_token(
             token,
             ["password_ver", "identity_ver"],
@@ -208,12 +209,13 @@ def verify_session_token(token):
         )
 
     @staticmethod
-    def verify_set_password_token(token):
-        return User._verify_token(
+    def verify_set_password_token(token) -> Optional["User"]:
+        result = User._verify_token(
             token,
             ["password_ver"],
             scope=AuthScope.set_password,
         )
+        return None if result is None else result[0]
 
     @staticmethod
     def verify_legacy_token(token):

From 0173bee412ad1973cd9685047b7d9f24ddaea88b Mon Sep 17 00:00:00 2001
From: psrok1 <pawel.srokosz@cert.pl>
Date: Mon, 20 Feb 2023 13:49:18 +0100
Subject: [PATCH 25/25] Fix password set endpoint

---
 mwdb/resources/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mwdb/resources/auth.py b/mwdb/resources/auth.py
index 2d287ce8f..72a36c8b1 100644
--- a/mwdb/resources/auth.py
+++ b/mwdb/resources/auth.py
@@ -237,7 +237,7 @@ def post(self):
         obj = loads_schema(request.get_data(as_text=True), schema)
 
         # verify_set_password_token return tuple (user_obj, auth_provider)
-        user = User.verify_set_password_token(obj["token"])[0]
+        user = User.verify_set_password_token(obj["token"])
         if user is None:
             raise Forbidden("Set password token expired")