Be able to call logout on the OIDC provider

camptocamp · Dec 10, 2024 · 15155ab · 15155ab
1 parent 138f2eb
commit 15155ab
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 2 deletions.
diff --git a/doc/integrator/authentication_oidc.rst b/doc/integrator/authentication_oidc.rst
@@ -80,6 +80,8 @@ Other options
 
 ``client_secret``: The secret of the client.
 
+``logout``: If ``true``, the logout is called on the OIDC provider, default is ``false``.
+
 ``trusted_audiences``: The list of trusted audiences, if the audience provided by the id-token is not in
   this list, the ``ID token`` will be rejected.
 

diff --git a/...al_geoportal/scaffolds/update/{{cookiecutter.project}}/geoportal/CONST_config-schema.yaml b/...al_geoportal/scaffolds/update/{{cookiecutter.project}}/geoportal/CONST_config-schema.yaml
@@ -241,6 +241,9 @@ mapping:
                 type: seq
                 sequence:
                   - type: str
+              logout:
+                type: bool
+                default: false
               provide_roles:
                 type: bool
                 default: false

diff --git a/geoportal/c2cgeoportal_geoportal/views/login.py b/geoportal/c2cgeoportal_geoportal/views/login.py
@@ -38,6 +38,7 @@
 import pyotp
 import pyramid.request
 import pyramid.response
+import requests
 from pyramid.httpexceptions import (
     HTTPBadRequest,
     HTTPForbidden,
@@ -298,6 +299,17 @@ def logout(self) -> pyramid.response.Response:
                 client.revoke_token(user_info["access_token"])
                 if user_info.get("refresh_token") is not None:
                     client.revoke_token(user_info["refresh_token"])
+            if self.authentication_settings.get("openid_connect", {}).get("logout", False):
+                response = requests.get(  # pylint: disable=missing-timeout
+                    client.initiate_logout(), auth=client.client_auth
+                )
+                if not response.ok:
+                    _LOG.error(
+                        "Error during logout from OpenID Connect, code %s %s:\n%s",
+                        response.status_code,
+                        response.reason,
+                        response.text,
+                    )
 
         headers = forget(self.request)
 

diff --git a/geoportal/tests/functional/test_mapserverproxy.py b/geoportal/tests/functional/test_mapserverproxy.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2013-2023, Camptocamp SA
+# Copyright (c) 2013-2024, Camptocamp SA
 # All rights reserved.
 
 # Redistribution and use in source and binary forms, with or without
@@ -365,7 +365,7 @@ def test_get_feature_info(self):
         self.assertTrue(response.cache_control.public)
         assert response.cache_control.max_age == 10
         self.assertEqual(
-            str(response.cache_control), "max-age=10, must-revalidate, no-cache, no-store, public"
+            str(response.cache_control), "max-age=10, must-revalidate, no-cache, no-store, private"
         )
 
     def test_get_map_unprotected_layer_anonymous(self):