From 15155ab535b8063ddb7cabda4db0a910d087acec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Brunner?=
Date: Mon, 9 Dec 2024 16:33:16 +0100
Subject: [PATCH] Be able to call logout on the OIDC provider

---
 doc/integrator/authentication_oidc.rst | 2 ++
 .../geoportal/CONST_config-schema.yaml | 3 +++
 geoportal/c2cgeoportal_geoportal/views/login.py | 12 ++++++++++++
 geoportal/tests/functional/test_mapserverproxy.py | 4 ++--
 4 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/doc/integrator/authentication_oidc.rst b/doc/integrator/authentication_oidc.rst
index c123ad7e9a..735a575dbb 100644
--- a/doc/integrator/authentication_oidc.rst
+++ b/doc/integrator/authentication_oidc.rst
@@ -80,6 +80,8 @@ Other options
 ``client_secret``: The secret of the client.
+``logout``: If ``true``, the logout is called on the OIDC provider, default is ``false``.
+
 ``trusted_audiences``: The list of trusted audiences, if the audience provided by the id-token is not in this list, the ``ID token`` will be rejected.
diff --git a/geoportal/c2cgeoportal_geoportal/scaffolds/update/{{cookiecutter.project}}/geoportal/CONST_config-schema.yaml b/geoportal/c2cgeoportal_geoportal/scaffolds/update/{{cookiecutter.project}}/geoportal/CONST_config-schema.yaml
index df925e8ff0..5a59f1f0b8 100644
--- a/geoportal/c2cgeoportal_geoportal/scaffolds/update/{{cookiecutter.project}}/geoportal/CONST_config-schema.yaml
+++ b/geoportal/c2cgeoportal_geoportal/scaffolds/update/{{cookiecutter.project}}/geoportal/CONST_config-schema.yaml
@@ -241,6 +241,9 @@ mapping:
 type: seq
 sequence:
 - type: str
+ logout:
+ type: bool
+ default: false
 provide_roles:
 type: bool
 default: false
diff --git a/geoportal/c2cgeoportal_geoportal/views/login.py b/geoportal/c2cgeoportal_geoportal/views/login.py
index 59bf7ac2e5..0d733cfa68 100644
--- a/geoportal/c2cgeoportal_geoportal/views/login.py
+++ b/geoportal/c2cgeoportal_geoportal/views/login.py
@@ -38,6 +38,7 @@
 import pyotp
 import pyramid.request
 import pyramid.response
+import requests
 from pyramid.httpexceptions import (
 HTTPBadRequest,
 HTTPForbidden,
@@ -298,6 +299,17 @@ def logout(self) -> pyramid.response.Response:
 client.revoke_token(user_info["access_token"])
 if user_info.get("refresh_token") is not None:
 client.revoke_token(user_info["refresh_token"])
+ if self.authentication_settings.get("openid_connect", {}).get("logout", False):
+ response = requests.get( # pylint: disable=missing-timeout
+ client.initiate_logout(), auth=client.client_auth
+ )
+ if not response.ok:
+ _LOG.error(
+ "Error during logout from OpenID Connect, code %s %s:\n%s",
+ response.status_code,
+ response.reason,
+ response.text,
+ )
 headers = forget(self.request)
diff --git a/geoportal/tests/functional/test_mapserverproxy.py b/geoportal/tests/functional/test_mapserverproxy.py
index 4b3e536f5a..9569c3997f 100644
--- a/geoportal/tests/functional/test_mapserverproxy.py
+++ b/geoportal/tests/functional/test_mapserverproxy.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2013-2023, Camptocamp SA
+# Copyright (c) 2013-2024, Camptocamp SA
 # All rights reserved.
 # Redistribution and use in source and binary forms, with or without
@@ -365,7 +365,7 @@ def test_get_feature_info(self):
 self.assertTrue(response.cache_control.public)
 assert response.cache_control.max_age == 10
 self.assertEqual(
- str(response.cache_control), "max-age=10, must-revalidate, no-cache, no-store, public"
+ str(response.cache_control), "max-age=10, must-revalidate, no-cache, no-store, private"
 )
 def test_get_map_unprotected_layer_anonymous(self):
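Review bot: The new `requests.get(...)` in `logout` has no timeout — the `# pylint: disable=missing-timeout` silences the warning rather than fixing it — so a slow or unresponsive OIDC provider holds this request worker indefinitely; change the call to `requests.get(client.initiate_logout(), auth=client.client_auth, timeout=10)` (10 s is an illustrative value, ideally read from the `openid_connect` settings). A connection error from `requests.get` also propagates out before `forget(self.request)` runs, so a provider outage would leave the local session in place; wrapping the call in `except requests.RequestException` and logging it, the same way the non-OK response already is, keeps the local logout best-effort. If `client.initiate_logout()` returns the provider's end-session URL, note that a server-side GET does not carry the user's browser session with the provider and may therefore not end it; confirm whether redirecting the browser to that URL is the intended flow. A short comment such as `# Best effort: a failed provider logout is logged and the local session is still dropped` would document the intended semantics. `logout` begins before this hunk and continues after it.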
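Review bot: The expected header string in `test_get_feature_info` now ends in `private`, but the unchanged context line two lines above, `self.assertTrue(response.cache_control.public)`, still asserts the `public` directive on the same response; if `str(response.cache_control)` reflects the parsed directives, both cannot hold at once, so one of the two assertions presumably needs to be aligned with the other. This test change is also unrelated to the OIDC logout described in the subject and would be easier to review and bisect as its own commit. `test_get_feature_info` begins before this hunk.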