From e6b72ad9440d77d331378be5cd369091e352ee0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Brunner?= Date: Mon, 9 Dec 2024 16:33:16 +0100 Subject: [PATCH] Be able to call logout on the OIDC provider --- doc/integrator/authentication_oidc.rst | 2 ++ .../geoportal/CONST_config-schema.yaml | 3 +++ geoportal/c2cgeoportal_geoportal/views/login.py | 10 ++++++++++ 3 files changed, 15 insertions(+) diff --git a/doc/integrator/authentication_oidc.rst b/doc/integrator/authentication_oidc.rst index c123ad7e9a..735a575dbb 100644 --- a/doc/integrator/authentication_oidc.rst +++ b/doc/integrator/authentication_oidc.rst @@ -80,6 +80,8 @@ Other options ``client_secret``: The secret of the client. +``logout``: If ``true``, the logout is called on the OIDC provider, default is ``false``. + ``trusted_audiences``: The list of trusted audiences, if the audience provided by the id-token is not in this list, the ``ID token`` will be rejected. diff --git a/geoportal/c2cgeoportal_geoportal/scaffolds/update/{{cookiecutter.project}}/geoportal/CONST_config-schema.yaml b/geoportal/c2cgeoportal_geoportal/scaffolds/update/{{cookiecutter.project}}/geoportal/CONST_config-schema.yaml index df925e8ff0..5a59f1f0b8 100644 --- a/geoportal/c2cgeoportal_geoportal/scaffolds/update/{{cookiecutter.project}}/geoportal/CONST_config-schema.yaml +++ b/geoportal/c2cgeoportal_geoportal/scaffolds/update/{{cookiecutter.project}}/geoportal/CONST_config-schema.yaml @@ -241,6 +241,9 @@ mapping: type: seq sequence: - type: str + logout: + type: bool + default: false provide_roles: type: bool default: false diff --git a/geoportal/c2cgeoportal_geoportal/views/login.py b/geoportal/c2cgeoportal_geoportal/views/login.py index 2d812a3c94..85c0819fc5 100644 --- a/geoportal/c2cgeoportal_geoportal/views/login.py +++ b/geoportal/c2cgeoportal_geoportal/views/login.py 
@@ -38,6 +38,7 @@
 import pyotp
 import pyramid.request
 import pyramid.response
+import requests
 from pyramid.httpexceptions import (
     HTTPBadRequest,
     HTTPForbidden,
@@ -298,6 +299,15 @@ def logout(self) -> pyramid.response.Response:
                 client.revoke_token(user_info["access_token"])
             if user_info.get("refresh_token") is not None:
                 client.revoke_token(user_info["refresh_token"])
+            if self.authentication_settings.get("openid_connect", {}).get("logout", False):
+                response = requests.get(client.initiate_logout(), auth=client.client_auth)
+                if not response.ok:
+                    _LOG.error(
+                        "Error during logout from OpenID Connect, code %s %s:\n%s",
+                        response.status_code,
+                        response.reason,
+                        response.text,
+                    )
         headers = forget(self.request)
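Review bot: `requests` is imported here for a blocking outbound HTTP call, and its only use in this patch, `requests.get(client.initiate_logout(), auth=client.client_auth)` in the later `logout` hunk of this file, passes no `timeout=`, so an unresponsive provider stalls the request worker indefinitely, and any `requests.RequestException` raised there propagates before `headers = forget(self.request)` runs, so a provider outage also prevents the local logout. I would pass `timeout=10` and wrap the call in a `try/except requests.RequestException` that logs with `_LOG.exception("Error during logout from OpenID Connect")` and falls through to the local logout, so provider-side failure stays best-effort. Separately, if `initiate_logout()` returns the RP-initiated-logout URL meant for the user agent (as its name suggests), a server-side GET cannot end the browser's session at the provider — the OIDC RP-Initiated Logout flow redirects the user there — and `auth=client.client_auth` sends the client credentials to an endpoint that does not need them; worth confirming against the client library before relying on this for logout. The body of `logout` continues outside that hunk.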