Commit 357dba87 authored by Frédéric Mangano-Tarumi's avatar Frédéric Mangano-Tarumi Committed by Lukas Fleischer
Browse files

Save id_token for the SSO logout

As far as I can see, Keycloak ignores it entirely. I can login in as SSO
user A, then disconnect from the SSO directly and reconnect as user B,
but when I disconnect user A from AUR, Keycloak disconnects B even
though AUR passed it an ID token for A.

Signed-off-by: Lukas Fleischer's avatarLukas Fleischer <>
parent 4d0f2d22
......@@ -80,6 +80,11 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)):
# TODO redirect to the referrer
response.set_cookie(key="AURSID", value=sid, httponly=True,
secure=request.url.scheme == "https")
if "id_token" in token:
# We save the id_token for the SSO logout. It’s not too important
# though, so if we can’t find it, we can live without it.
response.set_cookie(key="SSO_ID_TOKEN", value=token["id_token"], path="/sso/",
httponly=True, secure=request.url.scheme == "https")
return response
# We’ve got a severe integrity violation.
......@@ -87,7 +92,7 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)):
async def logout():
async def logout(request: Request):
Disconnect the user from the SSO provider, potentially affecting every
other Arch service. AUR logout is performed by `/logout`, before it
......@@ -96,7 +101,13 @@ async def logout():
Based on the OpenID Connect Session Management specification:
id_token = request.cookies.get("SSO_ID_TOKEN")
if not id_token:
return RedirectResponse("/")
metadata = await oauth.sso.load_server_metadata()
# TODO Supply id_token_hint to the end session endpoint.
query = urlencode({'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location')})
return RedirectResponse(metadata["end_session_endpoint"] + '?' + query)
query = urlencode({'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location'),
'id_token_hint': id_token})
response = RedirectResponse(metadata["end_session_endpoint"] + '?' + query)
response.delete_cookie("SSO_ID_TOKEN", path="/sso/")
return response
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment