Refactor: IdG sign out to use client_id #2700
Conversation
github-actions
bot
added
back-end
Coverage report
Click to see where and how coverage changed
This report was generated by python-coverage-comment-action |
||||||||||||||||||||||||||||||||||||||||||
|
@lalver1 for this PR, I think we should make sure there isn't any other E.g. there is no need to keep this in the session anymore: https://github.com/cal-itp/benefits/blob/fix/idg-signout/benefits/oauth/views.py#L147 This clean up may have wider implications, but I think its more important to do it all at once vs. leaving some of it for later (e.g. potentially a different release). |
|
Ah thanks for pointing that out @thekaveman! I agree, it makes sense to clean it up all at once in this PR so I'll work on updating it. |
lalver1
force-pushed
the
fix/idg-signout
branch
from
1521171 to
f8c26bb
Compare
There was a problem hiding this comment.
@lalver1 overall this is great! Exactly the kind of low-impact change we talked about 👍
One small request: the terminology in this PR now mixes the concepts of authentication with authorization.
IMO the role of this session variable is closer to authorization; i.e. the user has already proven their identity (authentication) by logging in. We are then (via e.g. the middleware) giving access (or not) to additional resources (e.g. views, the other parts of the flow).
So I think just a simple rename from authentication to authorization and this will be normalized.
|
Thanks @thekaveman! That's a good point, I'll change the session variable name to |
instead of id_token_hint in the future, the id_token may contain more sensitive claims data (e.g. email address) so avoid passing this on the client-side
for deauthorize_redirect
a boolean is stored in the user's session (instead of data associated with the oauth token) that will be used by the enrollment app and by the middleware to mark the user as authorized
the name of the oauth_token property in the session module is updated to oauth_authorized to reflect that a boolean (instead of a string) is now stored in the user's session. several test fixtures and tests are updated given this change in the session module.
lalver1
force-pushed
the
fix/idg-signout
branch
from
f8c26bb to
bf1665d
Compare
I take it from this that there is some reason for keeping the session variable as opposed to removing it. It's not clear to me what that reason would be though since we're not using |
Although we're removing the token, we still need the concept of |
|
I see, it is used in |
Part of #2678
Due to sign out changes in the IdG, in this PR we're replacing
id_token_hintwithclient_idin thedeauthorize_redirecthelper that is used as part of the sign out process.We can review this PR but we should hold off from merging it to
mainsince this functionality has been deployed to IdGdev, but we should coordinate with the IdG team before deploying this to further environments.Reviewing
Set up a login.gov flow, such as Older Adult, and go through the flow until eligibility is confirmed
Click on
Sign out of Login.govand confirm that you can successfully sign out