From 75151c7275a2f12865c42df36e0233fd605e27cb Mon Sep 17 00:00:00 2001
From: Pierre-Yves Langlois
Date: Fri, 5 Aug 2022 10:45:51 -0400
Subject: [PATCH 1/7] Adding logout with redirection
---
 oauthenticator/generic.py | 2 ++
 oauthenticator/oauth2.py | 17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/oauthenticator/generic.py b/oauthenticator/generic.py
index 90cdc146..f4aa76f5 100644
--- a/oauthenticator/generic.py
+++ b/oauthenticator/generic.py
@@ -134,6 +134,7 @@ def _create_auth_state(token_response, user_data_response):
 access_token = token_response['access_token']
 refresh_token = token_response.get('refresh_token', None)
 scope = token_response.get('scope', '')
+ id_token = token_response.get('id_token', None)
 if isinstance(scope, str):
 scope = scope.split(' ')
@@ -142,6 +143,7 @@ def _create_auth_state(token_response, user_data_response):
 'refresh_token': refresh_token,
 'oauth_user': user_data_response,
 'scope': scope,
+ 'id_token': id_token,
 }
 @staticmethod
diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py
index ef5b70b6..da8d02b2 100644
--- a/oauthenticator/oauth2.py
+++ b/oauthenticator/oauth2.py
@@ -232,7 +232,16 @@ async def handle_logout(self):
 async def render_logout_page(self):
 if self.authenticator.logout_redirect_url:
- self.redirect(self.authenticator.logout_redirect_url)
+ user = list(self.users.values())[0]
+ auth_state = await user.get_auth_state()
+ redirect_uri = self.authenticator.logout_redirect_url
+ if auth_state['id_token']:
+ redirect_uri = f"{redirect_uri}?id_token_hint={auth_state['id_token']}"
+ if self.authenticator.post_logout_redirect_uri:
+ redirect_uri = f"{redirect_uri}&post_logout_redirect_uri=" \
+ f"{self.authenticator.post_logout_redirect_uri}"
+
+ self.redirect(redirect_uri)
 return
 return await super().render_logout_page()
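Review bot: In `render_logout_page` (the `@@ -232,7 +232,16 @@` hunk), `user = list(self.users.values())[0]` takes whichever entry happens to come first in `self.users` rather than the user whose session is being ended, so if that mapping holds more than one user (its definition is not visible here) the `id_token_hint` sent to the provider can be another user's identity token. The token should be resolved from the request's own user, for example by reading that user's auth state in `handle_logout`, whose body is outside this hunk, and keeping the `id_token` on the handler for this method to use. The same `self.users` lookup is carried into `get_post_redirect_uri` in patches 2 and 4 and into `get_redirect_uri_params` in patch 6, which only add a guard for the empty mapping.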
@@ -283,6 +292,12 @@ def _userdata_url_default(self):
 def _logout_redirect_url_default(self):
 return os.getenv("OAUTH_LOGOUT_REDIRECT_URL", "")
+ post_logout_redirect_uri = Unicode(config=True, help="The URI where the client is redirected after logout")
+
+ @default("post_logout_redirect_uri")
+ def _post_logout_redirect_uri(self):
+ return os.getenv("OAUTH2_POST_LOGOUT_REDIRECT_URI", "")
+
 custom_403_message = Unicode(
 "Sorry, you are not currently authorized to use this hub. Please contact the hub administrator.",
 config=True,
From 652571225c099a2db283f53b63d9190675459546 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Langlois
Date: Fri, 5 Aug 2022 10:57:30 -0400
Subject: [PATCH 2/7] Use the default URI when the user does not exist
---
 oauthenticator/oauth2.py | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py
index da8d02b2..9759304b 100644
--- a/oauthenticator/oauth2.py
+++ b/oauthenticator/oauth2.py
@@ -124,7 +124,7 @@ def get_state_cookie(self):
 """
 if self._state_cookie is None:
 self._state_cookie = (
- self.get_secure_cookie(STATE_COOKIE_NAME) or b''
+ self.get_secure_cookie(STATE_COOKIE_NAME) or b''
 ).decode('utf8', 'replace')
 self.clear_cookie(STATE_COOKIE_NAME)
 return self._state_cookie
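Review bot: The new `post_logout_redirect_uri` trait in the `@@ -283,6 +292,12 @@` hunk reads `OAUTH2_POST_LOGOUT_REDIRECT_URI`, while the `logout_redirect_url` default directly above it reads `OAUTH_LOGOUT_REDIRECT_URL`, and its default method lacks the `_default` suffix used by `_logout_redirect_url_default`; naming them alike (`OAUTH_POST_LOGOUT_REDIRECT_URI`, `_post_logout_redirect_uri_default`) keeps the configuration surface predictable. The help text should also say that the value is appended to `logout_redirect_url` as the `post_logout_redirect_uri` query parameter and, as patch 1 is written, only when an `id_token` is available. Identity providers typically require this URI to be registered for the client, which is worth stating so a deployment does not point it at an unregistered target.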
@@ -232,19 +232,23 @@ async def handle_logout(self):
 async def render_logout_page(self):
 if self.authenticator.logout_redirect_url:
- user = list(self.users.values())[0]
- auth_state = await user.get_auth_state()
- redirect_uri = self.authenticator.logout_redirect_url
+ redirect_uri = await self.get_post_redirect_uri()
+ self.redirect(redirect_uri)
+ return
+
+ return await super().render_logout_page()
+
+ async def get_post_redirect_uri(self):
+ redirect_uri = self.authenticator.logout_redirect_url
+ user = list(self.users.values())
+ if user:
+ auth_state = await user[0].get_auth_state()
 if auth_state['id_token']:
 redirect_uri = f"{redirect_uri}?id_token_hint={auth_state['id_token']}"
 if self.authenticator.post_logout_redirect_uri:
 redirect_uri = f"{redirect_uri}&post_logout_redirect_uri=" \
 f"{self.authenticator.post_logout_redirect_uri}"
-
- self.redirect(redirect_uri)
- return
-
- return await super().render_logout_page()
+ return redirect_uri
 class OAuthenticator(Authenticator):
From 003542121b8de4169b69aadd21c91194ed4c96d0 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 8 Aug 2022 14:43:27 +0000
Subject: [PATCH 3/7] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci
---
 oauthenticator/oauth2.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py
index 9759304b..e9afc17a 100644
--- a/oauthenticator/oauth2.py
+++ b/oauthenticator/oauth2.py
@@ -124,7 +124,7 @@ def get_state_cookie(self):
 """
 if self._state_cookie is None:
 self._state_cookie = (
- self.get_secure_cookie(STATE_COOKIE_NAME) or b''
+ self.get_secure_cookie(STATE_COOKIE_NAME) or b''
 ).decode('utf8', 'replace')
 self.clear_cookie(STATE_COOKIE_NAME)
 return self._state_cookie
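Review bot: `auth_state['id_token']` in the new `get_post_redirect_uri` (the `@@ -232,19 +232,23 @@` hunk) subscripts the result of `get_auth_state()` without checking it, so a user with no stored auth state, or with state saved before patch 1 added the `id_token` key, would turn logout into a TypeError or KeyError instead of falling back to the plain `logout_redirect_url`. Whether `get_auth_state()` can return `None` is not visible in this hunk, but the guard is cheap: `id_token = (auth_state or {}).get('id_token')` followed by `if id_token:`. The same subscript remains in patches 4 and 6. The new method also has no docstring; one line saying it returns `logout_redirect_url` with `id_token_hint` and `post_logout_redirect_uri` appended would make the contract explicit.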
@@ -246,8 +246,10 @@ async def get_post_redirect_uri(self):
 if auth_state['id_token']:
 redirect_uri = f"{redirect_uri}?id_token_hint={auth_state['id_token']}"
 if self.authenticator.post_logout_redirect_uri:
- redirect_uri = f"{redirect_uri}&post_logout_redirect_uri=" \
- f"{self.authenticator.post_logout_redirect_uri}"
+ redirect_uri = (
+ f"{redirect_uri}&post_logout_redirect_uri="
+ f"{self.authenticator.post_logout_redirect_uri}"
+ )
 return redirect_uri
@@ -296,7 +298,9 @@ def _userdata_url_default(self):
 def _logout_redirect_url_default(self):
 return os.getenv("OAUTH_LOGOUT_REDIRECT_URL", "")
- post_logout_redirect_uri = Unicode(config=True, help="The URI where the client is redirected after logout")
+ post_logout_redirect_uri = Unicode(
+ config=True, help="The URI where the client is redirected after logout"
+ )
 @default("post_logout_redirect_uri")
 def _post_logout_redirect_uri(self):
From a3144cb935665a9dad121de85553050f1110c7c5 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Langlois
Date: Mon, 8 Aug 2022 13:40:34 -0400
Subject: [PATCH 4/7] returning early to minimize embedded if statement
---
 oauthenticator/oauth2.py | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py
index 9759304b..290a20b3 100644
--- a/oauthenticator/oauth2.py
+++ b/oauthenticator/oauth2.py
@@ -241,13 +241,19 @@ async def render_logout_page(self):
 async def get_post_redirect_uri(self):
 redirect_uri = self.authenticator.logout_redirect_url
 user = list(self.users.values())
- if user:
- auth_state = await user[0].get_auth_state()
- if auth_state['id_token']:
- redirect_uri = f"{redirect_uri}?id_token_hint={auth_state['id_token']}"
- if self.authenticator.post_logout_redirect_uri:
- redirect_uri = f"{redirect_uri}&post_logout_redirect_uri=" \
- f"{self.authenticator.post_logout_redirect_uri}"
+ if not user:
+ return redirect_uri
+
+ auth_state = await user[0].get_auth_state()
+ if not auth_state['id_token']:
+ return redirect_uri
+
+ redirect_uri = f"{redirect_uri}?id_token_hint={auth_state['id_token']}"
+ if not self.authenticator.post_logout_redirect_uri:
+ return redirect_uri
+
+ redirect_uri = f"{redirect_uri}&post_logout_redirect_uri=" \
+ f"{self.authenticator.post_logout_redirect_uri}"
 return redirect_uri
From 0f718caa2a3284fbe4c79f75eea21be688ff3eac Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 8 Aug 2022 17:43:27 +0000
Subject: [PATCH 5/7] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci
---
 oauthenticator/oauth2.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py
index 33e102ff..ac7d9eeb 100644
--- a/oauthenticator/oauth2.py
+++ b/oauthenticator/oauth2.py
@@ -252,8 +252,10 @@ async def get_post_redirect_uri(self):
 if not self.authenticator.post_logout_redirect_uri:
 return redirect_uri
- redirect_uri = f"{redirect_uri}&post_logout_redirect_uri=" \
- f"{self.authenticator.post_logout_redirect_uri}"
+ redirect_uri = (
+ f"{redirect_uri}&post_logout_redirect_uri="
+ f"{self.authenticator.post_logout_redirect_uri}"
+ )
 return redirect_uri
From fa5d72f54ad8f6931b72f19634ba59d859f2998a Mon Sep 17 00:00:00 2001
From: Pierre-Yves Langlois
Date: Fri, 19 May 2023 10:38:39 -0400
Subject: [PATCH 6/7] Using url_concat to build the redirect_uri
---
 oauthenticator/oauth2.py | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)
diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py
index 9f6cc46d..8e0adce6 100644
--- a/oauthenticator/oauth2.py
+++ b/oauthenticator/oauth2.py
@@ -232,31 +232,27 @@ async def handle_logout(self):
 async def render_logout_page(self):
 if self.authenticator.logout_redirect_url:
- redirect_uri = await self.get_post_redirect_uri()
- self.redirect(redirect_uri)
+ redirect_uri_params = await self.get_redirect_uri_params()
+ url = url_concat(self.authenticator.logout_redirect_url, redirect_uri_params)
+ self.redirect(url)
 return
 return await super().render_logout_page()
- async def get_post_redirect_uri(self):
- redirect_uri = self.authenticator.logout_redirect_url
+ async def get_redirect_uri_params(self):
+ redirect_uri_params = dict()
 user = list(self.users.values())
 if not user:
- return redirect_uri
+ return redirect_uri_params
 auth_state = await user[0].get_auth_state()
- if not auth_state['id_token']:
- return redirect_uri
+ if auth_state['id_token']:
+ redirect_uri_params['id_token_hint'] = auth_state['id_token']
- redirect_uri = f"{redirect_uri}?id_token_hint={auth_state['id_token']}"
- if not self.authenticator.post_logout_redirect_uri:
- return redirect_uri
+ if self.authenticator.post_logout_redirect_uri:
+ redirect_uri_params['post_logout_redirect_uri'] = self.authenticator.post_logout_redirect_uri
- redirect_uri = (
- f"{redirect_uri}&post_logout_redirect_uri="
- f"{self.authenticator.post_logout_redirect_uri}"
- )
- return redirect_uri
+ return redirect_uri_params
 class OAuthenticator(Authenticator):
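Review bot: In `get_redirect_uri_params`, the `if not user: return redirect_uri_params` guard runs before the `post_logout_redirect_uri` check, so the configured post-logout URI is silently dropped whenever no user is found even though it does not depend on the user; moving the `if self.authenticator.post_logout_redirect_uri:` block above the user lookup fixes that. This patch also starts sending `post_logout_redirect_uri` without an `id_token_hint` (the earlier version returned before reaching it), which some providers may refuse or answer with a confirmation prompt, so the intended behaviour deserves a line in a docstring. `url_concat` is called in `render_logout_page` but the patch adds no import, so confirm oauth2.py already brings it into scope. Since the raw ID token travels in the redirect URL, it will show up in browser history and in the provider's request logs, which is worth a sentence in the trait's help text.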
@@ -489,7 +485,7 @@ async def fetch(self, req, label="fetching", parse_json=True, **kwargs):
 return resp
 async def httpfetch(
- self, url, label="fetching", parse_json=True, raise_error=True, **kwargs
+ self, url, label="fetching", parse_json=True, raise_error=True, **kwargs
 ):
 """Wrapper for creating and fetching http requests
From f57c84ed3ed47be1277490503ebcea6710a893a8 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Fri, 19 May 2023 14:39:18 +0000
Subject: [PATCH 7/7] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci
---
 oauthenticator/oauth2.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py
index 8e0adce6..4a0e4712 100644
--- a/oauthenticator/oauth2.py
+++ b/oauthenticator/oauth2.py
@@ -233,7 +233,9 @@ async def handle_logout(self):
 async def render_logout_page(self):
 if self.authenticator.logout_redirect_url:
 redirect_uri_params = await self.get_redirect_uri_params()
- url = url_concat(self.authenticator.logout_redirect_url, redirect_uri_params)
+ url = url_concat(
+ self.authenticator.logout_redirect_url, redirect_uri_params
+ )
 self.redirect(url)
 return
@@ -250,7 +252,9 @@ async def get_redirect_uri_params(self):
 redirect_uri_params['id_token_hint'] = auth_state['id_token']
 if self.authenticator.post_logout_redirect_uri:
- redirect_uri_params['post_logout_redirect_uri'] = self.authenticator.post_logout_redirect_uri
+ redirect_uri_params[
+ 'post_logout_redirect_uri'
+ ] = self.authenticator.post_logout_redirect_uri
 return redirect_uri_params
@@ -485,7 +489,7 @@ async def fetch(self, req, label="fetching", parse_json=True, **kwargs):
 return resp
 async def httpfetch(
- self, url, label="fetching", parse_json=True, raise_error=True, **kwargs
+ self, url, label="fetching", parse_json=True, raise_error=True, **kwargs
 ):
 """Wrapper for creating and fetching http requests