From de05cec17b6492b5a9d7808acf019e0f5aaa4da8 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 19 May 2022 22:04:25 +0200
Subject: [PATCH] idp_oidc: add iss and sid parameter to frontchannel_logout_uri (#65475)
---
 src/authentic2_idp_oidc/utils.py | 7 ++++---
 tests/idp_oidc/test_misc.py | 4 +++-
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/authentic2_idp_oidc/utils.py b/src/authentic2_idp_oidc/utils.py
index 39bdf5cc..76ed2df5 100644
--- a/src/authentic2_idp_oidc/utils.py
+++ b/src/authentic2_idp_oidc/utils.py
@@ -30,6 +30,7 @@ from jwcrypto.jwt import JWT
 from authentic2 import hooks
 from authentic2.attributes_ng.engine import get_attributes
 from authentic2.utils import crypto
+from authentic2.utils.misc import make_url
 from authentic2.utils.template import Template
 
 from . import app_settings
@@ -294,13 +295,13 @@ def add_oidc_session(request, client):
     oidc_sessions = request.session.setdefault('oidc_sessions', {})
     if not client.frontchannel_logout_uri:
         return
-    uri = client.frontchannel_logout_uri
+    sid = get_session_id(request, client)
+    iss = get_issuer(request)
+    uri = make_url(client.frontchannel_logout_uri, params={'iss': iss, 'sid': sid}, resolve=False)
     oidc_session = {
         'frontchannel_logout_uri': uri,
         'frontchannel_timeout': client.frontchannel_timeout,
         'name': client.name,
-        'sid': get_session_id(request, client),
-        'iss': get_issuer(request),
     }
     if oidc_sessions.get(uri) == oidc_session:
         # already present
diff --git a/tests/idp_oidc/test_misc.py b/tests/idp_oidc/test_misc.py
index 3f7f1188..b8c8e8d8 100644
--- a/tests/idp_oidc/test_misc.py
+++ b/tests/idp_oidc/test_misc.py
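Review bot: Dropping the `'sid'` and `'iss'` keys from `oidc_session` changes the shape of every entry stored under `request.session['oidc_sessions']`, and this hunk only shows the writer; any reader elsewhere (the logout view or the template that renders the front-channel iframes) that still does `oidc_session['sid']` will now raise KeyError, so confirm none remains or keep the two keys alongside the URI. The dedup lookup `oidc_sessions.get(uri)` is now keyed by a URL that embeds the session id, so it only collapses duplicates while `get_session_id(request, client)` is stable for the session; if that id can change during a session, a stale entry is left behind — hedged, since get_session_id is not visible here. `make_url(..., resolve=False)` on a `frontchannel_logout_uri` that already carries a query string or fragment depends on how make_url merges `params`, and is worth a test case. A short comment above the `make_url` call would help the next reader: `# OpenID Connect Front-Channel Logout 1.0: the OP passes iss and sid as query parameters so the RP can match the logout to its own session`. add_oidc_session starts before this hunk and continues after it.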
@@ -398,8 +398,10 @@ def test_authorization_code_sso(
     response = app.get(make_url('account_management'))
     response = response.click('Logout')
     if oidc_client.frontchannel_logout_uri:
-        iframes = response.pyquery('iframe[src="https://example.com/southpark/logout/"]')
+        iframes = response.pyquery('iframe[src^="https://example.com/southpark/logout/"]')
         assert iframes
+        assert '?iss=' in iframes.attr('src')
+        assert '&sid=' in iframes.attr('src')
         if oidc_client.frontchannel_timeout:
             assert iframes.attr('onload').endswith(', %d)' % oidc_client.frontchannel_timeout)
         else:
-- 
2.35.1
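Review bot: The two substring assertions on `iframes.attr('src')` only check that the markers appear somewhere in the string, and they bake in both the parameter order (iss before sid) and the absence of a pre-existing query string in the logout URI; `iframes.attr('src')` also reads just the first element matched by the relaxed `src^=` prefix selector, so a second iframe with a malformed src would pass unnoticed. Parsing the URL is stricter and order-independent: `query = parse_qs(urlparse(iframes.attr('src')).query)` then `assert set(query) == {'iss', 'sid'}`, and comparing `query['iss']` / `query['sid']` against the values the IdP issued would pin the content rather than just the presence, if the test has them in scope. `urlparse` and `parse_qs` come from `urllib.parse`, which may need an import at the top of the test module. test_authorization_code_sso starts before this hunk and continues after it.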