14 |
14 |
plugin_config_prefix = 'ckanext.ozwillo_pyoidc.'
|
15 |
15 |
|
16 |
16 |
log = logging.getLogger(__name__)
|
17 |
|
plugin_controller = 'ckanext.ozwillo_pyoidc.plugin:OpenidController'
|
|
17 |
plugin_controller = __name__ + ':OpenidController'
|
18 |
18 |
|
19 |
19 |
_CLIENTS = {}
|
20 |
20 |
|
... | ... | |
55 |
55 |
map.connect('/organization/{id:.*}/callback',
|
56 |
56 |
controller=plugin_controller,
|
57 |
57 |
action='callback')
|
|
58 |
map.connect('/logout', controller=plugin_controller,
|
|
59 |
action='logout')
|
58 |
60 |
map.connect('/user/slo',
|
59 |
61 |
controller=plugin_controller,
|
60 |
|
action='slo')
|
|
62 |
action='slo',
|
|
63 |
conditions={'method': ['POST']})
|
61 |
64 |
map.redirect('/organization/{id:.*}/logout', '/user/_logout')
|
62 |
65 |
|
63 |
66 |
return map
|
... | ... | |
140 |
143 |
qualified=True)
|
141 |
144 |
toolkit.redirect_to(str(org_url))
|
142 |
145 |
|
|
146 |
def logout(self):
|
|
147 |
toolkit.c.slo_url = toolkit.url_for(host=request.host,
|
|
148 |
controller=plugin_controller,
|
|
149 |
action="slo",
|
|
150 |
qualified=True)
|
|
151 |
return base.render('logout_confirm.html')
|
|
152 |
|
143 |
153 |
def slo(self):
|
144 |
154 |
"""
|
145 |
155 |
Revokes the delivered access token. Logs out the user
|
146 |
156 |
"""
|
147 |
157 |
g = model.Group.get(session['organization_id'])
|
148 |
|
client = Clients.get(g)
|
149 |
|
logout_url = client.end_session_endpoint
|
150 |
158 |
org_url = toolkit.url_for(host=request.host,
|
151 |
159 |
controller='organization',
|
152 |
160 |
action='read',
|
153 |
161 |
id=g.name,
|
154 |
162 |
qualified=True)
|
155 |
|
redirect_uri = org_url + '/logout'
|
156 |
|
|
157 |
|
# revoke the access token
|
158 |
|
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
|
159 |
|
data = 'token=%s&token_type_hint=access_token' % client.access_token
|
160 |
|
client.http_request(client.revocation_endpoint, 'POST',
|
161 |
|
data=data, headers=headers)
|
162 |
|
|
163 |
|
# redirect to IDP logout
|
164 |
|
logout_url += '?id_token_hint=%s&' % client.id_token
|
165 |
|
logout_url += 'post_logout_redirect_uri=%s' % redirect_uri
|
166 |
|
toolkit.redirect_to(str(logout_url))
|
|
163 |
org_url = str(org_url)
|
|
164 |
|
|
165 |
if toolkit.c.user and request.method == 'POST':
|
|
166 |
client = Clients.get(g)
|
|
167 |
logout_url = client.end_session_endpoint
|
|
168 |
|
|
169 |
redirect_uri = org_url + '/logout'
|
|
170 |
|
|
171 |
# revoke the access token
|
|
172 |
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
|
|
173 |
data = 'token=' + client.access_token
|
|
174 |
data += '&token_type_hint=access_token'
|
|
175 |
client.http_request(client.revocation_endpoint, 'POST',
|
|
176 |
data=data, headers=headers)
|
|
177 |
|
|
178 |
# redirect to IDP logout
|
|
179 |
logout_url += '?id_token_hint=%s&' % client.id_token
|
|
180 |
logout_url += 'post_logout_redirect_uri=%s' % redirect_uri
|
|
181 |
toolkit.redirect_to(logout_url)
|
|
182 |
toolkit.redirect_to(org_url)
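Review bot: Gating `slo` on `request.method == 'POST'` (and the `conditions={'method': ['POST']}` route) does not by itself stop a cross-site form post from revoking the token and logging the user out, because a third-party page can still submit a POST to `/user/slo` with the browser's session cookie attached; the confirmation form rendered by `logout` should carry a per-session anti-CSRF token that `slo` verifies before calling the revocation endpoint (whether `logout_confirm.html` already includes one is not visible here). Separately, `redirect_uri` and `client.id_token` are spliced into the query string unencoded, so `post_logout_redirect_uri` is sent with raw `://` and `/`; build the query with `urlencode({'id_token_hint': client.id_token, 'post_logout_redirect_uri': redirect_uri})` from `urllib` and append `'?' + query` to `logout_url` (the `token=` body could use the same helper). The return value of `client.http_request` is discarded, so a failed revocation still proceeds to the IdP logout; logging the response status would at least make that visible in the server log. The trailing `toolkit.redirect_to(org_url)` relies on the earlier `redirect_to` raising to avoid falling through; an explicit `return` after the first redirect would make that intent clear regardless of how `redirect_to` is implemented.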
|
logout user only on POST request
Let the user confirm the logout via a form