Revision 1c8b9fc4
Added by Serghei Mihai about 10 years ago
| ckanext/ozwillo_pyoidc/plugin.py | ||
|---|---|---|
| 14 | 14 |
plugin_config_prefix = 'ckanext.ozwillo_pyoidc.' |
| 15 | 15 |
|
| 16 | 16 |
log = logging.getLogger(__name__) |
| 17 |
plugin_controller = 'ckanext.ozwillo_pyoidc.plugin:OpenidController'
|
|
| 17 |
plugin_controller = __name__ + ':OpenidController'
|
|
| 18 | 18 |
|
| 19 | 19 |
_CLIENTS = {}
|
| 20 | 20 |
|
| ... | ... | |
| 55 | 55 |
map.connect('/organization/{id:.*}/callback',
|
| 56 | 56 |
controller=plugin_controller, |
| 57 | 57 |
action='callback') |
| 58 |
map.connect('/logout', controller=plugin_controller,
|
|
| 59 |
action='logout') |
|
| 58 | 60 |
map.connect('/user/slo',
|
| 59 | 61 |
controller=plugin_controller, |
| 60 |
action='slo') |
|
| 62 |
action='slo', |
|
| 63 |
conditions={'method': ['POST']})
|
|
| 61 | 64 |
map.redirect('/organization/{id:.*}/logout', '/user/_logout')
|
| 62 | 65 |
|
| 63 | 66 |
return map |
| ... | ... | |
| 140 | 143 |
qualified=True) |
| 141 | 144 |
toolkit.redirect_to(str(org_url)) |
| 142 | 145 |
|
| 146 |
def logout(self): |
|
| 147 |
toolkit.c.slo_url = toolkit.url_for(host=request.host, |
|
| 148 |
controller=plugin_controller, |
|
| 149 |
action="slo", |
|
| 150 |
qualified=True) |
|
| 151 |
return base.render('logout_confirm.html')
|
|
| 152 |
|
|
| 143 | 153 |
def slo(self): |
| 144 | 154 |
""" |
| 145 | 155 |
Revokes the delivered access token. Logs out the user |
| 146 | 156 |
""" |
| 147 | 157 |
g = model.Group.get(session['organization_id']) |
| 148 |
client = Clients.get(g) |
|
| 149 |
logout_url = client.end_session_endpoint |
|
| 150 | 158 |
org_url = toolkit.url_for(host=request.host, |
| 151 | 159 |
controller='organization', |
| 152 | 160 |
action='read', |
| 153 | 161 |
id=g.name, |
| 154 | 162 |
qualified=True) |
| 155 |
redirect_uri = org_url + '/logout' |
|
| 156 |
|
|
| 157 |
# revoke the access token |
|
| 158 |
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
|
|
| 159 |
data = 'token=%s&token_type_hint=access_token' % client.access_token |
|
| 160 |
client.http_request(client.revocation_endpoint, 'POST', |
|
| 161 |
data=data, headers=headers) |
|
| 162 |
|
|
| 163 |
# redirect to IDP logout |
|
| 164 |
logout_url += '?id_token_hint=%s&' % client.id_token |
|
| 165 |
logout_url += 'post_logout_redirect_uri=%s' % redirect_uri |
|
| 166 |
toolkit.redirect_to(str(logout_url)) |
|
| 163 |
org_url = str(org_url) |
|
| 164 |
|
|
| 165 |
if toolkit.c.user and request.method == 'POST': |
|
| 166 |
client = Clients.get(g) |
|
| 167 |
logout_url = client.end_session_endpoint |
|
| 168 |
|
|
| 169 |
redirect_uri = org_url + '/logout' |
|
| 170 |
|
|
| 171 |
# revoke the access token |
|
| 172 |
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
|
|
| 173 |
data = 'token=' + client.access_token |
|
| 174 |
data += '&token_type_hint=access_token' |
|
| 175 |
client.http_request(client.revocation_endpoint, 'POST', |
|
| 176 |
data=data, headers=headers) |
|
| 177 |
|
|
| 178 |
# redirect to IDP logout |
|
| 179 |
logout_url += '?id_token_hint=%s&' % client.id_token |
|
| 180 |
logout_url += 'post_logout_redirect_uri=%s' % redirect_uri |
|
| 181 |
toolkit.redirect_to(logout_url) |
|
| 182 |
toolkit.redirect_to(org_url) |
|
Also available in: Unified diff
logout user only on POST request
Let the user confirm the logout via a form