Extended add_callbacks to deal with more callback uris.

Author: rohe

src/oidcrp/rp_handler.py

@@ -237,6 +237,30 @@ def do_provider_info(self, client=None, state='', behaviour_args=None):
             except KeyError:
                 return _context.get('issuer')
 
+    def add_callbacks(self, context):
+        _iss = context.get('issuer')
+        # Create the necessary callback URLs
+        # as a side effect self.hash2issuer is set
+        _extra_uris = {
+            "request_uri": False,
+            "backchannel_logout_uri": False,
+            "frontchannel_logout_uri": False
+        }
+        _pi = context.get('provider_info')
+        _cp = context.config.get("client_preferences")
+        if 'require_request_uri_registration' in _pi and "request_uri_usable" in _cp:
+            _extra_uris['request_uri'] = True
+        if 'frontchannel_logout_supported' in _pi and "frontchannel_logout_usable" in _cp:
+            _extra_uris["frontchannel_logout_uri"] = True
+        if 'backchannel_logout_supported' in _pi and "backchannel_logout_usable" in _cp:
+            _extra_uris["backchannel_logout_uri"] = True
+
+        callbacks = self.create_callbacks(_iss, **_extra_uris)
+
+        context.set('redirect_uris', [
+            v for k, v in callbacks.items() if not k.startswith('__')])
+        context.set('callback', callbacks)
+
     def do_client_registration(self, client=None,
                                iss_id: Optional[str] = '',
                                state: Optional[str] = '',
@@ -266,16 +290,7 @@ def do_client_registration(self, client=None,
 
         if not _context.client_id:  # means I have to do dynamic client registration
             if not _context.get('redirect_uris'):
-                # Create the necessary callback URLs
-                # as a side effect self.hash2issuer is set
-                if 'require_request_uri_registration' in _context.get('provider_info'):
-                    callbacks = self.create_callbacks(_iss, request_uri=True)
-                else:
-                    callbacks = self.create_callbacks(_iss)
-
-                _context.set('redirect_uris', [
-                    v for k, v in callbacks.items() if not k.startswith('__')])
-                _context.set('callback', callbacks)
+                self.add_callbacks(_context)
 
             if behaviour_args:
                 _params = RegistrationRequest().parameters()
@@ -285,19 +300,6 @@ def do_client_registration(self, client=None,
 
             load_registration_response(client, request_args=request_args)
 
-    def add_callbacks(self, service_context):
-        _iss = service_context.get('issuer')
-
-        if 'require_request_uri_registration' in service_context.get('provider_info'):
-            _callbacks = self.create_callbacks(_iss, request_uri=True)
-        else:
-            _callbacks = self.create_callbacks(_iss)
-
-        service_context.set('redirect_uris', [
-            v for k, v in _callbacks.items() if not k.startswith('__')])
-        service_context.set('callback', _callbacks)
-        return _callbacks
-
     def do_webfinger(self, user):
         """
         Does OpenID Provider Issuer discovery using webfinger.
@@ -356,12 +358,16 @@ def client_setup(self, iss_id='', user='', behaviour_args=None):
         self.issuer2rp[issuer] = client
         return client
 
-    def create_callbacks(self, issuer, request_uri=False):
+    def create_callbacks(self, issuer, request_uri=False, backchannel_logout_uri=False,
+                         frontchannel_logout_uri=False):
         """
         To mitigate some security issues the redirect_uris should be OP/AS
         specific. This method creates a set of redirect_uris unique to the
         OP/AS.
 
+        :param frontchannel_logout_uri: Whether a front-channel logout uri should be constructed
+        :param backchannel_logout_uri: Whether a back-channel logout uri should be constructed
+        :param request_uri: Whether a request_uri should be constructed
         :param issuer: Issuer ID
         :return: A set of redirect_uris
         """
@@ -379,6 +385,15 @@ def create_callbacks(self, issuer, request_uri=False):
         if request_uri:
             res["request_uri"] = f"{self.base_url}/req_uri/{_hex}"
 
+        if backchannel_logout_uri or frontchannel_logout_uri:
+            res["post_logout_redirect_uris"] = f"{self.base_url}/session_logout/{_hex}"
+
+        if backchannel_logout_uri:
+            res["backchannel_logout_uri"] = f"{self.base_url}/bc_logout/{_hex}"
+        if frontchannel_logout_uri:
+            res["frontchannel_logout_uri"] = f"{self.base_url}/fc_logout/{_hex}"
+
+        logger.debug(f"Created callback URIs: {res}")
         return res
 
     def _get_response_type(self, context, req_args: Optional[dict] = None):
@@ -678,7 +693,7 @@ def finalize_auth(self, client, issuer: str, response: dict,
 
     def get_access_and_id_token(self, authorization_response=None,
                                 state: Optional[str] = '',
-                                client: Optional[object] =None,
+                                client: Optional[object] = None,
                                 behaviour_args: Optional[dict] = None):
         """
         There are a number of services where access tokens and ID tokens can
@@ -830,7 +845,8 @@ def finalize(self, issuer, response, behaviour_args: Optional[dict] = None):
             'userinfo': inforesp,
             'state': authorization_response['state'],
             'token': token['access_token'],
-            'id_token': _id_token
+            'id_token': _id_token,
+            'session_state': authorization_response.get('session_state', '')
         }
 
     def has_active_authentication(self, state):
@@ -898,7 +914,9 @@ def get_valid_access_token(self, state):
             else:
                 raise OidcServiceError('No valid access token')
 
-    def logout(self, state, client=None, post_logout_redirect_uri=''):
+    def logout(self, state: str,
+               client: Optional[Client] = None,
+               post_logout_redirect_uri: Optional[str] = '') -> dict:
         """
         Does a RP initiated logout from an OP. After logout the user will be
         redirect by the OP to a URL of choice (post_logout_redirect_uri).
@@ -929,6 +947,17 @@ def logout(self, state, client=None, post_logout_redirect_uri=''):
 
         return resp
 
+    def close(self, state: str,
+              issuer: Optional[str] = '',
+              post_logout_redirect_uri: Optional[str] = '') -> dict:
+        if issuer:
+            client = self.issuer2rp[issuer]
+        else:
+            client = self.get_client_from_session_key(state)
+
+        return self.logout(state=state, client=client,
+                           post_logout_redirect_uri=post_logout_redirect_uri)
+
     def clear_session(self, state):
         client = self.get_client_from_session_key(state)
         client.client_get("service_context").state.remove_state(state)

src/oidcrp/service.py

@@ -344,7 +344,7 @@ def get_headers(self,
         return _headers
 
     def get_request_parameters(self, request_args=None, method="",
-                               request_body_type="", authn_method='', **kwargs):
+                               request_body_type="", authn_method='', **kwargs) -> dict:
         """
         Builds the request message and constructs the HTTP headers.
 

tests/pub_client.jwks

@@ -1 +1 @@
-{"keys": [{"kty": "RSA", "use": "sig", "kid": "SUswNi1MRFlDT0Y2YjU1Z1RfQlo2S3dEa3FTTkV3LThFcnhDTHF5elk2VQ", "e": "AQAB", "n": "0UkUx2ewKyc-XJ1o0ToyGjws_JybAMZj2oYjsPyyvQ_T5dhZ2VmRRRkhsaVJ2xE_GGc7mSG0IjmGFyXp5y0w4mJBcsAEE5-8eBTvQdYIryjW74r3jt6Fi4Hlm1yFMTie3apv8mw79BUj-jT0kh3_m-FiKKUvLsq45DcLtTJ4cx7Ize37dl1sFSpQcoYMk7eiUEM8fiNboiVwvBYNAWVMkUM-LnVUPm3UjvKp0LihYEkZFWOxmuQmj2x25SFUkjus38ERrRqJQBZduxdBHFrWtWg8yOA53BkMU0FFg_r0H3ctl-5GaKw-BWlogU4qXnsq85xy0EoenRk7FPV8g_ulJw"}, {"kty": "EC", "use": "sig", "kid": "NC1pdGRQN002bWM3bk1xX2R0SktscElqbFdtN29ITDV2WVd2b0hOYzREVQ", "crv": "P-256", "x": "kK7Qp1woSerI7rUOAwW_4sU6ZmwV3wwXKX3VU-v2fMI", "y": "iPWd_Pjq6EjxYy08KNFZ3PxhEwgWHgAQTTknlKMKJA0"}]}
+{"keys": [{"kty": "RSA", "use": "sig", "kid": "SUswNi1MRFlDT0Y2YjU1Z1RfQlo2S3dEa3FTTkV3LThFcnhDTHF5elk2VQ", "n": "0UkUx2ewKyc-XJ1o0ToyGjws_JybAMZj2oYjsPyyvQ_T5dhZ2VmRRRkhsaVJ2xE_GGc7mSG0IjmGFyXp5y0w4mJBcsAEE5-8eBTvQdYIryjW74r3jt6Fi4Hlm1yFMTie3apv8mw79BUj-jT0kh3_m-FiKKUvLsq45DcLtTJ4cx7Ize37dl1sFSpQcoYMk7eiUEM8fiNboiVwvBYNAWVMkUM-LnVUPm3UjvKp0LihYEkZFWOxmuQmj2x25SFUkjus38ERrRqJQBZduxdBHFrWtWg8yOA53BkMU0FFg_r0H3ctl-5GaKw-BWlogU4qXnsq85xy0EoenRk7FPV8g_ulJw", "e": "AQAB"}, {"kty": "EC", "use": "sig", "kid": "NC1pdGRQN002bWM3bk1xX2R0SktscElqbFdtN29ITDV2WVd2b0hOYzREVQ", "crv": "P-256", "x": "kK7Qp1woSerI7rUOAwW_4sU6ZmwV3wwXKX3VU-v2fMI", "y": "iPWd_Pjq6EjxYy08KNFZ3PxhEwgWHgAQTTknlKMKJA0"}]}

tests/test_20_rp_handler_oidc.py

@@ -898,7 +898,7 @@ def test_finalize(self):
         # assume code flow
         resp = self.rph.finalize(_session['iss'], auth_response.to_dict())
 
-        assert set(resp.keys()) == {'userinfo', 'state', 'token', 'id_token'}
+        assert set(resp.keys()) == {'userinfo', 'state', 'token', 'id_token', 'session_state'}
 
     def test_dynamic_setup(self):
         user_id = 'acct:foobar@example.com'