fix: ignore instead of throw on unverified post_logout_redirect_uri

panva · Sep 13, 2022 · 04b1096 · 04b1096
1 parent 0fcc112
commit 04b1096
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 44 deletions.
diff --git a/README.md b/README.md
@@ -21,6 +21,7 @@ _Note that not all features are enabled by default, check the configuration sect
 - [RFC6749 - OAuth 2.0][oauth2] & [OpenID Connect Core 1.0][core]
 - [OpenID Connect Discovery 1.0][discovery]
 - [OpenID Connect Dynamic Client Registration 1.0][registration] and [RFC7591 - OAuth 2.0 Dynamic Client Registration Protocol][oauth2-registration]
+- [OpenID Connect RP-Initiated Logout 1.0][rpinitiated-logout]
 - [OAuth 2.0 Form Post Response Mode][form-post]
 - [RFC7009 - OAuth 2.0 Token Revocation][revocation]
 - [RFC7592 - OAuth 2.0 Dynamic Client Registration Management Protocol][registration-management]
@@ -49,7 +50,6 @@ The following draft specifications are implemented by oidc-provider:
 - [Financial-grade API: Client Initiated Backchannel Authentication Profile (FAPI-CIBA) - Implementer's Draft 01][fapi-ciba]
 - [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 03][dpop]
 - [OpenID Connect Back-Channel Logout 1.0 - draft 07][backchannel-logout]
-- [OpenID Connect RP-Initiated Logout 1.0 - draft 02][rpinitiated-logout]
 
 Updates to draft specification versions are released as MINOR library versions,
 if you utilize these specification implementations consider using the tilde `~` operator in your
@@ -146,7 +146,7 @@ actions and i.e. emit metrics that react to specific triggers. See the list of a
 [paseto-at]: https://paseto.io
 [support-sponsor]: https://github.com/sponsors/panva
 [par]: https://www.rfc-editor.org/rfc/rfc9126.html
-[rpinitiated-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-02.html
+[rpinitiated-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html
 [iss-auth-resp]: https://www.rfc-editor.org/rfc/rfc9207.html
 [fapi]: https://openid.net/specs/openid-financial-api-part-2-1_0.html
 [ciba]: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html

diff --git a/certification/oidc/plan.json b/certification/oidc/plan.json
@@ -778,25 +778,36 @@
                   ]
               },
               {
-                  "comment": "expect an immediate error page",
-                  "match": "https://op.panva.cz/session/end*",
-                  "tasks": [
-                      {
-                          "task": "Expect error page",
-                          "match": "https://op.panva.cz/session/end*",
-                          "commands": [
-                              [
-                                  "wait",
-                                  "xpath",
-                                  "//*",
-                                  10,
-                                  "post_logout_redirect_uri can only be used in combination with id_token_hint",
-                                  "update-image-placeholder"
-                              ]
-                          ]
-                      }
-                  ]
-              }
+                "comment": "wait for the logout success",
+                "match": "https://op.panva.cz/session/end*",
+                "tasks": [
+                    {
+                        "task": "Choose logout option",
+                        "match": "https://op.panva.cz/session/end*",
+                        "commands": [
+                            [
+                                "click",
+                                "css",
+                                "button[autofocus] "
+                            ]
+                        ]
+                    },
+                    {
+                        "task": "Expect success page",
+                        "match": "https://op.panva.cz/session/end/success",
+                        "commands": [
+                            [
+                                "wait",
+                                "xpath",
+                                "//*",
+                                10,
+                                "Sign-out Success",
+                                "update-image-placeholder"
+                            ]
+                        ]
+                    }
+                ]
+            }
           ]
       },
       "oidcc-rp-initiated-logout-no-params" : {

diff --git a/docs/README.md b/docs/README.md
@@ -1863,7 +1863,7 @@ _**default value**_:
 
 ### features.rpInitiatedLogout
 
-[RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-02.html)  
+[RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html)  
 
 Enables RP-Initiated Logout features  
 

diff --git a/lib/actions/end_session.js b/lib/actions/end_session.js
@@ -68,7 +68,7 @@ module.exports = {
           throw new InvalidRequest('post_logout_redirect_uri not registered');
         }
       } else if (params.post_logout_redirect_uri !== undefined) {
-        throw new InvalidRequest('post_logout_redirect_uri can only be used in combination with id_token_hint or client_id');
+        params.post_logout_redirect_uri = undefined;
       }
 
       await next();

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -1289,7 +1289,7 @@ function getDefaults() {
       /*
        * features.rpInitiatedLogout
        *
-       * title: [RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-02.html)
+       * title: [RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html)
        *
        * description: Enables RP-Initiated Logout features
        */

diff --git a/test/end_session/end_session.test.js b/test/end_session/end_session.test.js
@@ -262,28 +262,17 @@ describe('logout endpoint', () => {
                 expect(postLogoutRedirectUri).to.be.undefined;
               });
           });
-        });
 
-        it('without id_token_hint or client_id post_logout_redirect_uri may not be provided', function () {
-          const emitSpy = sinon.spy();
-          const renderSpy = sinon.spy(i(this.provider).configuration(), 'renderError');
-          this.provider.once('end_session.error', emitSpy);
-          const params = {
-            post_logout_redirect_uri: 'https://client.example.com/callback/logout',
-          };
+          it('ignores unverified post_logout_redirect_uri', function () {
+            const params = { post_logout_redirect_uri: 'https://client.example.com/logout/cb' };
 
-          return this.agent.get(route)
-            .set('Accept', 'text/html')
-            .query(params)
-            .expect(400)
-            .expect(() => {
-              expect(emitSpy.calledOnce).to.be.true;
-              expect(renderSpy.calledOnce).to.be.true;
-              const renderArgs = renderSpy.args[0];
-              expect(renderArgs[1]).to.have.property('error', 'invalid_request');
-              expect(renderArgs[1]).to.have.property('error_description', 'post_logout_redirect_uri can only be used in combination with id_token_hint or client_id');
-              expect(renderArgs[2]).to.be.an.instanceof(InvalidRequest);
-            });
+            return this.wrap({ route, verb, params })
+              .expect(200)
+              .expect(() => {
+                const { state: { postLogoutRedirectUri } } = this.getSession();
+                expect(postLogoutRedirectUri).to.be.undefined;
+              });
+          });
         });
 
         it('validates post_logout_redirect_uri allowed on client', function () {