Merge pull request #111 from maykinmedia/issue/prevent-following-redirects-in-logout

Block following redirects in logout
stevenbal authored Jun 18, 2024
2 parents 68cd024 + de6aa48 commit 0145e61
Showing 2 changed files with 19 additions and 1 deletion.
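--- a/mozilla_django_oidc_db/utils.py
+++ b/mozilla_django_oidc_db/utils.py
@@ -75,7 +75,11 @@ def do_op_logout(config: OpenIDConnectConfigBase, id_token: str) -> None:
     if not logout_endpoint:
         return
 
-    response = requests.post(logout_endpoint, data={"id_token_hint": id_token})
+    response = requests.post(
+        logout_endpoint,
+        data={"id_token_hint": id_token},
+        allow_redirects=False,
+    )
     if not response.ok:
         logger.warning(
             "Failed to log out the user at the OpenID Provider. Status code: %s",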
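Review bot: The new `allow_redirects=False` keyword carries no comment saying why the redirect must not be followed, so a later reader may well "fix" it back to the default; I would put above the call `# Never follow redirects server-side: the OP may answer the logout with a 302 to its login or post-logout page,` and `# which this RP must not fetch; the response status alone tells us whether the logout request was accepted.` Since `response.ok` is true for 3xx statuses, a redirect is counted as a successful logout and the warning below stays silent, which looks intended given the accompanying test but is worth stating in that comment. The call still passes no `timeout=`, so an unresponsive OP blocks the user's logout indefinitely; a bounded value such as `timeout=10` (example value) belongs next to `allow_redirects=False`. do_op_logout starts before and ends after this hunk.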
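--- a/tests/test_logout.py
+++ b/tests/test_logout.py
@@ -86,3 +86,17 @@ def test_logout_with_logout_endpoint_configured(
 
     assert kc_response.status_code == 200, "Did not end up on Keycloak's login page"
     assert kc_response.headers["Content-Type"].startswith("text/html")
+
+
+@pytest.mark.oidcconfig(oidc_op_logout_endpoint="https://example.com/oidc/logout")
+def test_logout_response_has_redirect(dummy_config: OpenIDConnectConfig, requests_mock):
+    requests_mock.post(
+        "https://example.com/oidc/logout",
+        status_code=302,
+        headers={"Location": "http://testserver/endpoint-that-does-not-exist"},
+    )
+
+    try:
+        do_op_logout(dummy_config, id_token="dummy-id-token")
+    except Exception:
+        pytest.fail("Logout should not crash")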
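Review bot: The new test only checks that do_op_logout does not raise; it never asserts that the redirect was left unfollowed, so it detects a regression only indirectly through the mock rejecting the unregistered Location target. I would assert the mock state after the call: `assert requests_mock.call_count == 1` and `assert requests_mock.last_request.url == "https://example.com/oidc/logout"`. The `try`/`except Exception: pytest.fail(...)` wrapper is redundant because an uncaught exception already fails the test, so calling `do_op_logout(dummy_config, id_token="dummy-id-token")` directly reads cleaner. A one-line docstring naming the scenario, an OP answering the logout request with a 302, would make the test's purpose visible without reading the mock setup.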
